Help SQL Injection Attack Question - newbie to web security

Discussion in 'ASP .Net' started by Ranginald, Apr 25, 2006.

  1. Ranginald

    Ranginald Guest

    If you have a URL, say ../details.aspx?ID=
    and the ID is generated from a master.aspx page, such as
    .../details.aspx?ID=24
    are you vulnerable to a SQL Injection attack?

    And if so, can I "fix" the problem using a stored procedure to generate
    the new URL?

    Thanks in advance!
    Rangy
    Ranginald, Apr 25, 2006
    #1

  2. Darrel

    Darrel Guest

    > If you have a URL, say ../details.aspx?ID=
    > and the ID is generated from a master.aspx page, such as
    > ../details.aspx?ID=24
    > are you vulnerable to a SQL Injection attack?


    You are vulnerable if you pass user-submittable data via a plain text query.

    So, if you are passing '24' as

    "SELECT * FROM TABLE WHERE WHATEVER =" & request.querystring("id")

    then, yes, you are open to an injection attack.

    > And if so, can I "fix" the problem using a stored procedure to generate
    > the new URL?


    The fix is to use parameterized SQL or stored procedures and pass the
    variable as a SQL parameter.

    -Darrel
    Darrel, Apr 25, 2006
    #2

  3. Read this "Best Practices" article and adapt the advice to your code.

    "How To: Protect From SQL Injection in ASP.NET" :
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000002.asp

    This article has good info, too :
    http://www.codeproject.com/cs/database/SqlInjectionAttacks.asp

    This one, too :
    http://www.dotnetspider.com/kb/Article1932.aspx

    Juan T. Llibre, asp.net MVP
    aspnetfaq.com : http://www.aspnetfaq.com/
    asp.net faq : http://asp.net.do/faq/
    foros de asp.net, en español : http://asp.net.do/foros/
    ===================================
    "Ranginald" <> wrote in message
    news:...
    > If you have a URL, say ../details.aspx?ID=
    > and the ID is generated from a master.aspx page, such as
    > ../details.aspx?ID=24
    > are you vulnerable to a SQL Injection attack?
    >
    > And if so, can I "fix" the problem using a stored procedure to generate
    > the new URL?
    >
    > Thanks in advance!
    > Rangy
    >
    Juan T. Llibre, Apr 25, 2006
    #3
  4. Ranginald

    Ranginald Guest

    Thanks for the quick response.
    What I am doing is as follows:

    1. User clicks on image of a product on master page (image is
    generated from database stored procedure), say product 5, passing the
    value 5.

    2. The URL generated is then ../details.aspx?prodID=5.

    ----My question is that can someone do this: http://xyz.com
    .../details.aspx?prodID=5; INSERT AND EXECUTE EVIL SQL COMMANDS HERE

    or is it safe as long as the QUERY string isn't in the URL.

    ----Otherwise, I'd have to generate a stored procedure that can take a
    parameter, but can pass that parameter to a new page?

    ----BTW: this is the type of code I am using (please ignore any small
    syntax errors, it's the concept I am concerned about)
    <a href="detail.aspx?prodID=<%# DataBinder.Eval(Container.DataItem,
    "prodID")%>">
    [----- line break added for clarity -----]
    <img src="<%# DataBinder.Eval(Container.DataItem,"prodID")%>"
    border="0">
    </a>

    Thanks,
    Rangy
    Ranginald, Apr 25, 2006
    #4
  5. Darrel

    Darrel Guest

    > ----My question is that can someone do this: http://xyz.com
    > ../details.aspx?prodID=5; INSERT AND EXECUTE EVIL SQL COMMANDS HERE
    >
    > or is it safe as long as the QUERY string isn't in the URL.


    what matters is how you are grabbing the QS and how you are passing that
    along to your query.

    Again, if you pass it as part of a SQL text string, yeah, someone could add
    the evil commands and you'd pass it along.

    Again, the fix is to not do that. Instead use a Stored Procedure or
    parameterized SQL.

    > ----Otherwise, I'd have to generate a stored procedure that can take a
    > parameter, but can pass that parameter to a new page?


    You pass the parameter to SQL. Either via a Stored Procedure call or
    parameterized SQL.

    > ----BTW: this is the type of code I am using (please ignore any small
    > syntax errors, it's the concept I am concerned about)
    > <a href="detail.aspx?prodID=<%# DataBinder.Eval(Container.DataItem,
    > "prodID")%>">
    > [----- line break added for clarity -----]
    > <img src="<%# DataBinder.Eval(Container.DataItem,"prodID")%>"
    > border="0">


    That doesn't tell us anything. What does your SQL code look like? What's the
    function you are using to grab the SQL data?

    What you are doing there is just looking for a data field with the name '5'.
    I'm not sure if that's what you were intending.

    -Darrel
    Darrel, Apr 25, 2006
    #5
  6. Ranginald

    Ranginald Guest

    Sorry for the confusion.

    All I want to do is have a user select an image (generated from a
    stored procedure from the database), grab the appropriate prodID
    associated with that image, and then pass that prodID to the
    details.aspx page, which will then pull the records associated with
    that product (e.g. Description and Price as below)

    Let's say for simplicity that its a database of one table, something
    like this:

    tblProducts
    ===========
    prodID   ImageURL       Description   Price
    1        ../prod1.jpg   product1      $25.00
    2        ../prod2.jpg   product2      $30.00

    etc.

    A. So the image on the starting master.aspx page is from a stored
    procedure and will generate the prodID associated with that image.
    This part is ok (for now ;) )

    B. The user clicks on the image. On my development box I have it
    where the prodID value (e.g. 2) is passed from the image and formats
    the details.aspx URL as ..http://..../details.aspx?prodID=2 and opens a
    new window........

    C. The details.aspx page takes the parameter from the URL, say "2" in
    this example, and then executes a SQL Query: "SELECT prodID,
    description, price FROM tblProducts WHERE prodID=2"

    What I don't understand is how to use a SQL parameter with a stored
    procedure to pass a value, (e.g prodID=2 or "2") to a new HTML page
    that will know what to do with that parameter. I only know how to do
    it as demonstrated in item "C" above.

    How does the value you get returned from the stored procedure relate to
    opening a new HTML page with that value as the basis for data
    manipulation on the new page?

    Thanks for your help and patience!
    Ranginald, Apr 25, 2006
    #6
  7. Darrel

    Darrel Guest

    > All I want to do is have a user select an image (generated from a
    > stored procedure from the database), grab the appropriate prodID
    > associated with that image, and then pass that prodID to the
    > details.aspx page, which will then pull the records associated with
    > that product (e.g. Description and Price as below)


    Understood. Ignore the whole 'selecting image' issue, though. All we need to
    focus on is passing the QS value to your DB.

    > A. So the image on the starting master.aspx page is from a stored
    > procedure and will generate the prodID associated with that image.
    > This part is ok (for now ;) )


    OK

    > B. The user clicks on the image. On my development box I have it
    > where the prodID value (e.g. 2) is passed from the image and formats
    > the details.aspx URL as ..http://..../details.aspx?prodID=2 and opens a
    > new window........


    OK

    > C. The details.aspx page takes the parameter from the URL, say "2" in
    > this example, and then executes a SQL Query: "SELECT prodID,
    > description, price FROM tblProducts WHERE prodID=2"


    How? You have '2' hardcoded there. How are you passing the QS to that?

    > What I don't understand is how to use a SQL parameter with a stored
    > procedure to pass a value, (e.g prodID=2 or "2") to a new HTML page
    > that will know what to do with that parameter. I only know how to do
    > it as demonstrated in item "C" above.


    You pass the '2' via QS to your 'details' page. When that page loads, it
    grabs the QS and then passes that to the database via a stored procedure
    parameter.

    > How does the value you get returned from the stored procedure relate to
    > opening a new HTML page with that value as the basis for data
    > manipulation on the new page?


    I'm confused. Here's how I'd outline the project:

    imagelist.aspx
    - queries DB
    - lists all images
    - creates a link for each image: details.aspx?imageID=X

    detailslist.aspx
    - onload, grabs the QS value (X)
    - passes X to the DB via a stored procedure
    - renders returned data to the screen.

    -Darrel
    Darrel, Apr 25, 2006
    #7
  8. Ranginald

    Ranginald Guest

    Sorry. The prodID=2 was just an example. It's dynamic.

    I have a DataRepeater/StoredProcedure that pulls records from another
    table. The databinding is such that the image is displayed, but prodID
    (e.g. 1,2,3,4,5, etc.) passes the parameter to details.aspx.

    So I already have the situation where I am at details.aspx?imageID=X

    What I don't know how to do is use this details.aspx?imageID=X with a
    stored procedure:

    < imagelist.aspx
    < - queries DB
    < - lists all images
    < - creates a link for each image: details.aspx?imageID=X

    ok so far.

    <detailslist.aspx
    < - onload, grabs the QS value (X)

    How does it grab the QS value (X)? (e.g. how does imagelist.aspx
    communicate with detailslist.aspx?)

    I thought the whole point was not to use a detailslist.aspx?imageID=X
    format because someone could add ...?imageID=X; EXECUTE MALICIOUS SQL
    CODE HERE

    < passes X to the DB via a stored procedure

    So am I correct in understanding that the stored procedure then is
    called only on the detailslist.aspx page?

    < renders returned data to the screen.
    And then just databind like you would for "any old" stored procedure?

    My continued thanks.......
    Rangy
    Ranginald, Apr 25, 2006
    #8
  9. Darrel

    Darrel Guest

    > What I don't know how to do is use this details.aspx?imageID=X with a
    > stored procedure:


    > How does it grab the QS value (X)? (e.g. how does imagelist.aspx
    > communicate with detailslist.aspx?)


    They don't communicate at all. All imagelist does is pass a variable via the
    querystring. Just as you've done.

    Then on detailslist.aspx, you grab it:

    ' CType throws an InvalidCastException if the query string is not a
    ' number, so a tampered value stops here instead of reaching the DB.
    Dim imageID As Integer
    imageID = CType(Request.QueryString("imageID"), Integer)

    then, later in your page when you are querying the DB, just pass 'imageID'
    as a parameter.

    When you pass it as a parameter, SQL will know NOT to execute any commands
    in it. So even if a person did pass some nasty command in the QS, SQL won't
    do anything but error out the query.

    > I thought the whole point was not to use a detailslist.aspx?imageID=X
    > format because someone could add ...?imageID=X; EXECUTE MALICIOUS SQL
    > CODE HERE


    A querystring doesn't *do* anything. It just sits there.

    The issue is you taking it and passing it to the db. You want to make sure
    what you pass isn't read by the DB as a command...just a parameter.

    > < passes X to the DB via a stored procedure
    >
    > So am I correct in understanding that the stored procedure then is
    > called only on the detailslist.aspx page?


    I really don't know what you are doing from an application standpoint. I
    just assumed one page had a list of images and if you click on it, you want
    to go to another page and show details about a record in the DB.

    > < renders returned data to the screen.
    > And then just databind like you would for "any old" stored procedure?


    Yep. Exactly.

    -Darrel
    Darrel, Apr 25, 2006
    #9
  10. Ranginald

    Ranginald Guest

    Thanks a million! Now I get it!

    -Rangy
    Ranginald, Apr 25, 2006
    #10
  11. Ranginald

    Ranginald Guest

    One more thing...

    I just want to make sure I have this correct:

    1. A link on page master.aspx is clicked and a parameter, X, is
    passed to the URL creating: www.abc123.com/details.aspx?whateverID=X.

    2. The "receiving" page, details.aspx, then takes the value of X and
    runs a stored procedure on this value, X, INSTEAD of running a SQL
    query.

    3. The benefit of this is that the stored procedure is designed to
    accept X as, say, an integer from 1-100 only. So if someone did this:

    www.abc123.com/details.aspx?whateverID=X; appended malicious code

    then the stored procedure would fail because X would not be a valid
    parameter being passed to the stored procedure.

    E.g. So the ....aspx?whateverID=X is "safe" as long as there is a
    validated parameter being passed to a stored procedure.

    Thanks again!
    Ranginald, Apr 27, 2006
    #11
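Below is an added example, written for this page and not code from the thread, that puts Darrel's advice in post #9 and Rangy's summary in post #11 into a details.aspx code-behind. It shows the vulnerable concatenation from post #2 next to the parameterized statement and the stored-procedure call, plus the integer check on the query string. Everything outside the thread is an assumption: a connection string named "Products" in web.config, a stored procedure usp_GetProduct taking a single @prodID INT, and a Repeater control named rptDetails. One point worth stating plainly: the protection comes from the value travelling to SQL Server as a typed parameter rather than as part of the statement text; the "1-100 only" range check in post #11 is a separate input-validation step, useful but not what stops injection.

```vbnet
' Added example, not code from the thread. Code-behind for details.aspx.
' Assumptions (none are in the thread): a SQL Server connection string named
' "Products" in web.config, the tblProducts table from post #6, a stored
' procedure usp_GetProduct(@prodID INT), and a Repeater named rptDetails.
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Partial Class details
    Inherits System.Web.UI.Page

    ' VULNERABLE (the pattern Darrel warns about in post #2): the raw
    ' query-string text becomes part of the SQL statement, so
    '   ?prodID=2;DROP TABLE tblProducts--
    ' reaches the server as two statements. Kept here only for contrast.
    Private Function LoadProductUnsafe(ByVal rawId As String) As DataTable
        Dim sql As String = "SELECT prodID, Description, Price FROM tblProducts WHERE prodID=" & rawId
        Dim dt As New DataTable()
        Using conn As New SqlConnection(ConnectionString())
            Using da As New SqlDataAdapter(sql, conn)
                da.Fill(dt)
            End Using
        End Using
        Return dt
    End Function

    ' SAFE: prodID is already an Integer and is bound as a typed parameter.
    ' The statement text is fixed; whatever the user sent can only ever be
    ' compared against prodID, never parsed as SQL.
    Private Function LoadProduct(ByVal prodID As Integer) As DataTable
        Dim dt As New DataTable()
        Using conn As New SqlConnection(ConnectionString())
            Using cmd As New SqlCommand("SELECT prodID, Description, Price FROM tblProducts WHERE prodID = @prodID", conn)
                cmd.Parameters.Add("@prodID", SqlDbType.Int).Value = prodID
                Using da As New SqlDataAdapter(cmd)
                    da.Fill(dt)
                End Using
            End Using
        End Using
        Return dt
    End Function

    ' Same protection through a stored procedure (assumed name usp_GetProduct).
    ' The procedure is not safer than the parameterized statement above; it is
    ' safe for the same reason: the value is a parameter, not statement text.
    Private Function LoadProductViaProc(ByVal prodID As Integer) As DataTable
        Dim dt As New DataTable()
        Using conn As New SqlConnection(ConnectionString())
            Using cmd As New SqlCommand("usp_GetProduct", conn)
                cmd.CommandType = CommandType.StoredProcedure
                cmd.Parameters.Add("@prodID", SqlDbType.Int).Value = prodID
                Using da As New SqlDataAdapter(cmd)
                    da.Fill(dt)
                End Using
            End Using
        End Using
        Return dt
    End Function

    Private Function ConnectionString() As String
        ' Assumed web.config entry; not part of the thread.
        Return ConfigurationManager.ConnectionStrings("Products").ConnectionString
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        Dim prodID As Integer
        ' Input validation: anything that is not a positive integer is rejected
        ' here and never reaches the database. "2;DROP TABLE tblProducts--"
        ' fails TryParse, so the request ends with a 400.
        If Not Integer.TryParse(Request.QueryString("prodID"), prodID) OrElse prodID < 1 Then
            Response.StatusCode = 400
            Response.End()
        End If

        rptDetails.DataSource = LoadProduct(prodID)
        rptDetails.DataBind()
    End Sub
End Class
```

Two caveats a practitioner should keep in mind. First, the stored-procedure route is only as safe as the procedure body: a procedure that builds a string from @prodID and runs it with EXEC reintroduces the same injection inside the database. Second, the TryParse check means Darrel's "SQL will error out the query" never actually has to happen for an integer ID; the bad value is refused in the page. Parameter binding still matters for the cases where the value is legitimately a string (a search term, a name), where no parse step can separate data from SQL for you.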
