views: 67

answers: 3
I can already see that I'm not going to enjoy the experience, but I have to do some SQL cleanup on this 1000-file ASP Classic web app without any prior knowledge of ASP, and before I get to hacking away at it I'd like to be aware of any major gotchas to watch out for while coding in ASP Classic / SQL parameter preparing / making ASP whitespace modifications. What are some good quick overview resources, and what should I watch out for?

Links to web resources welcomed.

+3  A: 

Make sure you are not using string concatenation to add parameter values to a SQL query. Learn how to use ADO Command and Parameter objects. Always use placeholders in the SQL query string, and add Parameter objects to your Command to provide the value for the placeholders.

Joshua Flanagan
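What the answer above describes, as an added example that is not code from the answer or from the questioner's application: the concatenated query kept only as a comment beside the ADO Command/Parameter version. The Users table, its columns and the CONN_STR connection string are assumptions for the example; the ADO enum constants are spelled out because plain VBScript pages do not include adovbs.inc by default.

```vbscript
<%
Option Explicit
' Added example. Table Users(Name, Email) and CONN_STR are hypothetical.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=AppDb;Integrated Security=SSPI;"
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STR

' BEFORE (the '" & Request... & "' pattern): a single quote in the input
' closes the string literal, so the rest of the input is parsed as SQL.
' Set rs = conn.Execute("SELECT Name, Email FROM Users WHERE Name = '" & _
'                       Request.QueryString("name") & "'")

' AFTER: a ? placeholder in the statement and a Parameter object carrying the
' value. The value travels separately from the statement text, so the driver
' never parses it as SQL, whatever characters it contains.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn          ' Set is required; otherwise ADO opens a second connection
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Name, Email FROM Users WHERE Name = ?"
' CStr copies the value out of the Request collection object before it is bound.
cmd.Parameters.Append cmd.CreateParameter("@name", adVarChar, adParamInput, 100, _
                                          CStr(Request.QueryString("name")))
Set rs = cmd.Execute

Do Until rs.EOF
    ' Encode on output as well; parameterization protects the database, not the HTML.
    Response.Write Server.HTMLEncode(rs("Name") & "") & " " & _
                   Server.HTMLEncode(rs("Email") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The same Command/Parameter shape applies unchanged to INSERT, UPDATE and DELETE statements; only the CommandText and the parameter list differ.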
+1  A: 

Agreed... Parameterized querying via placeholders and, e.g., SqlDb.Command.Parameters.Add() would be a big help... Don't just rely on selects; you can also have injection with inserts and deletes too.

DRapp
+1  A: 
  1. I would create a function that encapsulates all or most of data access. In previous projects, I have created a GetRecordset function that takes a SQL statement and returns a Recordset instance. In the function, I open the database, execute the query, close the database and return the recordset. This ensures that connections get closed.

  2. I would create a function for cleaning parameters to a SQL statement or, even better, use parameterized queries. In code where I did not want to rewrite queries and thus was using concatenation, the function I would use required a vbVarType parameter so that I can verify that the value passed is of the type indicated and to ensure that dates are put in the format that is not specific to the culture of the server.

  3. I would search for instances of a single quote followed by a double quote. Here you are looking for Select ... Where StringOrDateCol = '" & Request.QueryString("GodKnowsWhat") & ...

Even with all of that, you will not catch everything. For example, you would not catch Select ... Where NumericCol = " & Request.QueryString("GodKnowsWhat"). The final search might be to search on Select, Update, Insert and Delete and inspect each SQL statement to ensure it uses the function you created in #2 above.

Thomas
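Points 1 and 2 of the answer above, written out as one added example (not code from the answer or from the application being cleaned up): a GetRecordset wrapper that owns the connection lifetime and binds ? placeholders from an array, plus a SqlLiteral helper for the concatenation sites that cannot be rewritten yet, which checks the caller's expected vbVarType and renders dates in a culture-independent format. CONN_STR, the Orders table and the GetRecordset/SqlLiteral names are assumptions for the example.

```vbscript
<%
Option Explicit
' Added example. CONN_STR and the Orders table are hypothetical.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=AppDb;Integrated Security=SSPI;"
Const adCmdText = 1, adParamInput = 1
Const adInteger = 3, adDBTimeStamp = 135, adVarWChar = 202
Const adUseClient = 3, adOpenStatic = 3, adLockReadOnly = 1

' Runs sql (with ? placeholders) bound to the values in paramValues (a Variant array),
' opens and closes the connection itself, and returns a disconnected recordset.
' The ADO type is chosen from VarType, so callers must pass CLng/CDate-converted
' values; a malformed request value fails in the conversion, not inside the query.
Function GetRecordset(sql, paramValues)
    Dim conn, cmd, rs, i, v
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    For i = 0 To UBound(paramValues)
        v = paramValues(i)
        Select Case VarType(v)
            Case vbInteger, vbLong
                cmd.Parameters.Append cmd.CreateParameter("p" & i, adInteger, adParamInput, , v)
            Case vbDate
                cmd.Parameters.Append cmd.CreateParameter("p" & i, adDBTimeStamp, adParamInput, , v)
            Case vbString
                cmd.Parameters.Append cmd.CreateParameter("p" & i, adVarWChar, adParamInput, Len(v) + 1, v)
            Case Else
                Err.Raise vbObjectError + 1, "GetRecordset", "Unsupported type for parameter " & i
        End Select
    Next
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.CursorLocation = adUseClient           ' client cursor so the data survives closing the connection
    rs.Open cmd, , adOpenStatic, adLockReadOnly
    Set rs.ActiveConnection = Nothing         ' disconnect the recordset ...
    conn.Close                                ' ... so the connection is always returned to the pool
    Set GetRecordset = rs
End Function

' For legacy "... = " & value concatenation: verify the type the caller expects and
' emit a literal that cannot end the quoted value. Numbers come back as bare digits,
' dates as 'yyyy-mm-dd' regardless of the server's regional settings, strings with
' single quotes doubled. Anything that fails the type check raises instead of being
' pasted into the statement.
Function SqlLiteral(value, expectedVbType)
    Dim d
    Select Case expectedVbType
        Case vbInteger, vbLong
            If Not IsNumeric(value) Then Err.Raise vbObjectError + 2, "SqlLiteral", "Expected a number"
            SqlLiteral = CStr(CLng(value))
        Case vbDate
            If Not IsDate(value) Then Err.Raise vbObjectError + 3, "SqlLiteral", "Expected a date"
            d = CDate(value)
            SqlLiteral = "'" & Year(d) & "-" & Right("0" & Month(d), 2) & "-" & Right("0" & Day(d), 2) & "'"
        Case vbString
            SqlLiteral = "'" & Replace(CStr(value), "'", "''") & "'"
        Case Else
            Err.Raise vbObjectError + 4, "SqlLiteral", "Unsupported expected type"
    End Select
End Function

' Usage, rewritten site: conversions happen before the query is built.
Dim rs
Set rs = GetRecordset("SELECT OrderId, Total FROM Orders WHERE CustomerId = ? AND Placed >= ?", _
                      Array(CLng(Request.QueryString("cust")), CDate(Request.QueryString("since"))))
Do Until rs.EOF
    Response.Write rs("OrderId") & ": " & rs("Total") & "<br>"
    rs.MoveNext
Loop
rs.Close

' Usage, legacy site kept as concatenation but routed through the typed helper:
' conn.Execute "DELETE FROM Orders WHERE CustomerId = " & SqlLiteral(Request.QueryString("cust"), vbLong)
%>
```

SqlLiteral is the fallback for the "NumericCol = " & Request..." sites the answer says a quote-search will miss; the audit pass over Select/Update/Insert/Delete is then a check that every statement goes through either GetRecordset with an Array of converted values or SqlLiteral with an explicit expected type, and that no raw Request value reaches a statement string.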