hoz #1
how to protect web server against SQL Injection ?
I didn't find any information on where to start. Please write something.
hoz Guest
-
Yunus Emre ALPÖZEN #2
Re: how to protect web server against SQL Injection ?
Just use stored procedures. It is a certain solution.
--
Thanks,
Yunus Emre ALPÖZEN
"hoz" <ask@me.com> wrote in message
news:u4%23$$y3BFHA.3504@TK2MSFTNGP12.phx.gbl...
> I didn't find any information on where to start. Please write something.
Yunus Emre ALPÖZEN Guest
-
hoz #3
Re: how to protect web server against SQL Injection ?
Hi,
I have already used SPs but I am not sure if this would be sufficient.
I am going to read your articles.
Regards
Hasan
"Yunus Emre ALPÖZEN" <yemre@msakademik.net> wrote in message
news:eA9WwV4BFHA.612@TK2MSFTNGP09.phx.gbl...
> Just use stored procedures. It is a certain solution.
>
> --
> Thanks,
> Yunus Emre ALPÖZEN
hoz Guest
-
Ken Schaefer #4
Re: how to protect web server against SQL Injection ?
Use parameterised queries and stored procedures. As long as you don't execute
(using Exec()) arbitrary strings in your sprocs, you should be fine.
Cheers
Ken
"hoz" <ask@me.com> wrote in message
news:edVOgd4BFHA.1452@TK2MSFTNGP11.phx.gbl...
> Hi,
> I have already used SPs but I am not sure if this would be sufficient.
> I am going to read your articles.
> Regards
> Hasan
Ken Schaefer Guest
-
hoz #5
Re: how to protect web server against SQL Injection ?
Thanks for your answer.
I think I have already solved my question at the beginning, using SPs.
"Ken Schaefer" <kenREMOVE@THISadopenstatic.com> wrote in message
news:ONpm0pNCFHA.3504@TK2MSFTNGP12.phx.gbl...
> Use parameterised queries and stored procedures. As long as you don't execute
> (using Exec()) arbitrary strings in your sprocs, you should be fine.
>
> Cheers
> Ken
hoz Guest
-
Andy G #6
Re: how to protect web server against SQL Injection ?
Here is something to look at. I call this function and pass the typed-in
username and password to it before hashing, calling any stored
procedures, and doing any authentication that you might be doing. I think
someone else passed this on to me previously....
Public Function SafeSqlLikeClauseLiteral(ByVal inputSQL As String) As String
    ' Escape the characters that are special inside a T-SQL string literal
    ' or LIKE pattern. Make the following replacements:
    '   '  becomes ''
    '   [  becomes [[]
    '   %  becomes [%]
    '   _  becomes [_]
    Dim s As String = inputSQL
    s = s.Replace("'", "''")
    ' [ must be escaped before % and _, otherwise the brackets added for
    ' those two would themselves be escaped again.
    s = s.Replace("[", "[[]")
    s = s.Replace("%", "[%]")
    s = s.Replace("_", "[_]")
    Return s
End Function
"hoz" <ask@me.com> wrote in message
news:OHgjZ%23QCFHA.3092@TK2MSFTNGP10.phx.gbl...
> Thanks for your answer.
> I think I have already solved my question at the beginning, using SPs.
Andy G Guest
-
Ken Schaefer #7
Re: how to protect web server against SQL Injection ?
Stored procedures are not enough.
Parameterised queries are required as well.
Cheers
Ken
"hoz" <ask@me.com> wrote in message
news:OHgjZ%23QCFHA.3092@TK2MSFTNGP10.phx.gbl...
> Thanks for your answer.
> I think I have already solved my question at the beginning, using SPs.
Ken Schaefer Guest
-
Ken Schaefer #8
Re: how to protect web server against SQL Injection ?
I would say that trying to use functions like this is a waste of time...
Cheers
Ken
"Andy G" <ajgould@iastate.edu> wrote in message
news:eI19wEjCFHA.3592@TK2MSFTNGP09.phx.gbl...
> Here is something to look at. I call this function and pass the typed-in
> username and password to it before hashing, calling any stored
> procedures, and doing any authentication that you might be doing. I think
> someone else passed this on to me previously....
>
> Public Function SafeSqlLikeClauseLiteral(ByVal inputSQL As String) As String
>     ' Make the following replacements:
>     '   '  becomes ''
>     '   [  becomes [[]
>     '   %  becomes [%]
>     '   _  becomes [_]
>     Dim s As String = inputSQL
>     s = s.Replace("'", "''")
>     s = s.Replace("[", "[[]")
>     s = s.Replace("%", "[%]")
>     s = s.Replace("_", "[_]")
>     Return s
> End Function
Ken Schaefer Guest
-
Yunus Emre ALPÖZEN #9
Re: how to protect web server against SQL Injection ?
I don't agree with you. What happens if a user tries injection with escaped
characters? It depends on your database management system. Assume that
your DBMS uses \ as the escape character. But just think about the \' character.
Your code will change this string as follows: \'' which is valid for SQL
injection.
To test for SQL injection, generally use something like this:
a' OR 1=1--
For your case, it becomes a\' OR 1=1
And also I would like to ask Ken Schaefer something. Is there any example
that stored procedures are not enough?
In MSDN TV, I watched something about MS SQL Server which introduced stored
procedures as a unique solution for SQL injection attacks. Are you sure?
--
Thanks,
Yunus Emre ALPÖZEN
"Andy G" <ajgould@iastate.edu> wrote in message
news:eI19wEjCFHA.3592@TK2MSFTNGP09.phx.gbl...
> Here is something to look at. I call this function and pass the typed-in
> username and password to it before hashing, calling any stored
> procedures, and doing any authentication that you might be doing. I think
> someone else passed this on to me previously....
>
> Public Function SafeSqlLikeClauseLiteral(ByVal inputSQL As String) As String
>     ' Make the following replacements:
>     '   '  becomes ''
>     '   [  becomes [[]
>     '   %  becomes [%]
>     '   _  becomes [_]
>     Dim s As String = inputSQL
>     s = s.Replace("'", "''")
>     s = s.Replace("[", "[[]")
>     s = s.Replace("%", "[%]")
>     s = s.Replace("_", "[_]")
>     Return s
> End Function
Yunus Emre ALPÖZEN Guest
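Added example, not from any poster in this thread, illustrating Ken's point that parameterised queries are required and answering Yunus's request for an example. Python's sqlite3 stands in for SQL Server and ADO.NET, the users table and its rows are constructed, and the probe is the a' OR 1=1-- string Yunus quotes: the concatenated query (which is exactly what a stored procedure does internally when it builds a string for EXEC()) returns every row for the probe, while the parameterised query returns none.

```python
import sqlite3

# Constructed sample rows standing in for a real users table.
USERS = [("alice", "hash-a"), ("bob", "hash-b")]

# The probe string quoted in the thread.
PROBE = "a' OR 1=1--"


def make_db():
    """Build an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, username):
    """Flawed: the user's text is spliced into the SQL string. A stored
    procedure that builds a string this way and hands it to EXEC() is in
    the same position, so wrapping the query in a sproc changes nothing."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, username):
    """Parameterised: the value travels separately from the SQL text, so the
    database only ever compares it and never parses it as SQL. Quote
    characters in the value need no special handling."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo():
    """Run both lookups with an ordinary name and with the probe."""
    conn = make_db()
    return {
        "concat_normal": lookup_concat(conn, "alice"),
        "concat_probe": lookup_concat(conn, PROBE),   # every row comes back
        "param_normal": lookup_param(conn, "alice"),
        "param_probe": lookup_param(conn, PROBE),     # no row matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```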
-
hoz #10
Re: how to protect web server against SQL Injection ?
I am certainly sure that SPs are enough.
But I also think parameterised queries are a waste of resources.
If a user enters ' you try to replace it; when the user enters the ASCII code
of ', what will happen? And so on. You can't check everything, I
think.
"Ken Schaefer" <kenREMOVE@THISadopenstatic.com> wrote in message
news:#01iqXoCFHA.3416@TK2MSFTNGP09.phx.gbl...
> Stored procedures are not enough.
>
> Parameterised queries are required as well.
>
> Cheers
> Ken
hoz Guest