I need to check all of my asp code to prevent SQL injection.

Should I check the session object, too?

How might a session be hijacked?

Thank you!!

+3  A: 

To avoid SQL injection, use parameterized queries instead of building the SQL queries by concatenating strings. Session hijacking is a completely different topic. It can be made more difficult by changing the session cookie with each request, and avoided completely by using HTTPS. A related (and bigger) problem is cross-site request forgery (look it up).

Michael Borgwardt
+3  A: 

A session can be hijacked. If I remember correctly, Classic ASP only supports cookie-based session identifiers. If someone were able to steal that cookie (wire-tap), then they can gain the same session as the legitimate user.

Should you check the Session object too? That depends. If you can make sure that all the objects stored in the session are "safe" (input has been sanitized), then you can skip the Session object. If somewhere in your application you get data from an unsafe source and put it in the Session object, then you must check it as well.

Salamander2007
+1  A: 

Well, you only really need to secure user inputs. So the question you have to ask yourself is: "Did this data come from user input?" If so, you must use SQL parameters.

On a bigger scale, and considering that you have individual methods & classes to perform the data access, you should use SQL parameters for every text parameter you provide to your SQL. In this scenario SQL parameters are not really necessary for numbers, because if you receive a number as a method parameter there is no way it could contain an SQL injection.

However, when in doubt, use SQL parameters.

Sergio
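The parameterized query the first and third answers recommend, written out for Classic ASP as an added example (not code from the question or any answer): the string-concatenated form beside the ADODB.Command form with typed parameters, for both a text and a numeric value. The open connection `conn` and the table `Users(UserName, UserId)` are assumptions.

```vbscript
<%
' Added example, not from the original thread. Assumes an open ADODB.Connection
' in "conn" and a table Users(UserName, UserId); both are hypothetical.
Option Explicit

' ADO constants, so no adovbs.inc include is needed
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const adInteger = 3

' Unsafe: the request value becomes part of the SQL text itself, so any
' quote or comment marker in it changes the statement the database parses.
Function FindUserUnsafe(conn, userName)
    Dim sql
    sql = "SELECT UserId FROM Users WHERE UserName = '" & userName & "'"
    Set FindUserUnsafe = conn.Execute(sql)
End Function

' Safe: the SQL text is fixed; the value travels as a typed parameter and
' is never parsed as SQL, so quotes in it are just data.
Function FindUserSafe(conn, userName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT UserId FROM Users WHERE UserName = ?"
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, adParamInput, 50, userName)
    Set FindUserSafe = cmd.Execute
End Function

' Same pattern for a numeric value from the query string: still a parameter,
' converted with CLng first so a non-numeric value fails here, not in SQL.
Function FindUserById(conn, idText)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT UserName FROM Users WHERE UserId = ?"
    cmd.Parameters.Append cmd.CreateParameter("@UserId", adInteger, adParamInput, 4, CLng(idText))
    Set FindUserById = cmd.Execute
End Function

' Usage: anything from Request (or from Session, if it originated in a
' request, as the other answers note) goes through the parameterized forms.
Dim rs
Set rs = FindUserSafe(conn, Request.Form("username"))
%>
```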
+1  A: 

Session variables are stored in memory on the server. Only a cookie ID is stored on the client. There is no need to worry about variables in the session UNLESS they come from the client. Many times it can be easier to check all variables passed to the database for SQL injection, though.

Espen