Help SQL Injection Attack Question - newbie to web security

Ranginald

If you have a URL, say ../details.aspx?ID=
and the ID is generated from a master.aspx page, such as
.../details.aspx?ID=24
are you vulnerable to a SQL Injection attack?

And if so, can I "fix" the problem using a stored procedure to generate
the new URL?

Thanks in advance!
Rangy
 
Darrel

If you have a URL, say ../details.aspx?ID=
and the ID is generated from a master.aspx page, such as
../details.aspx?ID=24
are you vulnerable to a SQL Injection attack?

You are vulnerable if you pass user-submittable data via a plain text query.

So, if you are passing '24' as

"SELECT * FROM TABLE WHERE WHATEVER =" & request.querystring("id")

then, yes, you are open to an injection attack.
And if so, can I "fix" the problem using a stored procedure to generate
the new URL?

The fix is to use parameterized SQL or stored procedures and pass the
variable as a SQL parameter.

-Darrel
 
Ranginald

Thanks for the quick response.
What I am doing is as follows:

1. User clicks on image of a product on master page (image is
generated from database stored procedure), say product 5, passing the
value 5.

2. The URL generated is then ../details.aspx?prodID=5.

----My question is that can someone do this: http://xyz.com
.../details.aspx?prodID=5; INSERT AND EXECUTE EVIL SQL COMMANDS HERE

or is it safe as long as the QUERY string isn't in the URL.

----Otherwise, I'd have to generate a stored procedure that can take a
parameter, but can pass that parameter to a new page?

----BTW: this is the type of code I am using (please ignore any small
syntax errors, it's the concept I am concerned about)
<a href="detail.aspx?prodID=<%# DataBinder.Eval(Container.DataItem,
"prodID")%>">
[----- line break added for clarity -----]
<img src="<%# DataBinder.Eval(Container.DataItem,"prodID")%>"
border="0">
</a>

Thanks,
Rangy
 
Darrel

----My question is that can someone do this: http://xyz.com
../details.aspx?prodID=5; INSERT AND EXECUTE EVIL SQL COMMANDS HERE

or is it safe as long as the QUERY string isn't in the URL.

what matters is how you are grabbing the QS and how you are passing that
along to your query.

Again, if you pass it as part of a SQL text string, yeah, someone could add
the evil commands and you'd pass it along.

Again, the fix is to not do that. Instead use a Stored Procedure or
Parameterized SQL.
----Otherwise, I'd have to generate a stored procedure that can take a
parameter, but can pass that parameter to a new page?

You pass the parameter to SQL. Either via a Stored Procedure call or
parameterized SQL.
----BTW: this is the type of code I am using (please ignore any small
syntax errors, it's the concept I am concerned about)
<a href="detail.aspx?prodID=<%# DataBinder.Eval(Container.DataItem,
"prodID")%>">
[----- line break added for clarity -----]
<img src="<%# DataBinder.Eval(Container.DataItem,"prodID")%>"
border="0">

That doesn't tell us anything. What does your SQL code look like? What's the
function you are using to grab the SQL data?

What you are doing there is just looking for a data field with the name '5'.
I'm not sure if that's what you were intending.

-Darrel
 
Ranginald

Sorry for the confusion.

All I want to do is have a user select an image (generated from a
stored procedure from the database), grab the appropriate prodID
associated with that image, and then pass that prodID to the
details.aspx page, which will then pull the records associated with
that product (e.g. Description and Price as below)

Let's say for simplicity that its a database of one table, something
like this:

tblProducts
===========
prodID  ImageURL      Description  Price
1       ../prod1.jpg  product1     $25.00
2       ../prod2.jpg  product2     $30.00

etc.

A. So the image on the starting master.aspx page is from a stored
procedure and will generate the prodID associated with that image.
This part is ok (for now ;) )

B. The user clicks on the image. On my development box I have it
where the prodID value (e.g. 2) is passed from the image and formats
the details.aspx URL as ..http://..../details.aspx?prodID=2 and opens a
new window........

C. The details.aspx page takes the parameter from the URL, say "2" in
this example, and then executes a SQL Query: "SELECT prodID,
description, price FROM tblProducts WHERE prodID=2"

What I don't understand is how to use a SQL parameter with a stored
procedure to pass a value, (e.g prodID=2 or "2") to a new HTML page
that will know what to do with that parameter. I only know how to do
it as demonstrated in item "C" above.

How does the value you get returned from the stored procedure relate to
opening a new HTML page with that value as the basis for data
manipulation on the new page?

Thanks for your help and patience!
 
Darrel

All I want to do is have a user select an image (generated from a
stored procedure from the database), grab the appropriate prodID
associated with that image, and then pass that prodID to the
details.aspx page, which will then pull the records associated with
that product (e.g. Description and Price as below)

Understood. Ignore the whole 'selecting image' issue, though. All we need to
focus on is passing the QS value to your DB.
A. So the image on the starting master.aspx page is from a stored
procedure and will generate the prodID associated with that image.
This part is ok (for now ;) )
OK

B. The user clicks on the image. On my development box I have it
where the prodID value (e.g. 2) is passed from the image and formats
the details.aspx URL as ..http://..../details.aspx?prodID=2 and opens a
new window........
OK

C. The details.aspx page takes the parameter from the URL, say "2" in
this example, and then executes a SQL Query: "SELECT prodID,
description, price FROM tblProducts WHERE prodID=2"

How? You have '2' hardcoded there. How are you passing the QS to that?
What I don't understand is how to use a SQL parameter with a stored
procedure to pass a value, (e.g prodID=2 or "2") to a new HTML page
that will know what to do with that parameter. I only know how to do
it as demonstrated in item "C" above.

You pass the '2' via QS to your 'details' page. When that page loads, it
grabs the QS and then passes that to the database via a stored procedure
parameter.
How does the value you get returned from the stored procedure relate to
opening a new HTML page with that value as the basis for data
manipulation on the new page?

I'm confused. Here's how I'd outline the project:

imagelist.aspx
- queries DB
- lists all images
- creates a link for each image: details.aspx?imageID=X

detailslist.aspx
- onload, grabs the QS value (X)
- passes X to the DB via a stored procedure
- renders returned data to the screen.

-Darrel
 
Ranginald

Sorry. The prodID=2 was just an example. It's dynamic.

I have a DataRepeater/StoredProcedure that pulls records from another
table. The databinding is such that the image is displayed, but prodID
(e.g. 1,2,3,4,5, etc.) passes the parameter to details.aspx.

So I already have the situation where I am at details.aspx?imageID=X

What I don't know how to do is use this details.aspx?imageID=X with a
stored procedure:

< imagelist.aspx
< - queries DB
< - lists all images
< - creates a link for each image: details.aspx?imageID=X

ok so far.

<detailslist.aspx
< - onload, grabs the QS value (X)

How does it grab the QS value (X)? (e.g. how does imageslist.aspx
communicate with detaillist.aspx?)

I thought the whole point was not to use a detailslist.aspx?imageID=X
format because someone could add ...?imageID=X; EXECUTE MALICIOUS SQL
CODE HERE

< passes X to the DB via a stored procedure

So am I correct in understanding that the stored procedure then is
called only on the detailslist.aspx page?

< renders returned data to the screen.
And then just databind like you would for "any old" stored procedure?

My continued thanks.......
Rangy
 
Darrel

What I don't know how to do is use this details.aspx?imageID=X with a
stored procedure:
How does it grab the QS value (X)? (e.g. how does imageslist.aspx
communicate with detaillist.aspx?)

They don't communicate at all. All imagelist does is pass a variable via the
querystring. Just as you've done.

Then on detailslist.aspx, you grab it:

' read the querystring value and cast it to an Integer before it goes anywhere near SQL
Dim imageID As Integer
imageID = CType(Request.QueryString("imageID"), Integer)

then, later in your page when you are querying the DB, just pass 'imageID'
as a parameter.

When you pass it as a parameter, SQL will know NOT to execute any commands
in it. So even if a person did pass some nasty command in the QS, SQL won't
do anything but error out the query.
I thought the whole point was not to use a detailslist.aspx?imageID=X
format because someone could add ...?imageID=X; EXECUTE MALICIOUS SQL
CODE HERE

A querystring doesn't *do* anything. It just sits there.

The issue is you taking it and passing it to the db. You want to make sure
what you pass isn't read by the DB as a command...just a parameter.
< passes X to the DB via a stored procedure

So am I correct in understanding that the stored procedure then is
called only on the detailslist.aspx page?

I really don't know what you are doing from an application standpoint. I
just assumed one page had a list of images and if you click on it, you want
to go to another page and show details about a record in the DB.
< renders returned data to the screen.
And then just databind like you would for "any old" stored procedure?

Yep. Exactly.

-Darrel
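The two patterns Darrel contrasts above (the concatenated query in his first reply, and the cast-then-bind approach in the reply just above) side by side, as an added example that is not part of the thread. It is written in Python with sqlite3 rather than the VB.NET the thread uses, and the tblProducts rows are constructed sample data:

```python
import sqlite3

# Constructed sample rows mirroring the thread's tblProducts (not real data).
PRODUCTS = [
    (1, "../prod1.jpg", "product1", 25.00),
    (2, "../prod2.jpg", "product2", 30.00),
    (3, "../prod3.jpg", "product3", 12.50),
]


def make_db():
    """Build an in-memory tblProducts so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblProducts (prodID INTEGER, ImageURL TEXT, "
        "Description TEXT, Price REAL)"
    )
    conn.executemany("INSERT INTO tblProducts VALUES (?, ?, ?, ?)", PRODUCTS)
    return conn


def details_concat(conn, qs_value):
    """The pattern Darrel warns against: the querystring is glued into the
    SQL text, so whatever the client sent becomes part of the statement."""
    sql = "SELECT prodID, Description, Price FROM tblProducts WHERE prodID=" + qs_value
    return conn.execute(sql).fetchall()


def details_param(conn, qs_value):
    """The fix: cast the querystring to an integer first (the CType step),
    then hand it to the database as a bound parameter, never as SQL text."""
    try:
        prod_id = int(qs_value)
    except ValueError:
        return None  # the cast fails, as CType would; nothing reaches the DB
    sql = "SELECT prodID, Description, Price FROM tblProducts WHERE prodID=?"
    return conn.execute(sql, (prod_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal request behaves the same either way.
    print(details_concat(db, "2"), details_param(db, "2"))
    # A tampered querystring: concatenation returns every row,
    # the cast-and-bind version refuses the value before querying.
    print(details_concat(db, "2 OR 1=1"), details_param(db, "2 OR 1=1"))
```
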
 
Ranginald

One more thing...

I just want to make sure I have this correct:

1. A link on page master.aspx is clicked and a parameter, X, is
passed to the URL creating: www.abc123.com/details.aspx?whateverID=X.

2. The "receiving" page, details.aspx, then takes the value of X and
runs a stored procedure on this value, X, INSTEAD of running a SQL
query.

3. The benefit of this is that the stored procedure is designed to
accept X as, say, an integer from 1-100 only. So if someone did this:

www.abc123.com/details.aspx?whateverID=X; appended malicious code

then the stored procedure would fail because X would not be a valid
parameter being passed to the stored procedure.

E.g. So the ....aspx?whateverID=X is "safe" as long as there is a
validated parameter being passed to a stored procedure.

Thanks again!
 