ASP / Access - protecting from injections
Hi all,
I inherited some old ASP code, that I found out recently might have be potential SQL injection problem.
I've looked through Google and the threads here, and I understand the concept of SQL injections, but I'm not sure how to change my own code to protect it from injections. I'm not very strong with ASP.
All of the examples I've seen have code which is protecting against injection threats when a user inputs data into a field. In my case, the ASP code displays records in a database table, but does not take any user inputs.
Code:
Dim sql, rs, item_number
item_number = Request.QueryString("product_id")
sql = "SELECT * FROM products WHERE product_id=" & item_number
Set rs = objConn.Execute(sql)
If rs.EOF Then 'if no records
Response.Write("No record to display")
Else
%>
<p><%=rs("product_id") %></p>
<p><%=rs("product_title") %></p>
<p><%=rs("product_type") %></p>
<%
End if
%>
The product_id is passed through the URL from the previous page, such as http://www.website.com/products/index.asp?product_id=5
I've removed a lot of the styling and if statements from the code here, to make it easier to read through.
Will this code still be susceptible to SQL injections, even if I'm not accepting user inputs and just displaying records from a database, and if so, how can I guard against any potential injection threats?
Thank you very much for your time and help
XSS injections and hidden spam links
Thanks, I will do those things you mentioned.
So far I've gone around and tightened the security on all the different web pages, and plugged potential holes which could cause cross site scripting.
My homepage (index.asp) of my static website keeps getting hacked and the file constantly has hidden spam links injected at the end of it, after the </html> tag.
I'm still trying to figure out how they're getting in. I've already changed the FTP and Control Panel password, tightened the file permissions through Control Panel, and I'm working on securing the website against cross site scripting. But I still can't figure out how the hackers are getting in, and our web host haven't been able to help much in this matter.
