Velocity Reviews - ASP General - SQL attack via IIS?
(http://www.velocityreviews.com/forums/t792460-sql-attack-via-iis.html)

Kevin Hill 01-05-2004 11:44 PM

SQL attack via IIS?
 
I am seeing log entries that have SQL statements embedded in the actual
forms.



Manohar Kamath [MVP] 01-06-2004 03:44 AM

Re: SQL attack via IIS?
 
It is an old hack... E.g.

Let us say you have a "dynamic SQL" which goes something like

' Raw value taken straight from the posted form
formID = Request.Form("ID")
' The value is concatenated into the SQL text, so it becomes part of the statement
sSQL = "SELECT * from myTable WHERE Id=" & formID

conn.Execute(sSQL)

Just imagine someone enters this: "5; DELETE FROM myTable"

the final SQL will be

SELECT * from myTable WHERE Id=5; DELETE FROM myTable

which is a valid SQL statement. The user should still need to know the table
names, but it is possible that the hacker might be able to delete system
tables.

To get around this, use stored procedures when possible, with parameters. At
the least, validate the input. Hope that helps.

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com


"Kevin Hill" <nospam@nospam.com> wrote in message
news:IFmKb.28029$i55.13481@fed1read06...
> I am seeing log entries that have SQL statements embedded in the actual
> forms.
>
>
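
The concatenation and the stacked DELETE described in the reply above, run end to end against a throwaway database, with the two fixes the reply names (bind parameters, and at minimum validate the input) beside it. This is an added example, not code from the original post: it uses Python and sqlite3 to stand in for classic ASP and SQL Server, and sqlite3's executescript() stands in for ADO's conn.Execute, which sends the whole batch to the server (sqlite3's plain execute() would refuse the second statement). Table rows, function names and the MALICIOUS_ID constant are constructed for the example.

```python
import re
import sqlite3

# Constructed sample input: the form value from the reply above.
MALICIOUS_ID = "5; DELETE FROM myTable"


def fresh_db():
    """Build a throwaway in-memory database with a few rows in myTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (Id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO myTable (Id, name) VALUES (?, ?)",
        [(1, "alpha"), (5, "bravo"), (9, "charlie")],
    )
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM myTable").fetchone()[0]


def vulnerable_lookup(conn, form_id):
    """The post's pattern: sSQL = "SELECT * from myTable WHERE Id=" & formID.

    The value is pasted into the statement text. executescript() is used
    because, like ADO's conn.Execute against SQL Server, it runs every
    statement in the batch. Returns the SQL text that was actually sent.
    """
    sql = "SELECT * from myTable WHERE Id=" + form_id
    conn.executescript(sql)
    return sql


def parameterized_lookup(conn, form_id):
    """Bind the value as a parameter.

    The driver sends the SQL text and the value separately, so the string
    "5; DELETE FROM myTable" is only ever compared against Id; it is never
    parsed as SQL. Returns the matching rows.
    """
    cur = conn.execute("SELECT Id, name FROM myTable WHERE Id = ?", (form_id,))
    return cur.fetchall()


def is_valid_id(form_id):
    """The post's fallback, input validation: accept only a plain decimal integer."""
    return re.fullmatch(r"[0-9]{1,9}", form_id.strip()) is not None


def validated_id(form_id):
    if not is_valid_id(form_id):
        raise ValueError("ID must be a decimal integer")
    return int(form_id.strip())


def safe_lookup(conn, form_id):
    """Validate first, then bind: both of the reply's recommendations together."""
    return parameterized_lookup(conn, validated_id(form_id))


if __name__ == "__main__":
    conn = fresh_db()
    print("rows before:", row_count(conn))
    print("sent to the server:", vulnerable_lookup(conn, MALICIOUS_ID))
    print("rows after vulnerable lookup:", row_count(conn))

    conn = fresh_db()
    print("parameterized result:", parameterized_lookup(conn, MALICIOUS_ID))
    print("rows after parameterized lookup:", row_count(conn))
    print("validation accepts malicious value?", is_valid_id(MALICIOUS_ID))
    print("safe_lookup('5'):", safe_lookup(conn, "5"))
```

In classic ASP the equivalent of the bound query is an ADODB.Command whose CommandText uses a `?` placeholder, with the value supplied through Parameters.Append and CreateParameter (typed as adInteger for an Id column) instead of string concatenation; a stored procedure called through the same Command object with parameters gives the same separation of code and data.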




Mike D 01-06-2004 01:28 PM

Re: SQL attack via IIS?
 

>-----Original Message-----
>It is an old hack... E.g.
>
>Let us say you have a "dynamic SQL" which goes something like
>
>formID = Request.Form("ID")
>sSQL = "SELECT * from myTable WHERE Id=" & formID
>
>conn.Execute(sSQL)
>
>Just imagine someone enters this: "5; DELETE FROM myTable"
>
>the final SQL will be
>
>SELECT * from myTable WHERE Id=5; DELETE FROM myTable
>
>which is a valid SQL statement. The user should still need to know the table
>names, but it is possible that the hacker might be able to delete system
>tables.
>
>To get around this, use stored procedures when possible, with parameters. At
>the least, validate the input. Hope that helps.
>
>--
>Manohar Kamath
>Editor, .netBooks
>www.dotnetbooks.com
>
>"Kevin Hill" <nospam@nospam.com> wrote in message
>news:IFmKb.28029$i55.13481@fed1read06...
>> I am seeing log entries that have SQL statements embedded in the actual
>> forms.
>


Check this link out
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

Mike

