ASP / Access - protecting from injections
I inherited some old ASP code, that I found out recently might have be potential SQL injection problem.
I've looked through Google and the threads here, and I understand the concept of SQL injections, but I'm not sure how to change my own code to protect it from injections. I'm not very strong with ASP.
All of the examples I've seen have code which is protecting against injection threats when a user inputs data into a field. In my case, the ASP code displays records in a database table, but does not take any user inputs.
The product_id is passed through the URL from the previous page, such as http://www.website.com/products/index.asp?product_id=5
Dim sql, rs, item_number
item_number = Request.QueryString("product_id")
sql = "SELECT * FROM products WHERE product_id=" & item_number
Set rs = objConn.Execute(sql)
If rs.EOF Then 'if no records
Response.Write("No record to display")
I've removed a lot of the styling and if statements from the code here, to make it easier to read through.
Will this code still be susceptible to SQL injections, even if I'm not accepting user inputs and just displaying records from a database, and if so, how can I guard against any potential injection threats?
Thank you very much for your time and help
Sorry, could someone please delete this threat? It's a duplicate of the thread above
I am not an expert but 3 things I have done are:
1. Set up two separate database connections. 1 read only, the other read-write. Set your SELECT statements using the READ ONLY connection. UPDATES, DELETES, INSERTS use Read-write.
2. For item_number = Request.QueryString("product_id") make it
item_number = Replace(Request.QueryString("product_id"),"'","''")
using the escape for the apostrophe
3. Check out this script:
XSS injections and hidden spam links
Thanks, I will do those things you mentioned.
So far I've gone around and tightened the security on all the different web pages, and plugged potential holes which could cause cross site scripting.
My homepage (index.asp) of my static website keeps getting hacked and the file constantly has hidden spam links injected at the end of it, after the </html> tag.
I'm still trying to figure out how they're getting in. I've already changed the FTP and Control Panel password, tightened the file permissions through Control Panel, and I'm working on securing the website against cross site scripting. But I still can't figure out how the hackers are getting in, and our web host haven't been able to help much in this matter.
Didn't we just address this in another thread?
As long as you validate every variable being sent to every query, you will be protected. No need for separate connections.
Also be very careful implementing global code like Square suggested. That code globally checks all form fields, querystrings.. which means if someone fills out a form address field and lives on Killearn Street the submit will fail (kill exists in the blacklist).. you get the point.. always best to validate every variable.
Yes, I 100% agree. And I did have to fine-tune the list.
Originally Posted by yamaharuss
If you use 2 connections you will have to validate a LOT less variables. As the bulk of my statements are SELECT read only statements, separating them out meant I had to validate about 1/4 the amount of variables.
A word of caution using dual connections.. be sure you handle your errors properly. You do not want to give out your data structure to anyone, especially someone looking to do harm in the first place.
What do you recommend as best practice for handling errors?
Originally Posted by yamaharuss
There are several ways top handle errors. Write your own, create a custom 500 page and email errors to yourself (recommended)..
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread