www.webdeveloper.com
Results 1 to 3 of 3

Thread: [RESOLVED] ASP / Access - protecting from injections

Hybrid View

  1. #1
    Join Date
    Oct 2006
    Posts
    10

    resolved [RESOLVED] ASP / Access - protecting from injections

    Hi all,

    I inherited some old ASP code, that I found out recently might have be potential SQL injection problem.

    I've looked through Google and the threads here, and I understand the concept of SQL injections, but I'm not sure how to change my own code to protect it from injections. I'm not very strong with ASP.

    All of the examples I've seen have code which is protecting against injection threats when a user inputs data into a field. In my case, the ASP code displays records in a database table, but does not take any user inputs.

    Code:
    Dim sql, rs, item_number
    item_number = Request.QueryString("product_id")
    
    sql = "SELECT * FROM products WHERE product_id=" & item_number
    Set rs = objConn.Execute(sql)
    
    If rs.EOF Then 'if no records
    	Response.Write("No record to display")
    Else
    %>
    <p><%=rs("product_id") %></p>
    <p><%=rs("product_title") %></p>
    <p><%=rs("product_type") %></p>
    <%
    End if
    %>
    The product_id is passed through the URL from the previous page, such as http://www.website.com/products/index.asp?product_id=5

    Will this code still be susceptible to SQL injections, even if I'm not accepting user inputs and just displaying records from a database, and if so, how can I guard against any potential injection threats?

    Edit: Do I just change line 2 of the code from:
    item_number = Request.QueryString("product_id")

    to

    item_number = CLng(Request.QueryString("product_id"))

    Thank you very much for your time and help

  2. #2
    Join Date
    Jan 2008
    Location
    Florida
    Posts
    1,227
    A querystring is absolutely open for injection.

    Your solution is one way to avoid injection but it will only cause an error and what if no querystring variable is provided? That will throw an error too.

    The best way to handle it would be to convert it to a zero if it is not a valid numeric value, then your recordset would simply show no results.

    Code:
    item_number = Request.QueryString("product_id")
    If item_number = "" then item_number = 0
    If not isnumeric(item_number) then item_number = 0
    That's all you need to do, now you let your query run no matter what is passed.

  3. #3
    Join Date
    Oct 2006
    Posts
    10
    Thank you very much, yamaharuss! Thanks a million!

    I tried it out, and it works really well, and the error handling is much more graceful than mine was. So thank you so much!

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles