How do I prevent hackers from changing data in a field of SQL2000 database?

Discussion in 'Databases' started by steldingc, Feb 21, 2007.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. Recently hackers changed all of the SQL2000 data in a field. How can I prevent this? I requested information from aspdiscount.net and it was suggested that I contact this forum.

    Here is the problem which aspdiscount.net reported:

    "Your asp pages has application faults which allowed SQL injections to modify your SQL server database field. The field in question is.... in the '....'. That's where you will see the meta refresh information. Below is the log from your website which shows the hack. You will need to fix your ASP codes to prevent future hacks of this sort." - DiscountASP.NET

    Does anyone have a code using classic ASP which will prevent SQL injections?
     
  2. Here's an example of sql injection.

    Lets say you have a page that queries the database and takes a parameter like

    http://www.google.com/search?q=%s

    %s would be the variable on the querystring.

    your code looks like this...

    string query = Request.QueryString["s"];

    SqlCommand command = new SqlCommand("SELECT * FROM customers WHERE name = '" + query + "'");


    Seems simple enough, however if someone uses the follow query string...

    http://www.google.com/search?q=';DROP+TABLE+customers--

    your query will execute as such...

    SELECT * FROM customers WHERE name = '';DROP TABLE customers--'

    You've just now run 2 commands. 1 to query and 1 to drop the table.

    you can "escape" each parameter like this, by replacing ' with ''

    string query = Request.QueryString["s"].Replace("'", "''");

    There is no need to escape SqlParameters, so you should also check out this article on using SqlParameters http://www.sqlservercentral.com/columnists/rVasant/workingwithsqlparameterinnet.asp

    I have also created a simple Database Utility object that helps with sql commands (http://joel.net/software/databaseutility.aspx). I would also recommend using the SqlParameter with this class as well.


    hope this has been helpful.



    Joel Thoms
    DiscountASP.NET
    http://www.DiscountASP.NET
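The parameterized form of the lookup from the reply above, added here as an example (it is not Joel's code, nor DiscountASP.NET's); the connection string, table, column and column size are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

class CustomerLookup
{
    // Placeholder connection string: replace with your own server and database.
    const string ConnectionString = "Server=.;Database=Shop;Integrated Security=true;";

    // Returns the number of customers whose name equals 'name'.
    // The value is sent to SQL Server as a typed parameter, so quotes,
    // semicolons and "--" inside it are plain data: they cannot close the
    // string literal or append a second statement the way the concatenated
    // query in the reply does.
    static int CountCustomersByName(string name)
    {
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(
            "SELECT COUNT(*) FROM customers WHERE name = @name", connection))
        {
            // Assumed column size; use the real column's type and length.
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }

    static void Main()
    {
        // The same value that breaks the concatenated query on this thread
        // is matched literally as a name here and drops nothing.
        string hostile = "';DROP TABLE customers--";
        Console.WriteLine(CountCustomersByName(hostile));
    }
}
```

Classic ASP gets the same protection through ADODB.Command with CreateParameter instead of building the SQL string by hand.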
     