Need help with SQL injection proof recordset Update code

What are tags?

Hello Guest

• Login
• Register…
• Start blog

• Who, Where, When
• What can I do?
• What to Read?

• Polls
• Avatars
• Interests

• Cities and Countries
• Random blog
• Users search

• Search
• Games
• Tests
• QAIX

• Сообщества
• Talxy Chat
• Horoscope
• Online

Зарегистрируйся!

QAIX > ASP web-programming > Need help with SQL injection proof recordset Update code 30 July 2008 20:44:20

Recent blog posts:

Car web design, motorbike…
If you are looking for Car website design, Auto web design, bike web design, or anything similar our…

The Best Video Converter-a…
iOrgSoft Inc. has released the powerful Video Converter - iOrgSoft Video Converter 1.6.0, the latest…

Photo DVD Maker New Website…
AnvSoft Inc., the multimedia software developer, unveils a new website…

How to rip DVD movie, convert…
It is no doubt that PSP is an excellent game player. However, it is not playing games all the time; you…

World’s Most Unusual Christmas…
This Christmas, don’t go with that ho-hum, run-of-the-tree-farm tree your family always gets…

Facebook account cracker
facebook account cracker (50 GBP) Before you're told what this tool does, it's worth noting that…

BlackBerry Storm review…
As BlackBerry fans, you can’t miss the BlackBerry Storm. At Nov 6th, 2008, the word on the street is…

Review on Any DVD Cloner
Have you ever had a DVD Movie collection broken or lost? Have you ever wanted to backup movies but…

All recruitment agencys come…
What is RCCSS? RCCSS is a new unique peice of software which will scan millions of major sites and…

Problem when new cartridge(s)…
http://www.fdgtoner.com the munufacturer and supplier of toner cartridges and inkjet…

They have birthday today:

akram mellice

Daffy little vampire

все >>

Forums:

topic feeds

• QAIX all topics, blogs and comments

• PHP web-programming

• Perl web-programming

• ASP web-programming

• Visual Basic Programming

• .Net Development

• C/C++ Programming

• Java Programming

• Javascript web-programming

• Apache HTTP Server

• Web-design

• Web-hosting, dedicated, colocation

• HTML web-programming

• XML development

• General Web-programming

• Content Management Systems

• ColdFusion

• Search Engine Optimization

• Hardware

• Software, Computer Help

• MySQL database development

• PostgreSQL database development

• MS Access database development

• Oracle database development

• MS SQL database development

• Informix database development

• Buy / Sell

• Open discussion

• Anonymous

Discuss:

Converting number to percentage…
Hi Im Leo I want to convert a number to percentage, is there any built-in function for this? Thanks

RE: Jason Gilbert, CTO of…
I have been searching for an old friend with the same name and age - Jason Gilbert. I am upset that…

Problem with Stored Procedure
I have this in my stored procedure: @PageID INT, @VersionID INT UPDATE Pages SET…

ASP Access Recordset Paging
Hi all, I have access database file with 2 tables, the tables have the same columns but with different…

problem with javascript in asp…
Hi All, I have a neat little script that calculates price based on quantity without refreshing the…

Recent forum topics:

[JCA/JBoss] - getOutputStream()…
Hi Guru, My project was developed by using JDeveloper10g. I have deployed the EAR file to…

Problem with uploader
I'm trying to make a CGI script to upload files remotely onto my server, to get around my uni blocking…

what is the best / latest .CGI…
what is the best / latest .CGI to handle safe form parsing? Lou

neopets hacking
for all of ya'll who play neopet this is a great way to get rich quick okay see this link at the bottom…

Recent forum comments:

Moderators:

Administrator
Protorioris


Need help with SQL injection proof recordset Update code
EdG 30 July 2008 20:44:20
	Hi All, Our website (developed by a 3rd party) was recently hit by an Sql injection attack and I have been going through and hardening the code. It uses asp and talks to a sql server 2000 backend for a bunch of the page content. I have been switching over to using parameterized queries by creating Command Objects etc, and this has been straightforward for the most part, but I have a piece of code that uses a recordset Update command to take some form info and put it into the database. I am struggling to find a solution for this. The code is of the following form: Set cConn = getDatabaseConn() Set cRS = Server.CreateObject("ADODB.RecordSet") cRS.Open "PageContent",cConn,2,2 cRS.AddNew cRS("PageName") = request.form("itemName") cRS("Category") = request.form("category") cRS("Content") = Request.Form("pageBody") cRS.Update cRS.Close closeDatabaseConn(cConn) If this was a Sql statement like "Update Table Set Field = ?, where id =?", I would construct a parameterized query with a command object. Is there a way of doing this with a recordset update command? Thanks for any assistance.
		Add comment


