SQL attack via IIS?

Discussion in 'ASP General' started by Kevin Hill, Jan 5, 2004.

  1. Kevin Hill

    Kevin Hill Guest

    I am seeing log entries that have SQL statements embedded in the actual
    forms.
     
    Kevin Hill, Jan 5, 2004
    #1

  2. Manohar Kamath [MVP]

    It is an old hack... E.g.

    Let us say you have a "dynamic SQL" which goes something like

    formID = Request.Form("ID")
    sSQL = "SELECT * from myTable WHERE Id=" & formID

    conn.Execute(sSQL)

    Just imagine someone enters this: "5; DELETE FROM myTable"

    the final SQL will be

    SELECT * from myTable WHERE Id=5; DELETE FROM myTable

    which is a valid SQL statement. The user should still need to know the table
    names, but it is possible that the hacker might be able to delete system
    tables.

    To get around this, use stored procedures when possible, with parameters. At
    the least, validate the input. Hope that helps.

    --
    Manohar Kamath
    Editor, .netBooks
    www.dotnetbooks.com


    "Kevin Hill" <> wrote in message
    news:IFmKb.28029$i55.13481@fed1read06...
    > I am seeing log entries that have SQL statements embedded in the actual
    > forms.
    >
    >
     
    Manohar Kamath [MVP], Jan 6, 2004
    #2
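The reply above is written against classic ASP with ADO and SQL Server; the following is an added example (not code from the thread) that reproduces the same three points in Python with the standard sqlite3 module standing in for the database. The table, rows, function names and the `looks_like_injection` heuristic are all constructed for illustration. `executescript()` is used for the vulnerable path because, like `conn.Execute` against SQL Server, it runs a whole batch rather than a single statement, which is what lets the appended DELETE execute.

```python
import re
import sqlite3


# Constructed stand-in for the thread's "myTable" (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)",
                     [(1, "alpha"), (5, "echo"), (9, "india")])
    conn.commit()
    return conn


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM myTable").fetchone()[0]


def lookup_vulnerable(conn, form_id):
    """The thread's pattern: the form value is pasted into the SQL text.
    executescript() runs the whole batch, so an appended DELETE executes;
    ADO's conn.Execute against SQL Server behaves the same way."""
    sql = "SELECT * FROM myTable WHERE Id=" + form_id
    conn.executescript(sql)


def lookup_parameterized(conn, form_id):
    """Bound parameter: the value travels separately from the SQL text, so it
    can only ever be compared against Id, never parsed as SQL."""
    cur = conn.execute("SELECT Id, Name FROM myTable WHERE Id=?", (form_id,))
    return cur.fetchall()


ID_PATTERN = re.compile(r"^[0-9]{1,9}$")


def validate_id(form_id):
    """The 'at the least, validate the input' advice: an Id is a small
    positive integer, so reject anything else before it reaches the database."""
    if not ID_PATTERN.match(form_id):
        raise ValueError("form field ID is not a plain integer: %r" % form_id)
    return int(form_id)


# Constructed heuristic for the kind of log review the original poster is doing:
# a statement separator followed by a data-changing keyword never appears in a
# legitimate ID field. Tune the keyword list to your own schema.
SUSPICIOUS = re.compile(r";\s*(delete|drop|insert|update|exec|alter)\b",
                        re.IGNORECASE)


def looks_like_injection(form_value):
    return SUSPICIOUS.search(form_value) is not None


if __name__ == "__main__":
    payload = "5; DELETE FROM myTable"   # the value used in the thread
    db = make_db()
    print("rows before:", count_rows(db))
    print("parameterized lookup returns:", lookup_parameterized(db, payload))
    print("rows after parameterized lookup:", count_rows(db))
    try:
        validate_id(payload)
    except ValueError as e:
        print("validation rejected it:", e)
    print("flagged as suspicious:", looks_like_injection(payload))
    lookup_vulnerable(db, payload)
    print("rows after vulnerable lookup:", count_rows(db))
```

Run as a script, the parameterized lookup simply returns no rows and the table is untouched, validation rejects the value outright, and only the concatenating version actually empties the table. The two defences are complementary: parameters stop the value from being interpreted as SQL at all, validation keeps garbage out of the application before a query is ever built.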

  3. Mike D

    Mike D Guest


    >-----Original Message-----
    >It is an old hack... E.g.
    >
    >Let us say you have a "dynamic SQL" which goes something like
    >
    >formID = Request.Form("ID")
    >sSQL = "SELECT * from myTable WHERE Id=" & formID
    >
    >conn.Execute(sSQL)
    >
    >Just imagine someone enters this: "5; DELETE FROM myTable"
    >
    >the final SQL will be
    >
    >SELECT * from myTable WHERE Id=5; DELETE FROM myTable
    >
    >which is a valid SQL statement. The user should still need to know the table
    >names, but it is possible that the hacker might be able to delete system
    >tables.
    >
    >To get around this, use stored procedures when possible, with parameters. At
    >the least, validate the input. Hope that helps.
    >
    >--
    >Manohar Kamath
    >Editor, .netBooks
    >www.dotnetbooks.com
    >
    >
    >"Kevin Hill" <> wrote in message
    >news:IFmKb.28029$i55.13481@fed1read06...
    >> I am seeing log entries that have SQL statements embedded in the actual
    >> forms.
    >>
    >>
    >
    >
    >.
    >


    Check this link out
    http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

    Mike
     
    Mike D, Jan 6, 2004
    #3
