Thread: SQL Injection

#1 (Moderator)

    Hi All

    I have just noticed someone trying to attack my database using SQL Injection. I have protected my forms from attack but they are using page URLs directly.

    The attack takes the form of...

    news.asp?newsID=446%20%20and%20exists%20(select%20 *%20from%20sysobjects)%20--

    news.asp?newsID=446;declare%20@a%20int--

    What is the best way to stop this kind of attack? I have blocked the IP the hacker was using, but no doubt they will return with another IP at some stage.

    The proper URL would be

    news.asp?newsID=446

    or any number. How can I strip anything after the number? I thought of looking for the occurrence of the ; and % symbols with InStr, but there are probably lots of other things I would need to search for.

    Is there a way to just eliminate anything other than the number at the beginning, which could be anything from a single digit to 4 or 5 digits eventually?

#2 (Contributing User)
    Hi,
    I think you can try running code to remove certain words like "drop", ";", "alter", "create" etc., if you have to pull from a querystring.

#3 (Contributing User)
    Or on your next page you can do it like this:
    Code:
    Dim newsID
    ' CLng converts the querystring value to a Long; anything that is not
    ' a number raises a "Type mismatch" runtime error instead of reaching SQL
    newsID = CLng(Request("newsID"))
    If the user tries to pass in a string, the CLng function will generate an error.

    Hope it makes some sense.

#4 (Moderator)
    If expecting only a number in the querystring, I would just use the IsNumeric function, which returns a boolean value indicating whether the item is numeric or not. If it is, proceed; else do not proceed:

    Code:
    If IsNumeric(Request.Querystring("newsID")) Then
        'Proceed
    Else
        'Give error stating it's not a valid News ID or whatever
    End If

    Comments on this post: BLarche agrees (jmurrayhead)

#5 (Contributing User)
    Use the command object and parameters so your SQL isn't built dynamically.

    Code:
    ...
    Set objCommand = Server.CreateObject("ADODB.Command")
    Set objCommand.ActiveConnection = objConn   ' an already-open ADODB.Connection
    objCommand.CommandType = 1                  ' adCmdText

    strSQL = "SELECT * FROM table WHERE field = ? AND field2 = ?"
    objCommand.CommandText = strSQL

    ' The Parameters collection is empty until you Append to it, so create each
    ' parameter explicitly (adVarChar = 200, adParamInput = 1, size 255 as a placeholder)
    objCommand.Parameters.Append objCommand.CreateParameter("p1", 200, 1, 255, strYourParam)
    objCommand.Parameters.Append objCommand.CreateParameter("p2", 200, 1, 255, strYourParam2)

    Set objRS = objCommand.Execute
    ...
    Search for advanced_sql_injection.pdf and read NGS Software's white paper.

    Do a replace on single quotations (although, as the above white paper describes, this does not necessarily protect you).
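Putting the IsNumeric advice from #4 and the parameterised command from #5 together, here is what a hardened news.asp could look like. This is an added example, not code posted in the thread: it assumes an already-open ADODB.Connection named objConn and a table "news" with columns newsID, title and body, all of which are assumptions. It uses a digits-only pattern rather than IsNumeric, because IsNumeric also accepts values such as " 446", "1e3" and "&H1BE" that are not valid IDs, and it passes the value to SQL as an integer parameter so nothing appended after the number can ever become part of the statement.

```vbscript
<%
Option Explicit
' Added example, not from the thread. Assumed: objConn is an open
' ADODB.Connection; table "news" has integer column newsID plus title/body.

' Accept only 1 to 5 decimal digits. Unlike IsNumeric, this rejects
' "446;declare @a int--" and also " 446", "1e3", "&H1BE" and "-1".
Function IsValidNewsID(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,5}$"
    IsValidNewsID = re.Test(value)
End Function

Dim rawID, cmd, rs
rawID = Request.QueryString("newsID")

If Not IsValidNewsID(rawID) Then
    ' Same outcome the thread settles on: a "not found" page and no SQL executed.
    Response.Write "No such item found."
    Response.End
End If

' Parameterised query: the value travels as a typed parameter, never as text
' pasted into the statement, so the query shape cannot change.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objConn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "SELECT title, body FROM news WHERE newsID = ?"
' adInteger = 3, adParamInput = 1; size is not needed for an integer
cmd.Parameters.Append cmd.CreateParameter("newsID", 3, 1, , CLng(rawID))

Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "No such item found."
Else
    ' Encode on output so stored content cannot inject HTML into the page
    Response.Write "<h1>" & Server.HTMLEncode(rs("title")) & "</h1>"
    Response.Write "<p>" & Server.HTMLEncode(rs("body")) & "</p>"
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The validation step is what keeps the rest of the page working unchanged, as the original poster wanted: bad input never reaches the database and simply shows the "not found" message. The parameter is the actual defence; the pattern check is there so a garbage value produces a clean page rather than a CLng type-mismatch error, and the same IsValidNewsID function can be reused on any other page that takes an ID from the URL.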

#6 (Contributing User)
    Use JMH's post above. That is your quickest fix.

    Remember, when trying to stop SQL injection, always think about what values and value types are allowed for certain criteria. If you are expecting a number, check for IsNumeric(). Replace all single quotes with double quotes in your strings. These are the two simplest ways to stop SQL injection.

#7 (Moderator)
    Thanks all for the replies.

    I have implemented JMH's solution as an immediate fix and I will be looking into further options later on.

    Basically I have used JMH's suggestion and I define two SQL strings: the correct one if IsNumeric returns true, and a static SQL statement that I know will return no results if IsNumeric is false.

    That way it hasn't affected the way the rest of the page works, it just displays a message saying no such item found.

    Just need to find any other pages where they could try a similar attack.

    Thanks again for the help.

    Regards
    Ian