Bob Barrows 16 July 2008 21:47:53 [ permanent link ]
	EdG wrote: Hi All, Our website (developed by a 3rd party) was recently hit by an Sql injection attack and I have been going through and hardening the code. It uses asp and talks to a sql server 2000 backend for a bunch of the page content. I have been switching over to using parameterized queries by creating Command Objects etc, and this has been straightforward for the most part, but I have a piece of code that uses a recordset Update command to take some form info and put it into the database. I am struggling to find a solution for this. The code is of the following form: Set cConn = getDatabaseConn() Set cRS = Server.CreateObject("ADODB.RecordSet") cRS.Open "PageContent",cConn,2,2 cRS.AddNew cRS("PageName") = request.form("itemName") cRS("Category") = request.form("category") cRS("Content") = Request.Form("pageBody") cRS.Update cRS.Close closeDatabaseConn(cConn) If this was a Sql statement like "Update Table Set Field = ?, where id =?", I would construct a parameterized query with a command object. Is there a way of doing this with a recordset update command? This parameterization should already be occurring behind the scenes. You can confirm by using SQL Profiler to run a trace, but I'm pretty sure that a recordset update will not be prone to sql injection. -- Microsoft MVP -- ASP/ASP.NET Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup.
		Add comment


EdG 16 July 2008 22:33:01 [ permanent link ]
	"Bob Barrows [MVP]" wrote: This parameterization should already be occurring behind the scenes. You can confirm by using SQL Profiler to run a trace, but I'm pretty sure that a recordset update will not be prone to sql injection. Thanks Bob! I didnt know that. It also explains why msscasi_asp.exe didnt flag this as a potential problem.
		Add comment


Daniel Crichton 17 July 2008 11:06:43 [ permanent link ]
	EdG wrote on Wed, 16 Jul 2008 09:40:18 -0700: Hi All, Our website (developed by a 3rd party) was recently hit by an Sql injection attack and I have been going through and hardening the code. It uses asp and talks to a sql server 2000 backend for a bunch of the page content. I have been switching over to using parameterized queries by creating Command Objects etc, and this has been straightforward for the most part, but I have a piece of code that uses a recordset Update command to take some form info and put it into the database. I am struggling to find a solution for this. The code is of the following form: Set cConn = getDatabaseConn() Set cRS = Server.CreateObject("ADODB.RecordSet") cRS.Open "PageContent",cConn,2,2 cRS.AddNew cRS("PageName") = request.form("itemName") cRS("Category") = request.form("category") cRS("Content") = Request.Form("pageBody") cRS.Update cRS.Close closeDatabaseConn(cConn) If this was a Sql statement like "Update Table Set Field = ?, where id =?", I would construct a parameterized query with a command object. Is there a way of doing this with a recordset update command? Thanks for any assistance. This is still bad as you're not validating the form values - while it's not SQL injection, you are vulnerable to Cross Site Scripting (XSS) if you later output those database fields to a browser without stripping out HTML tags; for instance, if the "pageBody" value contained an IFRAME or a SCRIPT tag that pulled malware from another site then by not checking it before it goes, or on the way out to the browser, you are leaving visitors at risk of being infected when visiting your pages. -- Dan
		Add comment


Sylvain Lafontaine 29 July 2008 22:03:02 [ permanent link ]
	As others have said, if you take a look with the SQL-Server Profiler, you will see that ADO use parameterized queries to execute these commands. Practically, the only way that you can be hurt by SQL injection attack is when you are dynamically building your one sql strings. For alphanumeric string values - that are to be enclosed between single quotes - all you have to do is to replace any enclosed single quote with two single quotes by using the replace command. Very easy to do. Of course, if you are using double quotes as the string delimiter then these are those that you must double using the replace command. The problem is with numeric values because they must not be enclosed between single quotes but the values taken from an ASP page might contain anything. The easiest way of dealing with this would be to simply parse (store) any numeric value from its string value into a variable before using it. Don't forget that values already stored in a table can still be effective in doing an injection attack; so you must always take these previous precautions when building any dynamic sql string even when dealing with values coming from a table. Finally, as another poster has suggested, you or your users might also be hit with cross scripting when dealing with HTML. The easiest way of dealing with this is to simply use the Server.HTMLencode () method with everything that you write to an HTML page. This way, whatever an hacker try to put in a page, it will always be simply displayed on the page by the browser and never get executed. -- Sylvain Lafontaine, ing. MVP - Technologies Virtual-PC E-mail: sylvain aei ca (fill the blanks, no spam please) "EdG" <EdG@discussions.microsoft.com> wrote in message news:3A4FAA01-CC02-4741-A1FA-28C1127DA47B@microsoft.com... Hi All, Our website (developed by a 3rd party) was recently hit by an Sql injection attack and I have been going through and hardening the code. It uses asp and talks to a sql server 2000 backend for a bunch of the page content. I have been switching over to using parameterized queries by creating Command Objects etc, and this has been straightforward for the most part, but I have a piece of code that uses a recordset Update command to take some form info and put it into the database. I am struggling to find a solution for this. The code is of the following form: Set cConn = getDatabaseConn() Set cRS = Server.CreateObject("ADODB.RecordSet") cRS.Open "PageContent",cConn,2,2 cRS.AddNew cRS("PageName") = request.form("itemName") cRS("Category") = request.form("category") cRS("Content") = Request.Form("pageBody") cRS.Update cRS.Close closeDatabaseConn(cConn) If this was a Sql statement like "Update Table Set Field = ?, where id =?", I would construct a parameterized query with a command object. Is there a way of doing this with a recordset update command? Thanks for any assistance.
		Add comment


