Query string variables security risk

  • Thread starter Thirsty Traveler

Thirsty Traveler

I have a question regarding the use of query string variables. I understand
this can be a security risk subject to "brute force" attacks. Is this true
and, if so, what is the proper way to handle it? Should they never be used?
 
David Hogue

Thirsty said:
I have a question regarding the use of query string variables. I understand
this can be a security risk subject to "brute force" attacks. Is this true
and, if so, what is the proper way to handle it? Should they never be used?

I don't think query string is necessarily a security risk on its own.
Form fields are going to be vulnerable to the same kind of brute forcing
as the query string.

One thing that makes the query string a little less secure is that
browsers will store it in their history. Don't use the query string for
usernames and passwords.

The query string isn't a good place to store variables. If you can
store data in the session or viewstate that would be a much better location.

And, in general, never trust anything from the browser.

-David
 
KBuser

Thirsty said:
I have a question regarding the use of query string variables. I understand
this can be a security risk subject to "brute force" attacks. Is this true
and, if so, what is the proper way to handle it? Should they never be used?

Just use stored procedures instead of in-line SQL statements, and
you'll probably be alright. Like the guy above me said, just don't use
query strings for sensitive data.
 
Thirsty Traveler

We use stored procedures extensively. I am being told that any query string
variables have the potential to break a site and cause server errors.
 
KBuser

Again, it depends on what data your query strings represent, but if you
look around at various websites, amazon for instance, there are many
different sites which use query strings.

As far as breaking a site goes, if the use of a query string causes
your site to go down for any period of time, you've probably done
something horribly wrong.

What are you going to be using these strings for?
 
Joerg Jooss

Thus wrote KBuser,
Just use stored procedures instead of in-line SQL statements, and
you'll probably be alright.
[...]

That has nothing to do with Stored Procedures.

You need to make sure that you're not constructing SQL statements by simple
string concatenation, but use parameters instead when using Dynamic SQL.

Cheers,
 
KBuser

Right, I mentioned using stored procedures for the simple reason of
parameters. While I'm aware you can use params without stored_procs, if
my understanding is correct, SPs are less vulnerable to injection
attacks, and other such security risks.

Joerg said:
Thus wrote KBuser,
Just use stored procedures instead of in-line SQL statements, and
you'll probably be alright.
[...]

That has nothing to do with Stored Procedures.

You need to make sure that you're not constructing SQL statements by simple
string concatenation, but use parameters instead when using Dynamic SQL.

Cheers,
 
Chris Fulstow

You can't really trust any data that comes from an external source, and
that includes data submitted on the querystring or posted in a form.
Both are easy to spoof. It's fine to use the querystring, but make
sure you check and validate the data before using it, and make sure
unexpected values won't break your application, or worse, cause a
security problem.

A common example of the problem with this is the SQL injection attack.
For example, consider:

string sql = "SELECT * FROM people WHERE name='" + Request.QueryString["name"] + "'";

What if the value of your name parameter is "; DELETE from people;"?
Then the user has just deleted all the data from your people table.

HTH,

Chris
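An added example, not from anyone in this thread, that runs Chris's concatenation pattern and Joerg's parameterised fix side by side against a constructed in-memory SQLite table (Python and sqlite3 stand in for the thread's C#/ADO.NET; the table, names and the exact payload string are assumptions). It shows the two failure modes the thread discusses: an ordinary name containing an apostrophe produces a server error, and the post's injected DELETE empties the table, while the bound-parameter version treats both inputs as plain data.

```python
import sqlite3

# Constructed sample data (not from the original thread): a small "people" table.
def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    conn.executemany("INSERT INTO people VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    conn.commit()
    return conn

def people_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM people").fetchone()[0]

def lookup_concat(conn: sqlite3.Connection, name: str) -> str:
    """The concatenation pattern from the post. executescript() runs stacked
    statements the way a batch-capable database server would, so an injected
    second statement executes. Returns the SQL text that was actually sent."""
    sql = "SELECT name FROM people WHERE name='" + name + "'"
    conn.executescript(sql)  # a stray apostrophe raises OperationalError
    return sql

def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """The fix: bind the value as a parameter, so it is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM people WHERE name = ?", (name,))
    return [r[0] for r in rows.fetchall()]

# Constructed form of the post's payload: the leading quote closes the string
# literal, the trailing comment swallows the quote the code appends.
INJECTION = "'; DELETE FROM people; --"

def demo() -> dict:
    results = {}
    db = fresh_db()
    try:  # an ordinary name with an apostrophe is enough for a server error
        lookup_concat(db, "O'Brien")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "server error"
    lookup_concat(db, INJECTION)  # the injected DELETE empties the table
    results["rows_after_concat"] = people_count(db)

    db = fresh_db()
    results["param_apostrophe"] = lookup_param(db, "O'Brien")
    results["param_injection"] = lookup_param(db, INJECTION)  # simply no match
    results["rows_after_param"] = people_count(db)
    return results
```

Calling demo() reports "server error" and zero remaining rows for the concatenated query, and a clean match for O'Brien with all three rows intact for the parameterised one.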
 
