SQL Injection

SQL injection attacks take advantage of code that does not filter input that is being entered directly into a form. Susceptible applications are applications that take direct user input from the web and then generate dynamic SQL which is then executed through back-end code.

Protecting Applications from SQL Injection


The first thing to do is to protect SQL queries by implementing sanitization techniques for all input received from any ASP request object:

(Request, Request.QueryString, Request.Form, Request.Cookies, and Request.ServerVariables).


Customers' sanitization routines will vary, but below are examples for MS SQL Server.


In the example below, the script expects two variables (txtUsername, txtPassword) of type string to be passed. An unescaped single quote in a parameter terminates the string literal in the SQL statement and lets the user manipulate the command being executed. To prevent this form of SQL injection, escape the single quotes using the Replace function, like so:

p_strUsername = Replace(Request.Form("txtUsername"), "'", "''")
p_strPassword = Replace(Request.Form("txtPassword"), "'", "''")


In the next example an ID (customerID, for instance) is used. The script expects a variable (ID) of type integer to be passed to it. Unauthorized SQL commands can be executed by appending SQL to the ID parameter. To prevent this type of SQL injection, restrict the input to an integer using CLng, like so:


p_lngID = CLng(Request("ID"))


If the user tries to pass in a non-numeric string, the CLng function raises a type mismatch error instead of returning a value.


To further reduce the risk of SQL injection, be sure to remove any technical information from client-delivered error messages. Error messages often reveal technical details that help an attacker identify vulnerable entry points. This includes any custom messages your application generates as well as IIS-generated errors. You can implement this by creating non-technical custom error pages.

Another method of preventing SQL injection is to use stored procedures. Stored procedures make it much harder for a SQL injection to succeed: you can restrict access to the objects within the database to specific accounts and permit those accounts only to execute the stored procedures.
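The following classic ASP page is an added example, not code from the original article. It combines the article's two checks (Replace for the string inputs, CLng for the ID, with the CLng error trapped so no technical error reaches the client) into one login lookup, and then goes one step beyond the article by showing the same lookup with ADODB.Command typed parameters, which is also how a stored procedure receives its arguments. The Users table (UserName, Password, CustomerID) and the connection string strConn are assumptions.

```vbscript
<% Option Explicit
' Added example, not code from the original article. It combines the
' article's two checks (Replace for strings, CLng for the ID) into one
' login lookup and then shows the ADODB parameterized form. Assumes a
' Users table (UserName, Password, CustomerID) and a connection string strConn.
Dim p_strUsername, p_strPassword, p_lngID, strSQL, objConn, objCmd, objRS
' String inputs: double each single quote so it stays inside the literal.
p_strUsername = Replace(Request.Form("txtUsername"), "'", "''")
p_strPassword = Replace(Request.Form("txtPassword"), "'", "''")

' Integer input: CLng raises a runtime error on non-numeric text. Trap it
' and reject the request instead of sending the error details to the client.
On Error Resume Next
p_lngID = CLng(Request("ID"))
If Err.Number <> 0 Then
    Err.Clear
    On Error GoTo 0
    Response.Write "Invalid request."
    Response.End
End If
On Error GoTo 0

' Form 1: the article's approach, escaped values spliced into the SQL text.
' Safe only because every string went through Replace and the ID is a Long.
strSQL = "SELECT CustomerID FROM Users WHERE UserName = '" & p_strUsername & _
         "' AND Password = '" & p_strPassword & "' AND CustomerID = " & p_lngID

' Form 2 (preferred): typed parameters. The raw values never become part of
' the SQL text, so no escaping is needed and a quote cannot alter the statement.
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open strConn
Set objCmd = Server.CreateObject("ADODB.Command")
objCmd.ActiveConnection = objConn
objCmd.CommandText = "SELECT CustomerID FROM Users " & _
    "WHERE UserName = ? AND Password = ? AND CustomerID = ?"
objCmd.CommandType = 1   ' adCmdText
' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 3 = adInteger, 1 = adParamInput
objCmd.Parameters.Append objCmd.CreateParameter("u", 200, 1, 50, CStr(Request.Form("txtUsername")))
objCmd.Parameters.Append objCmd.CreateParameter("p", 200, 1, 50, CStr(Request.Form("txtPassword")))
objCmd.Parameters.Append objCmd.CreateParameter("id", 3, 1, 4, p_lngID)
Set objRS = objCmd.Execute

If objRS.EOF Then
    Response.Write "Login failed."
Else
    Response.Write "Welcome, customer " & objRS("CustomerID")
End If
objRS.Close : objConn.Close
%>
```

Form 1 is shown only to make the escaped values' intended use concrete; a stored procedure gives the same protection as Form 2 only if it does not itself assemble dynamic SQL from its parameters.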

More information here
SQL Injection

Microsoft Source Code Analyzer for SQL Injection
http://www.microsoft.com/downloads/details.aspx?FamilyID=58a7c46e-a599-4fcb-9ab4-a4334146b6ba&DisplayLang=en



CF SQL Injection:
http://russ.michaels.me.uk/index.cfm/2008/7/24/SQL-Injection-Attacks--How-to-protect_yourself
