|
|||||||||
|
|||||||||
|
|||||||||
 |
|||||||||
| |
||
|
|
|
|
|||||||||
|
|||||||||
|
|||||||||
|
|||||||||
| |
||
|
|
|
| ||||||||||||||||||||||||||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
ASP Free Forums Sponsor:
|
|
|
|
#1
January 3rd, 2007, 12:17 PM
|
|||
|
|||
|
Help with ASP and SQL security.
I'm looking for some general security help and have to admit I'm at a bit of a loss. I've been reading through this forum for a couple hours now and see a number of different threads on these issues, but nowhere can I find someplace where relative ASP/SQL newbies can get some answers.
I build small ASP CMS systems using DreamWeaver (including their login script) and I'm having problems with sites being hacked. The sites are hosted by a hosting company so I don't think the actual server is the issue, but more likely is with some problems in the code. The problem is that people are somehow able to bypass the login page and actually change the database containing the site's information (either by adding new records, modifying existing ones or deleting records compoletely). I've seen the threads on SQL injection and think that might be the problem, but I guess I'm looking for a couple things: - how can I find out how people are bypassing the login page? - what changes do I need to make to the code to fix it? I'm not averse to a lot of reading if needed, but I don't have any idea even where I should start so any suggestions would be greatly apprecitated.
|
|
#2
January 3rd, 2007, 03:22 PM
|
|||
|
|||
|
Moved to the windows security forum.
You should start by reviewing the tons of documentation at the MSDN library and Microsoft Technet. Then do some google searches for asp security and you'll have thousands of returns. Just because your seeing a website being hacked doesn't mean the actual intrusion came via the web. There could be a disgruntled employee at the server site, an internal LAN hack via the server network, or any of a lot of other mechanisms that might compromise a windows server. You might start with some thorough reviews of your server event logs, and make sure appropriate event auditing is enabled, and look at the web server logs. Make sure your server is firewalled, has a current antivirus/antispyware running, and so forth.
__________________
====== Doug G ====== I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain
|
|
#3
January 9th, 2007, 04:47 PM
|
|||
|
|||
|
This isn't a Windows question. If its a question of security on the server, I'm just plain out of luck.
What I'm looking for is how to lock down my ASP and SQL code to make sure that's not where the problem lies. Any suggestions?
|
|
#4
January 9th, 2007, 05:44 PM
|
||||
|
||||
|
it's sounds like an issue of SQL Injection. run a google search on that and read some info.
__________________
Come JOIN the party!!! Quote of the Month: Pretension: The downside of being better than everyone else is that people tend to assume you're pretentious. Questions to Ponder: You can be overwhelmed and underwhelmed, but why can't you be simply whelmed? iif([sarcasm]=true,iif([you have to ask]=true,"didn't work","ha ha ha"),"not sarcasm") copyright© 2008 sbenj69
|
|
#6
January 10th, 2007, 06:28 AM
|
|||
|
|||
|
The dreamweaver login scripts are light on validation, but they include some sql injection prevention code, well at least a replace for single quotes which is a big issue.
Is your login checking against text fields? If so the replace should be proficient against sql injections. If there is a number field check then you may want to add some validation
__________________
CyberTechHelp
|
|
| Viewing: ASP Free Forums > System Administration > Windows Security > Help with ASP and SQL security. |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|
|
|
|
|
 |
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
Linear Mode
