www.webdeveloper.com

Thread: ASP / Access - protecting from injections


  1. #1 (Join Date: Oct 2006, Posts: 10)

    ASP / Access - protecting from injections

    Hi all,

    I inherited some old ASP code that I found out recently might have a potential SQL injection problem.

    I've looked through Google and the threads here, and I understand the concept of SQL injections, but I'm not sure how to change my own code to protect it from injections. I'm not very strong with ASP.

    All of the examples I've seen have code which is protecting against injection threats when a user inputs data into a field. In my case, the ASP code displays records in a database table, but does not take any user inputs.

    Code:
    <%
    ' objConn is an ADODB.Connection opened earlier on the page
    Dim sql, rs, item_number
    item_number = Request.QueryString("product_id")

    ' the query string value is concatenated straight into the SQL text
    sql = "SELECT * FROM products WHERE product_id=" & item_number
    Set rs = objConn.Execute(sql)

    If rs.EOF Then 'if no records
        Response.Write("No record to display")
    Else
    %>
    <p><%=rs("product_id") %></p>
    <p><%=rs("product_title") %></p>
    <p><%=rs("product_type") %></p>
    <%
    End If
    %>
    The product_id is passed through the URL from the previous page, such as http://www.website.com/products/index.asp?product_id=5

    I've removed a lot of the styling and if statements from the code here, to make it easier to read through.

    Will this code still be susceptible to SQL injections, even if I'm not accepting user inputs and just displaying records from a database, and if so, how can I guard against any potential injection threats?

    Thank you very much for your time and help
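The answer to the question in the post is yes. item_number is pasted into the WHERE clause as bare SQL text, so a request such as index.asp?product_id=5 OR 1=1 produces a syntactically valid statement that returns every product, and because the column is numeric the attacker needs no quote character to get there. The rewrite below is an added example, not code from the thread. It assumes objConn has been declared and opened earlier on the page (for instance in an include file), that products.product_id is a numeric column as in the original, and it uses the ADODB.Command parameter interface that the Jet OLEDB provider for Access accepts. Server.HTMLEncode is added on output because the same page is later discussed in the context of cross site scripting.

```asp
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' Added example (not from the original post): the product page with
' product_id validated and passed as a typed query parameter.
' Assumes objConn is an ADODB.Connection already opened earlier on the page.

' ADO constants, spelled out in case adovbs.inc is not included.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' True only when s is a non-empty run of ASCII digits 0-9.
' IsNumeric alone is too loose: it accepts "1e3", "&H1F" and "1,000".
Function IsDigitsOnly(s)
    Dim i, c
    IsDigitsOnly = False
    If Len(s) = 0 Then Exit Function
    For i = 1 To Len(s)
        c = Mid(s, i, 1)
        If c < "0" Or c > "9" Then Exit Function
    Next
    IsDigitsOnly = True
End Function

Dim rawId, item_number, cmd, rs

rawId = Trim(Request.QueryString("product_id"))

' 1. Validate: nine digits keeps the value inside a Long without overflow.
If Len(rawId) > 9 Or Not IsDigitsOnly(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write("Invalid product id")
    Response.End
End If
item_number = CLng(rawId)

' 2. Parameterise: the value travels as an integer parameter, never as SQL
'    text, so "5 OR 1=1" cannot become part of the statement.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objConn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT product_id, product_title, product_type " & _
                  "FROM products WHERE product_id = ?"
cmd.Parameters.Append cmd.CreateParameter("pid", adInteger, adParamInput, , item_number)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write("No record to display")
Else
%>
    <%' "" & field turns a Null into an empty string before encoding %>
    <p><%= Server.HTMLEncode("" & rs("product_id")) %></p>
    <p><%= Server.HTMLEncode("" & rs("product_title")) %></p>
    <p><%= Server.HTMLEncode("" & rs("product_type")) %></p>
<%
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The two steps are independent and both are worth keeping: the digit check rejects garbage early with a 400 instead of a database error, and the parameter means that even a value that slipped past validation could only ever be compared against product_id, never executed.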

  2. #2 (Join Date: Oct 2006, Posts: 10)
    Sorry, could someone please delete this thread? It's a duplicate of the thread above.

  3. #3 (Join Date: Apr 2010, Posts: 57)
    I am not an expert but 3 things I have done are:

    1. Set up two separate database connections. 1 read only, the other read-write. Set your SELECT statements using the READ ONLY connection. UPDATES, DELETES, INSERTS use Read-write.

    2. For item_number = Request.QueryString("product_id") make it

    item_number = Replace(Request.QueryString("product_id"),"'","''")

    using the escape for the apostrophe

    3. Check out this script:

    http://blogs.iis.net/nazim/archive/2...assic-asp.aspx

    Good luck!

  4. #4 (Join Date: Oct 2006, Posts: 10)

    XSS injections and hidden spam links

    Thanks, I will do those things you mentioned.

    So far I've gone around and tightened the security on all the different web pages, and plugged potential holes which could cause cross site scripting.

    My homepage (index.asp) of my static website keeps getting hacked and the file constantly has hidden spam links injected at the end of it, after the </html> tag.

    I'm still trying to figure out how they're getting in. I've already changed the FTP and Control Panel password, tightened the file permissions through Control Panel, and I'm working on securing the website against cross site scripting. But I still can't figure out how the hackers are getting in, and our web host haven't been able to help much in this matter.

  5. #5 (Join Date: Jan 2008, Location: Florida, Posts: 1,227)
    Didn't we just address this in another thread?

    As long as you validate every variable being sent to every query, you will be protected. No need for separate connections.

  6. #6 (Join Date: Jan 2008, Location: Florida, Posts: 1,227)
    Also be very careful implementing global code like Square suggested. That code globally checks all form fields, querystrings.. which means if someone fills out a form address field and lives on Killearn Street the submit will fail (kill exists in the blacklist).. you get the point.. always best to validate every variable.

  7. #7 (Join Date: Apr 2010, Posts: 57)
    Quote Originally Posted by yamaharuss View Post
    Also be very careful implementing global code like Square suggested. That code globally checks all form fields, querystrings.. which means if someone fills out a form address field and lives on Killearn Street the submit will fail (kill exists in the blacklist).. you get the point.. always best to validate every variable.
    Yes, I 100% agree. And I did have to fine-tune the list.

    If you use 2 connections you will have to validate a LOT fewer variables. As the bulk of my statements are SELECT read-only statements, separating them out meant I had to validate about 1/4 the amount of variables.
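The two ideas in posts #3, #5 and #6, a read-only connection for SELECTs and per-variable validation instead of a global blacklist, fit together in one page. The block below is an added example, not code from the thread. It assumes an Access file at the path given, a customers table with text columns name, street and city, and character classes for those fields that are only a starting point; the point is that each field gets a rule matched to what it holds, so an address on Killearn Street is accepted because nothing looks for substrings like "kill", and every value still reaches the database as a parameter.

```asp
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' Added example (not from the thread): a read-only and a read-write
' connection plus field-specific validation and parameterised statements.
' Assumed: /data/shop.mdb exists and has customers(name, street, city).
Const adModeRead = 1
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

Dim dbPath
dbPath = Server.MapPath("/data/shop.mdb")

' Read-only connection for every SELECT. adModeRead makes the provider
' reject any write attempted through this handle.
Dim connRO
Set connRO = Server.CreateObject("ADODB.Connection")
connRO.Mode = adModeRead
connRO.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbPath

' Read-write connection, used only by the statements that change rows.
Dim connRW
Set connRW = Server.CreateObject("ADODB.Connection")
connRW.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbPath

' Returns the trimmed value when it fits the length and pattern for that
' field, otherwise Empty. No blacklist of words; each field has its own rule.
Function CleanText(value, maxLen, pattern)
    Dim re
    CleanText = Empty
    value = Trim("" & value)
    If Len(value) = 0 Or Len(value) > maxLen Then Exit Function
    Set re = New RegExp
    re.Pattern = pattern
    If re.Test(value) Then CleanText = value
End Function

Dim custName, street, city
custName = CleanText(Request.Form("name"),   60, "^[A-Za-z .'\-]+$")
street   = CleanText(Request.Form("street"), 80, "^[A-Za-z0-9 .,'#/\-]+$")
city     = CleanText(Request.Form("city"),   40, "^[A-Za-z .'\-]+$")

If IsEmpty(custName) Or IsEmpty(street) Or IsEmpty(city) Then
    Response.Status = "400 Bad Request"
    Response.Write("Please check the address fields")
    Response.End
End If

' Validated text is still bound as a parameter, never concatenated, so the
' apostrophe in a name like O'Brien needs no manual doubling.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = connRW
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO customers (name, street, city) VALUES (?, ?, ?)"
cmd.Parameters.Append cmd.CreateParameter("name",   adVarWChar, adParamInput, 60, custName)
cmd.Parameters.Append cmd.CreateParameter("street", adVarWChar, adParamInput, 80, street)
cmd.Parameters.Append cmd.CreateParameter("city",   adVarWChar, adParamInput, 40, city)
cmd.Execute

' Reporting on the same page goes through the read-only handle.
Dim rs
Set rs = connRO.Execute("SELECT COUNT(*) AS n FROM customers")
Response.Write("Customers on file: " & rs("n"))

rs.Close
connRW.Close
connRO.Close
%>
```

One caveat on the read-only connection: it limits what an injected statement can change, not what it can read. A SELECT that concatenates a variable is still open to a UNION that pulls rows from any other table over the same handle, so the parameters, not the connection mode, are what actually close the injection.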

  8. #8 (Join Date: Jan 2008, Location: Florida, Posts: 1,227)
    A word of caution using dual connections.. be sure you handle your errors properly. You do not want to give out your data structure to anyone, especially someone looking to do harm in the first place.

  9. #9 (Join Date: Apr 2010, Posts: 57)
    Quote Originally Posted by yamaharuss View Post
    A word of caution using dual connections.. be sure you handle your errors properly. You do not want to give out your data structure to anyone, especially someone looking to do harm in the first place.
    What do you recommend as best practice for handling errors?

  10. #10 (Join Date: Jan 2008, Location: Florida, Posts: 1,227)
    There are several ways to handle errors. Write your own, create a custom 500 page and email errors to yourself (recommended)..

    http://www.4guysfromrolla.com/webtech/060399-1.shtml
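The "write your own" option from the post above, as an added example that is not code from the thread: the query runs under On Error Resume Next, the full Jet error text (which names tables, columns and the failing SQL) goes to a log file, and the visitor sees only a generic message with a 500 status. It assumes objConn is an open ADODB.Connection and that the log path below, deliberately outside the web root so it cannot be fetched by URL, is writable by the IIS worker account.

```asp
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' Added example (not from the thread): keep database error details on the
' server, send the browser a generic 500 page.
' Assumed: objConn is open; C:\Logs\ exists and IIS can write to it.
Const ForAppending = 8
Const LogPath = "C:\Logs\site-errors.log"

' Appends one tab-separated line per error. Logging must never itself
' take the page down, so it swallows its own failures.
Sub LogError(where, number, description, source)
    Dim fso, f
    On Error Resume Next
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(LogPath, ForAppending, True)
    f.WriteLine Now & vbTab & where & vbTab & number & vbTab & description & vbTab & source
    f.Close
End Sub

' Runs sql on conn. Returns the recordset, or Nothing after logging an error.
Function RunQuery(conn, sql)
    Dim rs
    Set RunQuery = Nothing
    On Error Resume Next
    Set rs = conn.Execute(sql)
    If Err.Number <> 0 Then
        LogError "RunQuery", Err.Number, Err.Description, Err.Source
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    Set RunQuery = rs
End Function

Dim rs
Set rs = RunQuery(objConn, "SELECT product_id, product_title FROM products WHERE product_type = 'book'")

If rs Is Nothing Then
    ' Nothing from Err.Description reaches the client.
    Response.Status = "500 Internal Server Error"
    Response.Write("Sorry, something went wrong. The problem has been logged.")
    Response.End
End If

Do Until rs.EOF
    Response.Write("<p>" & Server.HTMLEncode("" & rs("product_title")) & "</p>")
    rs.MoveNext
Loop
rs.Close
%>
```

Two settings go with this. In IIS the ASP option to send detailed errors to the browser should be off for remote clients, otherwise any unhandled error still prints the script line and provider message. And for errors the page does not catch, classic ASP can route the 500;100 status to a custom error page, where Server.GetLastError returns an ASPError object with the same details, so that page is the other place to log from and the one place to keep generic.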

  11. #11 (Join Date: Apr 2010, Posts: 57)
    Thank you YamahaRuss
