Help SQL Injection Attack Question - newbie to web security

Ranginald
      04-24-2006
If you have a URL, say ../details.aspx?ID=
and the ID is generated from a master.aspx page, such as
.../details.aspx?ID=24
are you vulnerable to a SQL Injection attack?

And if so, can I "fix" the problem using a stored procedure to generate
the new URL?

Thanks in advance!
Rangy

Darrel
      04-24-2006
> If you have a URL, say ../details.aspx?ID=
> and the ID is generated from a master.aspx page, such as
> ../details.aspx?ID=24
> are you vulnerable to a SQL Injection attack?


You are vulnerable if you pass user-submittable data via a plain text query.

So, if you are passing '24' as

"SELECT * FROM TABLE WHERE WHATEVER =" & request.querystring("id")

then, yes, you are open to an injection attack.

> And if so, can I "fix" the problem using a stored procedure to generate
> the new URL?


The fix is to use parameterized SQL or stored procedures and pass the
variable as a SQL parameter.

-Darrel

Juan T. Llibre
      04-24-2006
Read this "Best Practices" article and adapt the advice to your code.

"How To: Protect From SQL Injection in ASP.NET" :
http://msdn.microsoft.com/library/de...aght000002.asp

This article has good info, too :
http://www.codeproject.com/cs/databa...ionAttacks.asp

This one, too :
http://www.dotnetspider.com/kb/Article1932.aspx





Juan T. Llibre, asp.net MVP
aspnetfaq.com : http://www.aspnetfaq.com/
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
Ranginald
      04-25-2006
Thanks for the quick response.
What I am doing is as follows:

1. User clicks on image of a product on master page (image is
generated from database stored procedure), say product 5, passing the
value 5.

2. The URL generated is then ../details.aspx?prodID=5.

----My question is that can someone do this: http://xyz.com
.../details.aspx?prodID=5; INSERT AND EXECUTE EVIL SQL COMMANDS HERE

or is it safe as long as the QUERY string isn't in the URL?

----Otherwise, I'd have to generate a stored procedure that can take a
parameter, but can pass that parameter to a new page?

----BTW: this is the type of code I am using (please ignore any small
syntax errors, it's the concept I am concerned about)
<a href="detail.aspx?prodID=<%# DataBinder.Eval(Container.DataItem,
"prodID")%>">
[----- line break added for clarity -----]
<img src="<%# DataBinder.Eval(Container.DataItem,"prodID")%>"
border="0">
</a>

Thanks,
Rangy

Darrel
      04-25-2006
> ----My question is that can someone do this: http://xyz.com
> ../details.aspx?prodID=5; INSERT AND EXECUTE EVIL SQL COMMANDS HERE
>
> or is it safe as long as the QUERY string isn't in the URL.


what matters is how you are grabbing the QS and how you are passing that
along to your query.

Again, if you pass it as part of a SQL text string, yes, someone could add
the evil commands and you'd pass it along.

Again, the fix is to not do that. Instead use a Stored Procedure or
parameterized SQL.

> ----Otherwise, I'd have to generate a stored procedure that can take a
> parameter, but can pass that parameter to a new page?


You pass the parameter to SQL. Either via a Stored Procedure call or
parameterized SQL.

> ----BTW: this is the type of code I am using (please ignore any small
> syntax errors, it's the concept I am concerned about)
> <a href="detail.aspx?prodID=<%# DataBinder.Eval(Container.DataItem,
> "prodID")%>">
> [----- line break added for clarity -----]
> <img src="<%# DataBinder.Eval(Container.DataItem,"prodID")%>"
> border="0">


That doesn't tell us anything. What does your SQL code look like? What's the
function you are using to grab the SQL data?

What you are doing there is just looking for a data field with the name '5'.
I'm not sure if that's what you were intending.

-Darrel

Ranginald
      04-25-2006
Sorry for the confusion.

All I want to do is have a user select an image (generated from a
stored procedure from the database), grab the appropriate prodID
associated with that image, and then pass that prodID to the
details.aspx page, which will then pull the records associated with
that product (e.g. Description and Price as below)

Let's say for simplicity that its a database of one table, something
like this:

tblProducts
===========
prodID  ImageURL      Description  Price
1       ../prod1.jpg  product1     $25.00
2       ../prod2.jpg  product2     $30.00

etc.

A. So the image on the starting master.aspx page is from a stored
procedure and will generate the prodID associated with that image.
This part is ok (for now).

B. The user clicks on the image. On my development box I have it
where the prodID value (e.g. 2) is passed from the image and formats
the details.aspx URL as http://..../details.aspx?prodID=2 and opens a
new window.

C. The details.aspx page takes the parameter from the URL, say "2" in
this example, and then executes a SQL Query: "SELECT prodID,
description, price FROM tblProducts WHERE prodID=2"

What I don't understand is how to use a SQL parameter with a stored
procedure to pass a value (e.g. prodID=2 or "2") to a new HTML page
that will know what to do with that parameter. I only know how to do
it as demonstrated in item "C" above.

How does the value you get returned from the stored procedure relate to
opening a new HTML page with that value as the basis for data
manipulation on the new page?

Thanks for your help and patience!

Darrel
      04-25-2006
> All I want to do is have a user select an image (generated from a
> stored procedure from the database), grab the appropriate prodID
> associated with that image, and then pass that prodID to the
> details.aspx page, which will then pull the records associated with
> that product (e.g. Description and Price as below)


Understood. Ignore the whole 'selecting image' issue, though. All we need to
focus on is passing the QS value to your DB.

> A. So the image on the starting master.aspx page is from a stored
> procedure and will generate the prodID associated with that image.
> This part is ok (for now )


OK

> B. The user clicks on the image. On my development box I have it
> where the prodID value (e.g. 2) is passed from the image and formats
> the details.aspx URL as ..http://..../details.aspx?prodID=2 and opens a
> new window........


OK

> C. The details.aspx page takes the parameter from the URL, say "2" in
> this example, and then executes a SQL Query: "SELECT prodID,
> descirption, price FROM tblProducts WHERE prodID=2"


How? You have '2' hardcoded there. How are you passing the QS to that?

> What I don't understand is how to use a SQL parameter with a stored
> procedure to pass a value, (e.g prodID=2 or "2") to a new HTML page
> that will know what to do with that parameter. I only know how to do
> it as demonstrated in item "C" above.


You pass the '2' via QS to your 'details' page. When that page loads, it
grabs the QS and then passes that to the database via a stored procedure
parameter.

> How does the value you get returned from the stored procedure relate to
> opening a new HTML page with that value as the basis for data
> maniupulation on the new page?


I'm confused. Here's how I'd outline the project:

imagelist.aspx
- queries DB
- lists all images
- creates a link for each image: details.aspx?imageID=X

detailslist.aspx
- onload, grabs the QS value (X)
- passes X to the DB via a stored procedure
- renders returned data to the screen.

-Darrel

Ranginald
      04-25-2006
Sorry. The prodID=2 was just an example. It's dynamic.

I have a DataRepeater/StoredProcedure that pulls records from another
table. The databinding is such that the image is displayed, but prodID
(e.g. 1,2,3,4,5, etc.) passes the parameter to details.aspx.

So I already have the situation where I am at details.aspx?imageID=X

What I don't know how to do is use this details.aspx?imageID=X with a
stored procedure:

> imagelist.aspx
> - queries DB
> - lists all images
> - creates a link for each image: details.aspx?imageID=X

ok so far.

> detailslist.aspx
> - onload, grabs the QS value (X)

How does it grab the QS value (X)? (e.g. how does imagelist.aspx
communicate with detailslist.aspx?)

I thought the whole point was not to use a detailslist.aspx?imageID=X
format because someone could add ...?imageID=X; EXECUTE MALICIOUS SQL
CODE HERE

> - passes X to the DB via a stored procedure

So am I correct in understanding that the stored procedure then is
called only on the detailslist.aspx page?

> - renders returned data to the screen.
And then just databind like you would for "any old" stored procedure?

My continued thanks.......
Rangy

Darrel
      04-25-2006
> What I don't know how to do is use this details.aspx?imageID=X with a
> stored procedure:


> How does it grab the QS value (x)? (e.g how does imageslist.aspx
> communicate with detaillist.aspx?


They don't communicate at all. All imagelist does is pass a variable via the
querystring. Just as you've done.

Then on detailslist.aspx, you grab it:

Dim imageID As Integer
' CType throws if the querystring value is not a whole number
imageID = CType(Request.QueryString("imageID"), Integer)

then, later in your page when you are querying the DB, just pass 'imageID'
as a parameter.

When you pass it as a parameter, SQL will know NOT to execute any commands
in it. So even if a person did pass some nasty command in the QS, SQL won't
do anything but error out the query.

> I thought the whole point was not to use a detailslist.aspx?imageID=X
> format because someone could add ...?imageID=X; EXECUTE MALICIOUS SQL
> CODE HERE


A querystring doesn't *do* anything. It just sits there.

The issue is you taking it and passing it to the db. You want to make sure
what you pass isn't read by the DB as a command...just a parameter.

> < passes X to the DB via a stored procedure
>
> So am I correct in understanding that the stored procedure then is
> called only on the detailslist.aspx page?


I really don't know what you are doing from an application standpoint. I
just assumed one page had a list of images and if you click on it, you want
to go to another page and show details about a record in the DB.

> < renders returned data to the screen.
> And then just databind like you would for "any old" stored procedure?


Yep. Exactly.

-Darrel
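
The two patterns the thread contrasts, side by side, as an added example that is not code from the original posts: the string concatenation Darrel quotes in his first reply ("SELECT * FROM TABLE WHERE WHATEVER =" & request.querystring("id")) beside the integer cast plus SQL parameter he describes in his last reply. It is Python on sqlite3 standing in for the ASP.NET/ADO.NET code under discussion; the table, column names and sample rows are constructed from Ranginald's tblProducts sketch, and every function name is this example's own. Because sqlite3 refuses stacked statements, the payload used is the boolean "2 OR 1=1" rather than the "; EXECUTE ..." form from the thread; the mechanism is identical.

```python
"""Query string -> SQL: the vulnerable pattern from the thread beside the fix.

Added example, not code from the original thread. Python/sqlite3 stands in
for the ASP.NET code discussed above; table and rows are constructed from
the tblProducts sketch; function names are this example's own.
"""
import sqlite3

# Constructed sample data matching the tblProducts sketch in the thread.
ROWS = [
    (1, "../prod1.jpg", "product1", 25.00),
    (2, "../prod2.jpg", "product2", 30.00),
    (3, "../prod3.jpg", "product3", 12.50),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the database behind details.aspx."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tblProducts ("
        "prodID INTEGER PRIMARY KEY, ImageURL TEXT, Description TEXT, Price REAL)"
    )
    con.executemany("INSERT INTO tblProducts VALUES (?, ?, ?, ?)", ROWS)
    return con


def details_vulnerable(con, qs_prod_id: str):
    """The pattern Darrel warns about: the raw query-string value is pasted
    into the SQL text, so whatever the client sends becomes part of the
    statement. Kept vulnerable on purpose for comparison."""
    sql = "SELECT prodID, Description, Price FROM tblProducts WHERE prodID = " + qs_prod_id
    return con.execute(sql).fetchall()


def details_bound_only(con, qs_prod_id: str):
    """Binding alone, no cast: the raw string is sent as a parameter value,
    so the database compares it as data instead of parsing it as SQL."""
    sql = "SELECT prodID, Description, Price FROM tblProducts WHERE prodID = ?"
    return con.execute(sql, (qs_prod_id,)).fetchall()


def parse_prod_id(qs_prod_id: str) -> int:
    """Mirror of ctype(request.querystring("imageID"), integer): reject
    anything that is not an integer before it gets near the database."""
    return int(qs_prod_id.strip())


def details_parameterized(con, qs_prod_id: str):
    """The fix: cast first, then bind the value as a parameter."""
    prod_id = parse_prod_id(qs_prod_id)
    sql = "SELECT prodID, Description, Price FROM tblProducts WHERE prodID = ?"
    return con.execute(sql, (prod_id,)).fetchall()


def demo():
    """Run both code paths with an honest id and an injected one."""
    con = make_db()
    honest = "2"
    # What "?prodID=2 OR 1=1" looks like after URL decoding; prodID is numeric,
    # so no quote character is needed to break out of the WHERE clause.
    evil = "2 OR 1=1"

    vuln_honest = details_vulnerable(con, honest)      # one row
    vuln_evil = details_vulnerable(con, evil)          # every row leaks
    safe_honest = details_parameterized(con, honest)   # one row
    try:
        details_parameterized(con, evil)
        safe_evil = "reached the database"
    except ValueError:
        safe_evil = "rejected before the query"
    return vuln_honest, vuln_evil, safe_honest, safe_evil


if __name__ == "__main__":
    for label, result in zip(("vuln/2", "vuln/evil", "safe/2", "safe/evil"), demo()):
        print(label, result)
```

Two points worth noticing when running it: the concatenated version returns every product for the injected value, while the bound version returns nothing for the same string because the database compares it as a value; and the integer cast stops the bad input one step earlier still, which is why doing both (cast, then bind) is the usual recommendation.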

Ranginald
      04-25-2006
Thanks a million! Now I get it!

-Rangy