SQL attack via IIS?

Kevin Hill

I am seeing log entries that have SQL statements embedded in the actual
forms.
 
Manohar Kamath [MVP]

It is an old hack... E.g.

Let us say you have a "dynamic SQL" which goes something like

formID = Request.Form("ID")
sSQL = "SELECT * from myTable WHERE Id=" & formID

conn.Execute(sSQL)

Just imagine someone enters this: "5; DELETE FROM myTable"

the final SQL will be

SELECT * from myTable WHERE Id=5; DELETE FROM myTable

which is a valid SQL statement. The user should still need to know the table
names, but it is possible that the hacker might be able to delete system
tables.

To get around this, use stored procedures when possible, with parameters. At
the least, validate the input. Hope that helps.
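A runnable illustration of the point above, added here and not part of the thread. It stands in Python's sqlite3 for ADO and uses executescript() to mimic a connection that runs the whole batch, as conn.Execute does against SQL Server; the table and the input value are the ones from the post.

```python
import sqlite3

PAYLOAD = "5; DELETE FROM myTable"   # the input value from the thread


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the thread's myTable with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE myTable (Id INTEGER PRIMARY KEY, Name TEXT);"
        "INSERT INTO myTable VALUES (5, 'alice'), (6, 'bob');"
    )
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM myTable").fetchone()[0]


def lookup_dynamic(conn: sqlite3.Connection, form_id: str) -> None:
    """The pattern from the thread: Request.Form("ID") glued onto the SQL.
    executescript() runs every statement in the string, which is what a
    batch-capable driver does, so the smuggled DELETE runs as well.
    Result rows are not returned; the side effect is the point."""
    sSQL = "SELECT * FROM myTable WHERE Id=" + form_id
    conn.executescript(sSQL)


def lookup_parameterized(conn: sqlite3.Connection, form_id: str) -> list:
    """Hardened form: the value is bound as a parameter and never parsed
    as SQL. The whole string is compared against Id as data, so the
    payload matches nothing and the table is untouched."""
    return conn.execute("SELECT * FROM myTable WHERE Id=?", (form_id,)).fetchall()


def validate_id(form_id: str) -> int:
    """The 'at least validate the input' fallback: Id must parse as an
    integer; anything else, including the payload, raises ValueError."""
    return int(form_id)


if __name__ == "__main__":
    db = make_db()
    lookup_dynamic(db, PAYLOAD)
    print("rows after dynamic SQL:", row_count(db))            # 0, table wiped
    db = make_db()
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # []
    print("rows after parameterized:", row_count(db))           # 2
```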
 
Mike D


Check this link out
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

Mike
 
