Classic ASP SQL Injection

I recently inherited a classic ASP website with tons of inline SQL insert statements that are vulnerable to SQL injection.

These insert statements are executed through the ADO Command object.

Will setting the ADO Command object's Prepared property to true cause the query to be parameterized before execution, thereby reducing the risk of SQL injection?

+7
sql-injection asp-classic
5 answers

This link should be helpful.

Classic ASP SQL Injection Protection

+6

No, if you build an SQL string with values that you get directly from the "outside", then a "prepared statement" will not help you. A statement like

    sSQL = "SELECT * from mytable where mycolumn = '" & Request.QueryString("value") & "'"

is still asking for trouble. The only way to solve this is to use parameters in your query.

+6
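The parameterised alternative the answer above calls for, as an added example that is not from the original thread: a classic ASP (VBScript) page that runs the same SELECT through an ADODB.Command with a bound parameter instead of string concatenation. The connection string, table name `mytable`, column `mycolumn` and its varchar(50) size are assumptions.

```vbscript
<%
Option Explicit
' Added example (not from the thread). Assumed: SQL Server via SQLOLEDB,
' table "mytable" with a varchar(50) column "mycolumn".

' ADO constants normally pulled in from adovbs.inc; defined inline so the page runs alone.
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200

Dim sConn
sConn = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=mydb;Integrated Security=SSPI;"

' Vulnerable form, kept only for contrast: the request value becomes part of the SQL text.
' sSQL = "SELECT * FROM mytable WHERE mycolumn = '" & Request.QueryString("value") & "'"

' Safe form: the SQL text is fixed and the value travels to the server as a typed parameter.
Function FindByColumn(ByVal sValue)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open sConn

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM mytable WHERE mycolumn = ?"

    ' The "?" placeholder is bound positionally; size 50 matches the assumed column width.
    cmd.Parameters.Append cmd.CreateParameter("@value", adVarChar, adParamInput, 50, sValue)

    Set FindByColumn = cmd.Execute
End Function

' Whatever arrives in the query string is now data: an input such as ' or 1=1 --
' is compared literally against mycolumn and simply matches no row.
Dim rs
Set rs = FindByColumn(Request.QueryString("value"))
Do Until rs.EOF
    ' Encode on output as well, since the thread also raises XSS.
    Response.Write Server.HTMLEncode(rs("mycolumn")) & "<br>"
    rs.MoveNext
Loop
rs.ActiveConnection.Close
Set rs = Nothing
%>
```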

You can also look at the open source classic ASP project called "OWASP Stinger". This helps not only with SQL injection but also with header injection and many other security issues common to all web applications.

http://www.owasp.org/index.php/Classic_ASP_Security_Project

+2

Here is another good link and example.

http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

In the past, we simply created a couple of functions to check any external input for SQL injection and XSS. Then, slowly, we converted all of the embedded SQL into stored procedures.

0

I would suggest you write a function to sanitize user input, and then run all the query variables through it. When I wrote my book, I did something like:

  • escape single quotes
  • delete and other special characters, and
  • make sure you could not -- (comment) out the end of the statement.

Most SQL injections will try something like ' or 1=1 or a=' so the SQL code becomes:

    SELECT * from mytable where mycolumn = '' or 1=1 or a=''

Thus, escaping single quotes is really the big issue that you need to worry about.

-2