tags:

views:

736

answers:

5
+5  Q: 

Classic ASP SQL Injection

I recently inherited a classic asp website with a ton of inline SQL insert statements that are vulnerable to SQL injection attacks.

These insert statements are executed via the ADO command object.

Will setting the ADO Command Object's Prepared property to true ensure that the query is parameterized before execution, thus mitigating the risk of SQL injection?

+5  A: 

No, if you build a SQL string with values that you get directly from "outside", then a "prepared statement" will not help you.

a 

sSQL = "SELECT * from mytable where mycolumn = '" + querystring("value") + "'"

is still asking for trouble. The only way to solve this is by using parameters in your query.

Hans Kesting  2009-10-06 07:40:48
+5  A: 

This Link should prove useful.

Classic ASP SQL Injection Protection

kevchadders  2009-10-06 08:11:04
A: 

what i would suggest you do is write a function to sanitize the user input then run all the request variables through that. when i wrote mine i did stuff like escape single quotes, remove ; and other special characters and make sure that you couldn't -- (comment) out the end of the statement. most sql injection would try something like ' or 1=1 or a=' so sql code would be 

SELECT * from mytable where mycolumn = '' or 1=1 or a=''

so escaping single quotes is the real big one you need to worry about

Carter Cole  2009-10-23 16:16:00
A lot of people fall into that trap. Creating functions makes the code less readable, and is not future proof. I have no way of tracking sdown all the classic ASP sites I built years ago, let alone updating a function they may or may not be using. ADO Parameters or paramterised stored procedures are the way to go.
MikeB  2009-10-24 09:28:48
i agree parameters are best practice but if your trying to clean up a bunch of code real fast then wrapping all the user inputs in a function is easier
Carter Cole  2009-10-26 04:23:13
I don't think it takes that long to add a bunch of `oCmd.Parameters.Append oCmd.CreateParameter(...)` statements to your code, and honestly in situations like this I think you are better off focusing on quality rather than speed, particularly if you don't have time to do the work twice.
Dave DuPlantis  2009-10-30 16:01:26
A: 

You can also look at an asp classic open source project called 'Owasp stinger'. That not only helps with Sql injection, but header injection and lots of other security issues common to all web apps.

http://www.owasp.org/index.php/Classic%5FASP%5FSecurity%5FProject

 2009-11-17 20:05:30
A: 

Here's another good link and example.

http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

In the past we just created a couple functions to handle any outside input for SQL injections and XSS. Then slowly we converted all the inline SQL to stored procedures.

Jason Too Cool Webs  2010-01-14 16:56:02

related questions

Is there a way to clear a user's brower of my page, or say not to use cache?
Displaying the current authenticated Sharepoint user from an asp.net Page Viewer Web Part
Tools for converting from ASP to ASP.NET?
XML based website - how to create?
IIS ASP Caching
"Expires" in http header for static content? how-to
Asp XML Parsing
Checking if another web server is listening from asp
Membership bulk email software
Customizing Search Results Display in Sharepoint Services 3.0 Wiki
What to put in a session variable
Looking for ways to automate web site testing
python cgi on IIS
asp consuming a web service, what do do with recordset object ?
Asp.net path compaction
How to compress JPEG images with ASP on Windows CE
Best practices for refactoring classic ASP?
What's the best way to manage a classic asp front-end using Visual Studio 2008?
IIS 6/COM+ hangs
Printers not available unless shared.
Calling REST web services from a classic asp page
Creating iCal Files in c#
Best references for secure coding practices in ASP.NET and classic ASP.
LinqDataSource - Can you limit the amount of records returned?
ASP, need to use SFTP