SQL injection

MattB

I have a name lookup form that passes the contents of two text boxes to
a sql query. I've noticed that someone can substitute % for letters and
wildcard the query. I know I could just disallow that character, but is
there a commonly accepted way to stop all of these kinds of attacks?
I see asp.net automatically disallows characters like "<>" but not %.
What else should I be on the lookout for? Thanks!

Matt
 
Juan Antonio Tubío

Hello:

You need to use a 'RegularExpression' Validator Control and test for
the characters you want to disallow.

Best Regards,
Jatubio

MattB wrote:
Bruce Barker

sql injection is when you do not handle quotes. say you write the following

ds = db.ExecuteDataset("select * from people where name like '" + name +
"'");

then a clever user types into the name search field:

a'' delete people select ''a

this will nicely delete all your records.

-- bruce (sqlwork.com)
 
Guest

Use parameterized queries and / or stored procedures. Also, you may want to
change the queries to check for equality rather than using like statements.
In sql 'matt' like 'mat%' evaluates to true but 'matt' = 'mat%' doesn't.
 
MattB

Scott said:
Use parameterized queries and / or stored procedures. Also, you may want to
change the queries to check for equality rather than using like statements.
In sql 'matt' like 'mat%' evaluates to true but 'matt' = 'mat%' doesn't.

Thanks everyone. Unfortunately the queries get constructed in a separate
layer by a COM object and I'm just calling that object. As a solution,
I'm filtering out any input other than what is needed for that
particular field, which for the name example is the alphabet and the
single quote (which gets replaced with two single quotes to accommodate
names like O'Brien).

Matt
 
Brock Allen

Part of building a secure system is to know at what levels in your application
the user input data has been scrubbed. From then on in the application the
data can be assumed to be clean. You need to coordinate this with the devs
of the COM+ components.
 
Mark Rae

Thanks everyone. Unfortunately the queries get constructed in a separate
layer by a COM object and I'm just calling that object. As a solution, I'm
filtering out any input other than what is needed for that particular
field, which for the name example is the alphabet and the single quote
(which gets replaced with two single quotes to accommodate names like
O'Brien).

Careful - there are people who have "double-barreled" names e.g.
Smithers-Jones, so you'd need to allow the hyphen character too. If you do
this, MAKE ABSOLUTELY CERTAIN you disallow a repeated hyphen i.e. -- as this
is a classic SQL injection trick because it's the T-SQL line comment
identifier and will cause SQL to ignore anything which follows it.
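An added example (not code from anyone in this thread) showing the advice above in practice: the parameterized query Scott recommends, equality instead of LIKE so a typed '%' is plain data, and an escaped LIKE pattern for the cases where a prefix search is actually wanted. It uses Python with the sqlite3 module rather than ASP.NET, and the people table and its rows are constructed for the example; the same ? placeholders and ESCAPE clause work in SQL Server via SqlParameter.

```python
import sqlite3

# Constructed sample rows so the example runs offline (assumed table layout).
PEOPLE = ["O'Brien", "Smithers-Jones", "Matt", "Matthew", "Mattox"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    conn.executemany("INSERT INTO people VALUES (?)", [(n,) for n in PEOPLE])
    return conn


def lookup_vulnerable(conn, name):
    # The concatenation pattern from the thread: user text becomes SQL text,
    # so a '%' acts as a wildcard and a quote breaks (or rewrites) the query.
    sql = "SELECT name FROM people WHERE name LIKE '" + name + "' ORDER BY name"
    return [r[0] for r in conn.execute(sql)]


def lookup_exact(conn, name):
    # Parameterized equality: the value is bound as data, never parsed as SQL,
    # so quotes, hyphens, '--' and '%' are just characters in the name.
    rows = conn.execute(
        "SELECT name FROM people WHERE name = ? ORDER BY name", (name,))
    return [r[0] for r in rows]


def escape_like(value, esc="\\"):
    """Neutralize LIKE metacharacters so the pattern matches `value` literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def lookup_prefix(conn, prefix):
    # Deliberate prefix search: the code adds the single trailing '%';
    # any '%' or '_' typed by the user is escaped and matched literally.
    pattern = escape_like(prefix) + "%"
    rows = conn.execute(
        "SELECT name FROM people WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "%"))   # every row: the wildcard problem
    print(lookup_exact(db, "%"))        # [] : '%' is not a wildcard here
    print(lookup_exact(db, "O'Brien"))  # ["O'Brien"]
    print(lookup_prefix(db, "Matt"))    # ['Matt', 'Matthew', 'Mattox']
```

Note that the vulnerable version also fails outright on O'Brien (unterminated quote), which is the symptom that drives people to double the quotes by hand; binding the value removes the need.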
 
Peter Blum

FYI: I have built a commercial ASP.NET solution to address SQL Injection and
Cross-site-scripting attacks: Visual Input Security
(http://www.peterblum.com/vise/home.aspx). It gives you validators with
powerful algorithms that can detect SQL inside of English text so that you
can avoid removing characters that users should be allowed to type into your
textbox.

--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
 
