#1
Help with ASP and SQL security.
I'm looking for some general security help and have to admit I'm at a bit of a loss. I've been reading through this forum for a couple hours now and see a number of different threads on these issues, but nowhere can I find someplace where relative ASP/SQL newbies can get some answers.
I build small ASP CMS systems using DreamWeaver (including their login script) and I'm having problems with sites being hacked. The sites are hosted by a hosting company so I don't think the actual server is the issue, but more likely is with some problems in the code. The problem is that people are somehow able to bypass the login page and actually change the database containing the site's information (either by adding new records, modifying existing ones or deleting records completely). I've seen the threads on SQL injection and think that might be the problem, but I guess I'm looking for a couple things:
- how can I find out how people are bypassing the login page?
- what changes do I need to make to the code to fix it?
I'm not averse to a lot of reading if needed, but I don't have any idea even where I should start so any suggestions would be greatly appreciated.
#2
Moved to the Windows security forum.
You should start by reviewing the tons of documentation at the MSDN library and Microsoft Technet. Then do some Google searches for ASP security and you'll have thousands of returns. Just because you're seeing a website being hacked doesn't mean the actual intrusion came via the web. There could be a disgruntled employee at the server site, an internal LAN hack via the server network, or any of a lot of other mechanisms that might compromise a Windows server. You might start with some thorough reviews of your server event logs, and make sure appropriate event auditing is enabled, and look at the web server logs. Make sure your server is firewalled, has a current antivirus/antispyware running, and so forth.
__________________
====== Doug G ====== I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain
#3
This isn't a Windows question. If it's a question of security on the server, I'm just plain out of luck.
What I'm looking for is how to lock down my ASP and SQL code to make sure that's not where the problem lies. Any suggestions?
#4
It sounds like an issue of SQL injection. Run a Google search on that and read some info.
__________________
Come JOIN the party!!! Quote of the Month: Stupidity: Quitters never win, winners never quit, but those who never win AND never quit are idiots. Questions to Ponder: If man evolved from monkeys and apes, why do we still have monkeys and apes? iif([sarcasm]=true,iif([you have to ask]=true,"didn't work","ha ha ha"),"not sarcasm") copyright© 2008 sbenj69
#5
Quote:
Oh well, good luck on getting your problem resolved anyway ...
#6
The Dreamweaver login scripts are light on validation, but they include some SQL injection prevention code, well at least a replace for single quotes which is a big issue.
Is your login checking against text fields? If so the replace should be proficient against SQL injections. If there is a number field check then you may want to add some validation.
__________________
CyberTechHelp
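
Added example, not part of the thread and not Dreamweaver's code: it tests the distinction post #6 draws between text fields and number fields, comparing a single-quote replace with bound parameters plus integer validation. Python with an in-memory SQLite database stands in for ASP and the site's database; the table names, function names and inputs are all constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data (password in clear only to keep this short)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO users VALUES ('editor', 'correct-horse');
        INSERT INTO pages VALUES (1, 'Home'), (2, 'Contact');
    """)
    return db

def escape_quotes(value):
    """The single-quote replace that post #6 describes."""
    return value.replace("'", "''")

def login_escaped(db, username, password):
    """Text fields concatenated into the query, protected only by the replace."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (escape_quotes(username), escape_quotes(password)))
    return db.execute(sql).fetchone()[0] > 0

def pages_matched_escaped(db, page_id):
    """Numeric field concatenated into the query: there are no quotes to
    escape, so the replace changes nothing and the input is parsed as SQL."""
    sql = "SELECT COUNT(*) FROM pages WHERE id = " + escape_quotes(page_id)
    return db.execute(sql).fetchone()[0]

def login_param(db, username, password):
    """Hardened: values are bound as parameters and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def pages_matched_param(db, page_id):
    """Hardened: require a plain integer, then bind it as a parameter."""
    if not (page_id.isascii() and page_id.isdigit()):
        raise ValueError("page id must be a non-negative integer")
    sql = "SELECT COUNT(*) FROM pages WHERE id = ?"
    return db.execute(sql, (int(page_id),)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    quoted = "x' OR '1'='1"   # constructed test input that relies on quotes
    numeric = "1 OR 1=1"      # constructed test input containing no quotes
    print(login_escaped(db, "editor", quoted))   # False
    print(login_param(db, "editor", quoted))     # False
    print(pages_matched_escaped(db, numeric))    # 2
    print(pages_matched_param(db, "1"))          # 1
```

In classic ASP the equivalent of the bound form is an `ADODB.Command` with `?` placeholders and parameters appended through `CreateParameter`.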