SQL injection (Full Version)






jimminko -> SQL injection (3/10/2008 18:50:10)

I am told my site is vulnerable to SQL injection, but I am not sure how to handle it. Everything I have read refers to the vulnerability when entering values from a form. Mine is a link in a list populated from a database.

I am not very good with parameters, but am not able to see where the parameters should be specified or how to do it.

The page seems to be injected at "/wordbrief.asp?HeadwordID=5" (i.e. a user can change the ID in the URL?) and this seems to come from the previous page, whose (dieted ASP) code is as follows:

   
<!--#include file="../_fpclass/fpdblib.inc"-->
<% if 0 then %>
<SCRIPT Language="JavaScript">
document.write("<div style='background: yellow; color: black;'>The Database Results component on this page is unable to display database content. The page must have a filename ending in '.asp', and the web must be hosted on a server that supports Active Server Pages.</div>");
 </SCRIPT>
<% end if %>
<%
fp_sQry="SELECT HeadwordID, Greekword, DescriptionID, StatusID FROM qryWordmenu ORDER BY Alphagreek ASC"
fp_sDefault=""
fp_sNoRecords="No records returned."
fp_sDataConn="Database2"
fp_iMaxRecords=0
fp_iCommandType=1
fp_iPageSize=50
fp_fTableFormat=False
fp_fMenuFormat=False
fp_sMenuChoice="Greekword"
fp_sMenuValue="Greekword"
fp_iDisplayCols=1
fp_fCustomQuery=False
BOTID=0
fp_iRegion=BOTID
%>
<!--#include file="../_fpclass/fpdbrgn1.inc"-->
  <P style="margin-left: 10; margin-top: 0; margin-bottom: 5">
   <span class="grk">
   <FONT size="4">
  
 <A HREF="wordbrief.asp?HeadwordID=<%=FP_FieldURL(fp_rs,"HeadwordID")%>&DescriptionID=<%=FP_FieldURL(fp_rs,"DescriptionID")%>"><%=FP_FieldVal(fp_rs,"Greekword")%></A> 
 
</FONT></SPAN></P>
 <!--#include file="../_fpclass/fpdbrgn2.inc"-->


I hope that makes sense. I am not too clear on this one!

jimminko




Spooky -> RE: SQL injection (3/10/2008 19:37:00)

What code occurs on wordbrief.asp?




jimminko -> RE: SQL injection (3/11/2008 9:40:41)

Sorry. Thanks for the help - if I can understand how it works on this one, I can apply it to my other pages. Here's the wordbrief.asp code:

 <tbody>
           <!--#include file="../_fpclass/fpdblib.inc"-->
<% if 0 then %>
<SCRIPT Language="JavaScript">
document.write("<div style='background: yellow; color: black;'>The Database Results component on this page is unable to display database content. The page must have a filename ending in '.asp', and the web must be hosted on a server that supports Active Server Pages.</div>");
           </SCRIPT>
<% end if %>
<%
fp_sQry="SELECT * FROM qryWorddescription WHERE (HeadwordID =  ::HeadwordID::)"
fp_sDefault="HeadwordID="
fp_sNoRecords="<tr><td colspan=9 align=left width=""100%"">No records returned.</td></tr>"
fp_sDataConn="Database2"
fp_iMaxRecords=0
fp_iCommandType=1
fp_iPageSize=5
fp_fTableFormat=True
fp_fMenuFormat=False
fp_sMenuChoice="Greekword"
fp_sMenuValue="Greekword"
fp_iDisplayCols=9
fp_fCustomQuery=False
BOTID=0
fp_iRegion=BOTID
%>
<!--#include file="../_fpclass/fpdbrgn1.inc"-->
           <tr>
              <td height="24"><span class="grk"><FONT size="4">
              <%=FP_FieldVal(fp_rs,"Greekword")%></font></SPAN></td>
              <td height="24" colspan="3"></td>
            </tr>
            <tr>
              <td height="24" valign="top" bgcolor="#FFFF99" >

              <b>Grammar</b></td>
              <td height="24" valign="top" WIDTH="300">
              <%=FP_FieldVal(fp_rs,"Gramtype")%>  
              <%=FP_FieldVal(fp_rs,"Gramsubclass")%> 
               <%=FP_FieldVal(fp_rs,"Declension")%></td>
            </tr>
            <tr>
              <td height="22" valign="top" bgcolor="#FFFF99">
       
  <b>Features</b></td>
              <td height="22" colspan="3" valign="top">
  <%=FP_FieldVal(fp_rs,"Neologism")%>
  <p style="line-height: 100%; margin-top: 0; margin-bottom: 0">
         </td>
            </tr>
            
            <tr>
              <td height="30" valign="top" bgcolor="#FFFF99">

  <b>Status</b></td>
              <td height="21" colspan="3" valign="top">
     <%=FP_FieldVal(fp_rs,"Status")%> <%=FP_FieldVal(fp_rs,"Personsurname")%>

           </td>
            </tr>
            
            <tr>
              <td height="25" align="center" bgcolor="#C0C0C0">
        
            
             <font face="Verdana" size="2">
               <a href="booklist.asp?HeadwordID=<%=FP_FieldURL(fp_rs,"HeadwordID")%>">Bibliography</a></font></td>
              <td height="25" colspan="3">
              <FONT size="2"><I>Last updated:</I>
 
              <%=FP_FieldVal(fp_rs,"Lastupdated")%></FONT></td>
              </tr>
              
            <!--#include file="../_fpclass/fpdbrgn2.inc"-->
</tbody>
        </table>   
        
        
   <TABLE border="1" style="border-collapse: collapse" bordercolor="#111111" cellpadding="5" cellspacing="0" ALIGN="left">
          <THEAD>
            <TR>
              <TD bgcolor="#FFFF99"><B>Morph category</B></TD>
              <TD bgcolor="#FFFF99"><B>Morphology</B></TD>
            </TR>
          </THEAD>
          <TBODY>
            <!--#include file="../_fpclass/fpdblib.inc"-->
<% if 0 then %>
<SCRIPT Language="JavaScript">
document.write("<div style='background: yellow; color: black;'>The Database Results component on this page is unable to display database content. The page must have a filename ending in '.asp', and the web must be hosted on a server that supports Active Server Pages.</div>");
            </SCRIPT>
<% end if %>
<%
fp_sQry="SELECT DISTINCT Morphcategory, Morphology FROM qryMorphology WHERE (HeadwordID =  ::HeadwordID::)"
fp_sDefault=""
fp_sNoRecords="<tr><td colspan=2 align=left width=""100%"">No data entered.</td></tr>"
fp_sDataConn="Database2"
fp_iMaxRecords=256
fp_iCommandType=1
fp_iPageSize=5
fp_fTableFormat=True
fp_fMenuFormat=False
fp_sMenuChoice=""
fp_sMenuValue=""
fp_iDisplayCols=2
fp_fCustomQuery=False
BOTID=1
fp_iRegion=BOTID
%>
<!--#include file="../_fpclass/fpdbrgn1.inc"-->
<TR>
              <TD height="24">
              <%=FP_FieldVal(fp_rs,"Morphcategory")%> </TD>
              <TD><SPAN CLASS="grk">
              <%=FP_FieldVal(fp_rs,"Morphology")%> </SPAN></TD>
            </TR>
            <!--#include file="../_fpclass/fpdbrgn2.inc"-->
</TBODY>
        </TABLE>
        
        
        
 <TABLE border="1" style="border-collapse: collapse" bordercolor="#111111" cellpadding="5" cellspacing="0" ALIGN="left" height="49">
          <THEAD>
            <TR>
              <TD bgcolor="#FFFF99" height="8"><B>Occurrences</B></TD>
            </TR>
          </THEAD>
          <TBODY>
          <TR>
          <TD height="20">
          <% 
test = "SELECT DISTINCT Count(*) AS TotalCount FROM qrySources WHERE HeadwordID="& Request("HeadwordID")
Set myConn = Server.CreateObject("ADODB.Connection") 
myPath = Application("Database2_ConnectionString") 
myConn.Open myPath
mySQL = test 
Set myRS = Server.CreateObject("ADODB.RecordSet") 
myRS.Open mySQL, myConn 
FirstValue = myRS("TotalCount") 
myRS.Close 
Set myRS = Nothing 
myConn.Close 
Set myConn = Nothing 

response.write (FirstValue)

%>  </TD>

          </TR>
      </TBODY>





ou812 -> RE: SQL injection (3/11/2008 11:32:56)

Here's a quick read on injection, so you get an idea of what it is you're trying to stop: http://en.wikipedia.org/wiki/SQL_injection

So, you're basically wanting to stop your SQL from becoming a way to manipulate your database in a way you didn't intend. Doing something as simple as what Roger suggests should work: http://www.frontpagewebmaster.com/m-312633/key-sql%252Cinjection/tm.htm#312639

<%
Function StripQuote(TextIn)
TextIn = Replace(TextIn,"'","''")
StripQuote = TextIn
End Function
%>

and use it like this:

sqltext =("SELECT * From tblsecure WHERE username = '" & StripQuote(Request.Form("username")) & "' AND password = '" & StripQuote(Request.Form("password")) & "'") 




jimminko -> RE: SQL injection (3/16/2008 12:02:54)

Thanks for the help. I am being a bit slow on this one though. I have tried modifying the code to this (is this the right idea?), although now it pulls up all the records and not just the selected one:

        <!--#include file="../_fpclass/fpdblib.inc"-->
<% if 0 then %>
<SCRIPT Language="JavaScript">
document.write("<div style='background: yellow; color: black;'>The Database Results component on this page is unable to display database content. The page must have a filename ending in '.asp', and the web must be hosted on a server that supports Active Server Pages.</div>");
           </SCRIPT>
<% end if %>

<%
Function StripQuote(TextIn)
TextIn = Replace(TextIn,"'","''")
StripQuote = TextIn
End Function

fp_sQry="SELECT * FROM qryWorddescription WHERE '(HeadwordID = & StripQuote(::HeadwordID::)'"
fp_sDefault="HeadwordID="
fp_sNoRecords="<tr><td colspan=9 align=left width=""100%"">No records returned.</td></tr>"
fp_sDataConn="Database2"
fp_iMaxRecords=0
fp_iCommandType=1
fp_iPageSize=5
fp_fTableFormat=True
fp_fMenuFormat=False
fp_sMenuChoice="Greekword"
fp_sMenuValue="Greekword"
fp_iDisplayCols=9
fp_fCustomQuery=False
BOTID=0
fp_iRegion=BOTID

%>
<!--#include file="../_fpclass/fpdbrgn1.inc"-->





jimminko -> RE: SQL injection (3/16/2008 14:38:07)

I think I have solved it - usual untidy syntax. Placing the function at the top of the page, I now have the query as:

fp_sQry="SELECT * FROM qryWorddescription WHERE HeadwordID="& StripQuote(Request("HeadwordID"))& ""


Could someone just confirm that this will solve my SQL injection problem?

Many thanks,

Jimminko




Spooky -> RE: SQL injection (3/16/2008 16:12:21)

As it's numeric, just use:

fp_sQry="SELECT * FROM qryWorddescription WHERE HeadwordID="& cLng(Request("HeadwordID"))
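As an added example (not code from the thread), here is the "Occurrences" count block from wordbrief.asp rewritten so that the URL value can never become part of the SQL text. Spooky's CLng cast works because HeadwordID is numeric, but a bare CLng raises a run-time error on any value that is not a number, and a StripQuote-style quote doubling only protects values that sit inside a quoted string literal, so an unquoted numeric comparison needs the value validated as a number and bound as a typed parameter. The example assumes the page's Application("Database2_ConnectionString") and qrySources, and that the data source accepts ? as a parameter marker (the Jet/Access and SQL Server OLE DB providers do).

```asp
<%
' Added example, not from the thread: validate HeadwordID as a whole
' number, then pass it to the query as a typed ADO parameter instead of
' concatenating it into the SQL string.

' Returns True and sets idOut only when rawValue is 1-9 decimal digits.
' A regular expression is used rather than IsNumeric, which also
' accepts "5.4", "1e3" and "&H10", and rather than a bare CLng, which
' raises a type-mismatch error on anything that is not a number.
Function TryParseHeadwordID(rawValue, ByRef idOut)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    TryParseHeadwordID = re.Test(rawValue & "")   ' & "" turns Empty/Null into ""
    If TryParseHeadwordID Then idOut = CLng(rawValue)
End Function

' Runs the same count as the page, with HeadwordID bound as an integer
' parameter (adInteger = 3, adParamInput = 1; adCmdText = 1).
Function OccurrenceCount(headwordID)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("Database2_ConnectionString")
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1
    cmd.CommandText = "SELECT COUNT(*) AS TotalCount FROM qrySources WHERE HeadwordID = ?"
    cmd.Parameters.Append cmd.CreateParameter("HeadwordID", 3, 1, , headwordID)
    Set rs = cmd.Execute
    OccurrenceCount = CLng(rs("TotalCount"))
    rs.Close
    conn.Close
    Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
End Function

' The id arrives in the link's query string, so read only that collection
' rather than the combined Request("HeadwordID") lookup the page uses.
Dim headwordID
If TryParseHeadwordID(Request.QueryString("HeadwordID"), headwordID) Then
    Response.Write Server.HTMLEncode(CStr(OccurrenceCount(headwordID)))
Else
    ' Reject rather than guess: a bad id is a client error, not a database query.
    Response.Status = "400 Bad Request"
    Response.Write "Invalid HeadwordID."
End If
%>
```

The same TryParseHeadwordID check can run once at the top of the page so that every query on wordbrief.asp only ever sees a validated Long.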




jimminko -> RE: SQL injection (3/16/2008 19:29:18)

Thanks for the help.

Reliable as ever [:D]





Forum Software © ASPPlayground.NET Advanced Edition 2.4.5 ANSI