jimminko
Posts: 58 Joined: 5/10/2003 From: Cambridge, UK Status: offline
SQL injection - 3/10/2008 18:50:10
I am told my site is vulnerable to SQL injection, but I am not sure how to handle it. Everything I have read refers to the vulnerability when entering values from a form. Mine is a link in a list populated from a database. I am not very good with parameters, but am not able to see where the parameters should be specified or how to do it. The page seems to be injected at "/wordbrief.asp?HeadwordID=5" (i.e. a user can change the ID in the URL?) and this seems to come from the previous page, whose (edited ASP) code is as follows:
<!--#include file="../_fpclass/fpdblib.inc"-->
<% if 0 then %>
<SCRIPT Language="JavaScript">
document.write("<div style='background: yellow; color: black;'>The Database Results component on this page is unable to display database content. The page must have a filename ending in '.asp', and the web must be hosted on a server that supports Active Server Pages.</div>");
</SCRIPT>
<% end if %>
<%
fp_sQry="SELECT HeadwordID, Greekword, DescriptionID, StatusID FROM qryWordmenu ORDER BY Alphagreek ASC"
fp_sDefault=""
fp_sNoRecords="No records returned."
fp_sDataConn="Database2"
fp_iMaxRecords=0
fp_iCommandType=1
fp_iPageSize=50
fp_fTableFormat=False
fp_fMenuFormat=False
fp_sMenuChoice="Greekword"
fp_sMenuValue="Greekword"
fp_iDisplayCols=1
fp_fCustomQuery=False
BOTID=0
fp_iRegion=BOTID
%>
<!--#include file="../_fpclass/fpdbrgn1.inc"-->
<P style="margin-left: 10; margin-top: 0; margin-bottom: 5">
<span class="grk">
<FONT size="4">
<A HREF="wordbrief.asp?HeadwordID=<%=FP_FieldURL(fp_rs,"HeadwordID")%>&DescriptionID=<%=FP_FieldURL(fp_rs,"DescriptionID")%>"><%=FP_FieldVal(fp_rs,"Greekword")%></A>
</FONT></SPAN></P>
<!--#include file="../_fpclass/fpdbrgn2.inc"-->
I hope that makes sense. I am not too clear on this one! jimminko
jimminko
Posts: 58 Joined: 5/10/2003 From: Cambridge, UK Status: offline
RE: SQL injection - 3/11/2008 9:40:41
Sorry. Thanks for the help - if I can understand how it works on this one, I can apply it to my other pages. Here's the wordbrief.asp code:
<tbody>
<!--#include file="../_fpclass/fpdblib.inc"-->
<% if 0 then %>
<SCRIPT Language="JavaScript">
document.write("<div style='background: yellow; color: black;'>The Database Results component on this page is unable to display database content. The page must have a filename ending in '.asp', and the web must be hosted on a server that supports Active Server Pages.</div>");
</SCRIPT>
<% end if %>
<%
fp_sQry="SELECT * FROM qryWorddescription WHERE (HeadwordID = ::HeadwordID::)"
fp_sDefault="HeadwordID="
fp_sNoRecords="<tr><td colspan=9 align=left width=""100%"">No records returned.</td></tr>"
fp_sDataConn="Database2"
fp_iMaxRecords=0
fp_iCommandType=1
fp_iPageSize=5
fp_fTableFormat=True
fp_fMenuFormat=False
fp_sMenuChoice="Greekword"
fp_sMenuValue="Greekword"
fp_iDisplayCols=9
fp_fCustomQuery=False
BOTID=0
fp_iRegion=BOTID
%>
<!--#include file="../_fpclass/fpdbrgn1.inc"-->
<tr>
<td height="24"><span class="grk"><FONT size="4">
<%=FP_FieldVal(fp_rs,"Greekword")%></font></SPAN></td>
<td height="24" colspan="3"></td>
</tr>
<tr>
<td height="24" valign="top" bgcolor="#FFFF99" >
<b>Grammar</b></td>
<td height="24" valign="top" WIDTH="300">
<%=FP_FieldVal(fp_rs,"Gramtype")%>
<%=FP_FieldVal(fp_rs,"Gramsubclass")%>
<%=FP_FieldVal(fp_rs,"Declension")%></td>
</tr>
<tr>
<td height="22" valign="top" bgcolor="#FFFF99">
<b>Features</b></td>
<td height="22" colspan="3" valign="top">
<%=FP_FieldVal(fp_rs,"Neologism")%>
<p style="line-height: 100%; margin-top: 0; margin-bottom: 0">
</td>
</tr>
<tr>
<td height="30" valign="top" bgcolor="#FFFF99">
<b>Status</b></td>
<td height="21" colspan="3" valign="top">
<%=FP_FieldVal(fp_rs,"Status")%> <%=FP_FieldVal(fp_rs,"Personsurname")%>
</td>
</tr>
<tr>
<td height="25" align="center" bgcolor="#C0C0C0">
<font face="Verdana" size="2">
<a href="booklist.asp?HeadwordID=<%=FP_FieldURL(fp_rs,"HeadwordID")%>">Bibliography</a></font></td>
<td height="25" colspan="3">
<FONT size="2"><I>Last updated:</I>
<%=FP_FieldVal(fp_rs,"Lastupdated")%></FONT></td>
</tr>
<!--#include file="../_fpclass/fpdbrgn2.inc"-->
</tbody>
</table>
<TABLE border="1" style="border-collapse: collapse" bordercolor="#111111" cellpadding="5" cellspacing="0" ALIGN="left">
<THEAD>
<TR>
<TD bgcolor="#FFFF99"><B>Morph category</B></TD>
<TD bgcolor="#FFFF99"><B>Morphology</B></TD>
</TR>
</THEAD>
<TBODY>
<!--#include file="../_fpclass/fpdblib.inc"-->
<% if 0 then %>
<SCRIPT Language="JavaScript">
document.write("<div style='background: yellow; color: black;'>The Database Results component on this page is unable to display database content. The page must have a filename ending in '.asp', and the web must be hosted on a server that supports Active Server Pages.</div>");
</SCRIPT>
<% end if %>
<%
fp_sQry="SELECT DISTINCT Morphcategory, Morphology FROM qryMorphology WHERE (HeadwordID = ::HeadwordID::)"
fp_sDefault=""
fp_sNoRecords="<tr><td colspan=2 align=left width=""100%"">No data entered.</td></tr>"
fp_sDataConn="Database2"
fp_iMaxRecords=256
fp_iCommandType=1
fp_iPageSize=5
fp_fTableFormat=True
fp_fMenuFormat=False
fp_sMenuChoice=""
fp_sMenuValue=""
fp_iDisplayCols=2
fp_fCustomQuery=False
BOTID=1
fp_iRegion=BOTID
%>
<!--#include file="../_fpclass/fpdbrgn1.inc"-->
<TR>
<TD height="24">
<%=FP_FieldVal(fp_rs,"Morphcategory")%> </TD>
<TD><SPAN CLASS="grk">
<%=FP_FieldVal(fp_rs,"Morphology")%> </SPAN></TD>
</TR>
<!--#include file="../_fpclass/fpdbrgn2.inc"-->
</TBODY>
</TABLE>
<TABLE border="1" style="border-collapse: collapse" bordercolor="#111111" cellpadding="5" cellspacing="0" ALIGN="left" height="49">
<THEAD>
<TR>
<TD bgcolor="#FFFF99" height="8"><B>Occurrences</B></TD>
</TR>
</THEAD>
<TBODY>
<TR>
<TD height="20">
<%
' HeadwordID is taken straight from the request (the unqualified Request()
' collection also reads Form and Cookie values) and concatenated into the
' statement with no type check and no quoting: this is the injectable query.
test = "SELECT DISTINCT Count(*) AS TotalCount FROM qrySources WHERE HeadwordID="& Request("HeadwordID")
Set myConn = Server.CreateObject("ADODB.Connection")
myPath = Application("Database2_ConnectionString")
myConn.Open myPath
mySQL = test
Set myRS = Server.CreateObject("ADODB.RecordSet")
myRS.Open mySQL, myConn
FirstValue = myRS("TotalCount")
myRS.Close
Set myRS = Nothing
myConn.Close
Set myConn = Nothing
response.write (FirstValue)
%> </TD>
</TR>
</TBODY>
ou812
Posts: 1538 Joined: 1/5/2002 From: San Diego Status: offline
RE: SQL injection - 3/11/2008 11:32:56
Here's a quick read on injection, so you get an idea of what it is you're trying to stop: http://en.wikipedia.org/wiki/SQL_injection
So, you're basically wanting to stop your SQL from becoming a way to manipulate your database that you didn't intend. Doing something as simple as what Roger suggests should work: http://www.frontpagewebmaster.com/m-312633/key-sql%252Cinjection/tm.htm#312639
<%
Function StripQuote(TextIn)
TextIn = Replace(TextIn,"'","''")
StripQuote = TextIn
End Function
%>
and use it like this:
sqltext =("SELECT * From tblsecure WHERE username = '" & StripQuote(Request.Form("username")) & "' AND password = '" & StripQuote(Request.Form("password")) & "'")
_____________________________
-brian EnterpriseDB: Enterprise-class relational database management system PostgreSQL: The world's most advanced open source database
jimminko
Posts: 58 Joined: 5/10/2003 From: Cambridge, UK Status: offline
RE: SQL injection - 3/16/2008 12:02:54
Thanks for the help. I am being a bit slow on this one though. I have tried modifying the code to this (is this the right idea?), although now it pulls up all the records and not just the selected one:
<!--#include file="../_fpclass/fpdblib.inc"-->
<% if 0 then %>
<SCRIPT Language="JavaScript">
document.write("<div style='background: yellow; color: black;'>The Database Results component on this page is unable to display database content. The page must have a filename ending in '.asp', and the web must be hosted on a server that supports Active Server Pages.</div>");
</SCRIPT>
<% end if %>
<%
Function StripQuote(TextIn)
TextIn = Replace(TextIn,"'","''")
StripQuote = TextIn
End Function
fp_sQry="SELECT * FROM qryWorddescription WHERE '(HeadwordID = & StripQuote(::HeadwordID::)'"
fp_sDefault="HeadwordID="
fp_sNoRecords="<tr><td colspan=9 align=left width=""100%"">No records returned.</td></tr>"
fp_sDataConn="Database2"
fp_iMaxRecords=0
fp_iCommandType=1
fp_iPageSize=5
fp_fTableFormat=True
fp_fMenuFormat=False
fp_sMenuChoice="Greekword"
fp_sMenuValue="Greekword"
fp_iDisplayCols=9
fp_fCustomQuery=False
BOTID=0
fp_iRegion=BOTID
%>
<!--#include file="../_fpclass/fpdbrgn1.inc"-->
jimminko
Posts: 58 Joined: 5/10/2003 From: Cambridge, UK Status: offline
RE: SQL injection - 3/16/2008 14:38:07
I think I have solved it - usual untidy syntax. Placing the function at the top of the page, I now have the query as:
fp_sQry="SELECT * FROM qryWorddescription WHERE HeadwordID="& StripQuote(Request("HeadwordID"))& ""
Could someone just confirm that this will solve my SQL injection problem? Many thanks, Jimminko
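An added example, not code from the thread or from any of its posters, that runs the two approaches discussed above side by side: ou812's StripQuote (doubling single quotes) applied to the unquoted numeric predicate of the final query, the same StripQuote applied to the quoted string predicate it was written for, and a validated, parameterised version of the lookup. It uses an in-memory SQLite table as a stand-in for the site's qryWorddescription view; the table, its three rows and the use of the Greekword column for the string case are constructed for the demonstration, and sqlite3 here replaces the site's ADODB connection.

```python
import sqlite3

# Constructed sample data: only the column names HeadwordID and Greekword come from
# the thread; the rows and the table shape are invented for this demonstration.
SAMPLE_ROWS = [(1, "alpha"), (5, "epsilon"), (9, "iota")]


def make_db() -> sqlite3.Connection:
    """Build the stand-in qryWorddescription table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE qryWorddescription (HeadwordID INTEGER, Greekword TEXT)")
    conn.executemany("INSERT INTO qryWorddescription VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def strip_quote(text_in: str) -> str:
    """Python rendering of the thread's VBScript StripQuote: Replace(TextIn, "'", "''")."""
    return text_in.replace("'", "''")


def query_numeric_concat(conn: sqlite3.Connection, headword_id: str) -> list:
    """The thread's final query: WHERE HeadwordID= & StripQuote(Request("HeadwordID")).

    The value is spliced into a numeric comparison with no quotes around it, so an
    attacker never needs a quote character and StripQuote has nothing to double.
    """
    sql = "SELECT * FROM qryWorddescription WHERE HeadwordID=" + strip_quote(headword_id)
    return conn.execute(sql).fetchall()


def query_string_concat(conn: sqlite3.Connection, greekword: str) -> list:
    """The case StripQuote was written for: a value inside single quotes. Doubling the
    quote keeps the attacker's text inside the string literal, as in ou812's example."""
    sql = "SELECT * FROM qryWorddescription WHERE Greekword='" + strip_quote(greekword) + "'"
    return conn.execute(sql).fetchall()


def is_valid_headword_id(raw: str) -> bool:
    """Allow-list check: 1 to 9 ASCII digits and nothing else.

    Deliberately stricter than Python's str.isdigit() or VBScript's IsNumeric(), both of
    which accept values ("5.0", "1e3", non-ASCII digits) that are not a plain row ID.
    """
    return 0 < len(raw) <= 9 and all("0" <= ch <= "9" for ch in raw)


def parse_headword_id(raw: str) -> int:
    """Reject anything that is not a plain ID before it goes anywhere near SQL."""
    if not is_valid_headword_id(raw):
        raise ValueError("HeadwordID must be 1 to 9 digits")
    return int(raw)


def query_parameterised(conn: sqlite3.Connection, headword_id: str) -> list:
    """The fix: validate, then bind. The driver sends the value separately from the SQL
    text, so it can only ever be compared with HeadwordID, never parsed as SQL."""
    hid = parse_headword_id(headword_id)
    return conn.execute("SELECT * FROM qryWorddescription WHERE HeadwordID=?", (hid,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(query_numeric_concat(conn, "5"))         # [(5, 'epsilon')]: works as intended
    print(query_numeric_concat(conn, "5 OR 1=1"))  # all three rows: StripQuote changed nothing
    # Same hole, used to read another table (here SQLite's own schema table):
    print(query_numeric_concat(conn, "0 UNION SELECT name, sql FROM sqlite_master"))
    print(query_string_concat(conn, "x' OR '1'='1"))  # []: quoted context, doubling does hold here
    print(query_parameterised(conn, "5"))             # [(5, 'epsilon')]
    try:
        query_parameterised(conn, "5 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The point for the Classic ASP page is that the escaping suggestion and the final `WHERE HeadwordID="& StripQuote(Request("HeadwordID"))` protect different things: doubling quotes only matters when the value sits inside a quoted literal, and HeadwordID never does. In Classic ASP the same two controls are a digits-only check on the request value (IsNumeric alone is too loose, for the reasons in the validator's comment) followed by CLng before it is used, or, better, replacing the string building with an ADODB.Command whose CommandText uses a `?` placeholder and a parameter appended with CreateParameter, so the database receives HeadwordID as a bound integer rather than as text inside the statement.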