Professional Web Applications Themes

Protecting my app from get? - ASP Database


  1. #1

    Protecting my app from get?

    Hi All!

    I am using POST in my page, but there are some places where I provide
    generated "links" to detail pages etc and I revert to building a query
    string in the URL to provide the page with appropriate data.

    I heard that there is something called "sql injection" attacks or
    something.. and I believe this leaves me open to this. How can I protect
    against this but still leave myself the ability to use the query string in a
    url?

    Rob
    :)


    Robert Guest

  2. #2

    Re: Protecting my app from get?

    SQL injection attacks aren't caused by querystrings. It could be from form
    data that is POSTed just as easily. It mainly has to do with how safely you
    are handling input data, regardless of its source. Read this.
    http://www.nextgenss.com/papers/advanced_sql_injection.pdf It's quite
    interesting. And at an absolute minimum, please be sure that you're at
    least dealing with input of the ' character.
    http://www.aspfaq.com/show.asp?id=2035

    Ray at home

    "Robert Mark Bram" <none> wrote in message
    news:415b4b23$0$10345$optusnet.com.au... 


    Ray Guest

  3. #3

    Re: Protecting my app from get?

    Hi Ray!

     

    I had a go at one of the examples with my own site. I tried to log in with
    username:
    ' or 1=1--
    and any password.

    I got this:

    Error Type:
    Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query
    expression 'username = '' or 1=1--''.
    /RobertMarkBram/login/UsersDatabase.asp, line 48

    Maybe ASP/IIS is a bit smarter now?

    Rob
    :)


    Robert Guest

  4. #4

    Re: Protecting my app from get?

    One suggestion: stop using ODBC. This may not solve the problem, but it
    will make your application faster.

    http://www.aspfaq.com/show.asp?id=2126

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ado270/htm/ado_deprecated_components.asp

    Now for the error you might try looking at the articles listed in this
    search. One of them might help you I hope.

    http://www.aspfaq.com/search.asp?q=80040E14&type=ALL&category=0&numDays=0&order=1

    Robert Mark Bram wrote:
     
    >
    >
    > I had a go at one of the examples with my own site. I tried to log in with
    > username:
    > ' or 1=1--
    > and any password.
    >
    > I got this:
    >
    > Error Type:
    > Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    > [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query
    > expression 'username = '' or 1=1--''.
    > /RobertMarkBram/login/UsersDatabase.asp, line 48
    >
    > Maybe ASP/IIS is a bit smarter now?
    >
    > Rob
    > :)
    >

    Joker Guest

  5. #5

    Re: Protecting my app from get?

    Actually, that PDF is geared specifically toward SQL Server. While some of
    the things will apply in Access, not all will. In SQL, the -- indicates a
    comment. I don't believe that's the case with Access.

    But, that's not to say that something still can't be done. Example:

    <begin>
    Hi, enter the animal type to find names of people with that animal.
    <form method="post" action="injection.asp">
    <input name="animalType" type="text">
    <input type="submit">
    </form>

    <%

    If Request.ServerVariables("REQUEST_METHOD") = "POST" Then

    Dim oADO, oRS, sSQL

    Set oADO = Server.CreateObject("ADODB.Connection")
    oADO.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=d:\inetpub\wwwroot\test\test.mdb;"

    ' The form value is pasted straight into the SQL text, so a quote in the
    ' input closes the string literal and whatever follows becomes part of the query.
    sSQL = "select firstname,lastname from users where favoritePet='" & _
           Request.Form("animalType") & "'"
    Set oRS = oADO.Execute(sSQL)
    If Not oRS.EOF Then Response.Write oRS.GetString(2,," ","<br>")
    oRS.Close : Set oRS = Nothing
    oADO.Close : Set oADO = Nothing

    End If
    %>
    </end>


    But, if I'm a malicious user with some patience, I may figure out that I can
    enter this input text:

    ' or 1=1 union select username,password from users where ''='

    Okay, my sample scenario isn't the best, as I don't know why anyone would
    create a page like this, but point being, while you may expect someone to
    enter "cat" in the text box, you have to guard against someone entering
    something evil.

    Ray at home





    "Robert Mark Bram" <none> wrote in message
    news:415b766d$0$20130$optusnet.com.au... 
    >
    > I had a go at one of the examples with my own site. I tried to log in with
    > username:
    > ' or 1=1--
    > and any password.
    >
    > I got this:
    >
    > Error Type:
    > Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    > [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query
    > expression 'username = '' or 1=1--''.
    > /RobertMarkBram/login/UsersDatabase.asp, line 48
    >
    > Maybe ASP/IIS is a bit smarter now?
    >
    > Rob
    > :)
    >


    Ray Guest

  6. #6

    Re: Protecting my app from get?

    Robert Mark Bram wrote: 

    In addition to Ray's information, the best protection against sql injection
    is to avoid using dynamic sql. Use parameters instead. Here are a few of my
    old posts about using saved parameter queries (Access) and stored
    procedures:

    http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=eHYxOyvaDHA.4020%40tk2msftngp13.phx.gbl

    http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=ukS%246S%247CHA.2464%40TK2MSFTNGP11.phx.gbl

    http://www.google.com/groups?selm=eETTdnvFDHA.1660%40TK2MSFTNGP10.phx.gbl&oe=UTF-8&output=gplain

    Bob Barrows
    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"


    Bob Guest
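As an added example (not code from the thread, nor from Ray or Bob), here is Ray's animal-type page from post #5 rewritten the way Bob describes in post #6: the SQL goes into an ADODB.Command and the user's text is bound to a ? placeholder instead of being concatenated into the statement. It assumes Ray's table, column names and .mdb path, a 50-character favoritePet column, and a made-up file name injection_fixed.asp. Because the value is sent separately from the SQL text, the quote-and-union input Ray shows is simply compared literally against favoritePet and matches nothing; and since the function takes a plain string, it works unchanged on a value from Request.QueryString, which is Rob's detail-page case from post #1. Output is HTML-encoded on the way out, because text read back from the table is no more trustworthy than text typed into the form.

```vbscript
<% Option Explicit %>
Hi, enter the animal type to find names of people with that animal.
<form method="post" action="injection_fixed.asp">
<input name="animalType" type="text">
<input type="submit">
</form>

<%
' Standard ADO constants (usually pulled in from adovbs.inc).
Const adCmdText    = 1     ' CommandText is a plain SQL statement
Const adVarWChar   = 202   ' Unicode variable-length string
Const adParamInput = 1     ' the value flows from the page into the query

' Assumed: same database, table and columns as Ray's example above.
Const DB_CONN = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=d:\inetpub\wwwroot\test\test.mdb;"

' Returns an HTML fragment listing the owners of the given pet type.
' sPet is handed to Jet as a parameter VALUE, never spliced into the SQL text,
' so a quote, a -- or a UNION inside it cannot change what the statement does.
Function OwnersOfPet(sPet)
    Dim oConn, oCmd, oRS, sOut
    Set oConn = Server.CreateObject("ADODB.Connection")
    oConn.Open DB_CONN

    Set oCmd = Server.CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oConn
    oCmd.CommandType = adCmdText
    ' ? is a positional placeholder; the parameter appended below fills it.
    oCmd.CommandText = "select firstname, lastname from users where favoritePet = ?"
    ' CreateParameter(Name, Type, Direction, Size, Value); 50 is the assumed column width.
    oCmd.Parameters.Append oCmd.CreateParameter("pet", adVarWChar, adParamInput, 50, sPet)

    Set oRS = oCmd.Execute
    sOut = ""
    Do Until oRS.EOF
        ' Encode each field for HTML: stored data is untrusted input too.
        sOut = sOut & Server.HTMLEncode(oRS("firstname") & " " & oRS("lastname")) & "<br>"
        oRS.MoveNext
    Loop
    oRS.Close : Set oRS = Nothing
    oConn.Close : Set oConn = Nothing
    OwnersOfPet = sOut
End Function

' The same call works for a value taken from Request.QueryString on a
' GET-driven detail page; the source of the text makes no difference here.
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    Response.Write OwnersOfPet(Request.Form("animalType"))
End If
%>
```

Doubling the ' character, which the aspfaq link in post #2 is about, is the minimum that keeps a string literal intact; the parameter form above makes that step unnecessary, and it is the one approach that also covers numeric values, where there is no quote to escape in the first place.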