Bob Barrows 30 July 2008 02:56:26 [ permanent link ]
	Sylvain Lafontaine wrote: As others have said, if you take a look with the SQL-Server Profiler, you will see that ADO use parameterized queries to execute these commands. Practically, the only way that you can be hurt by SQL injection attack is when you are dynamically building your one sql strings. For alphanumeric string values - that are to be enclosed between single quotes - all you have to do is to replace any enclosed single quote with two single quotes by using the replace command. Very easy to do. Of course, if you are using double quotes as the string delimiter then these are those that you must double using the replace command. This is not enough. There are several documented techniques for hackers to use to get around this simplistic strategy. SQL can be injected without a single quote character involved. In fact, the recent worm attack that hit so many websites in the last month used one of those techniques. If parameters are possible, forget attempting to excape strings: use parameters. If dynamic sql is necessary, validate data against a list of acceptable entries, rather than attempting to outthink the bad guys. -- Microsoft MVP - ASP/ASP.NET Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
		Add comment


Sylvain Lafontaine 30 July 2008 09:28:22 [ permanent link ]
	As far as know, the recent work attack used a standard method for injecting javascript into an HTML page via an IFrame and was easily defeated with the simple use of the Server.HTMLEncode method() and to my knowledge, there is no way that the simple method of doubling all possible single quotes inside an alphanumeric value can be circumvented by the hackers; with maybe the possibility of truncation if the buffer used for the replace command is too small. (In fact, the recent work attack is not an SQL-Injection per see; it's an HTML injection attack.). Of course, we must also not forget about the possibility of numerical string values that might contains something else than a simple number but as I said, by first parsing them into a numerical variable; we get clear of this possible loophole. However, I agree with you that parameters should always be used whenever possible and that in most case, taking the decision of simply dropping anything containing binary data, escape sequences and comment characters would be wise. Some people will parse these things out; in my opinion, dropping the whole thing would be even better. Here are two more reference for the OP: http://msdn.microsoft.com/en-us/library/ms161953.aspx http://msdn.microsoft.com/en-us/library/ms998271.aspx -- Sylvain Lafontaine, ing. MVP - Technologies Virtual-PC E-mail: sylvain aei ca (fill the blanks, no spam please) "Bob Barrows [MVP]" <reb01501@NOyahoo.SPAMcom> wrote in message news:uN$XO5c8IHA.5712@TK2MSFTNGP02.phx.gbl... Sylvain Lafontaine wrote: As others have said, if you take a look with the SQL-Server Profiler, you will see that ADO use parameterized queries to execute these commands. Practically, the only way that you can be hurt by SQL injection attack is when you are dynamically building your one sql strings. For alphanumeric string values - that are to be enclosed between single quotes - all you have to do is to replace any enclosed single quote with two single quotes by using the replace command. Very easy to do. Of course, if you are using double quotes as the string delimiter then these are those that you must double using the replace command. This is not enough. There are several documented techniques for hackers to use to get around this simplistic strategy. SQL can be injected without a single quote character involved. In fact, the recent worm attack that hit so many websites in the last month used one of those techniques. If parameters are possible, forget attempting to excape strings: use parameters. If dynamic sql is necessary, validate data against a list of acceptable entries, rather than attempting to outthink the bad guys. -- Microsoft MVP - ASP/ASP.NET Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
		Add comment


Evertjan. 30 July 2008 10:49:56 [ permanent link ]
	Bob Barrows [MVP] wrote on 30 jul 2008 in microsoft.public.inetserver.asp.db: Sylvain Lafontaine wrote: As others have said, if you take a look with the SQL-Server Profiler, you will see that ADO use parameterized queries to execute these commands. Practically, the only way that you can be hurt by SQL injection attack is when you are dynamically building your one sql strings. For alphanumeric string values - that are to be enclosed between single quotes - all you have to do is to replace any enclosed single quote with two single quotes by using the replace command. Very easy to do. Of course, if you are using double quotes as the string delimiter then these are those that you must double using the replace command. This is not enough. There are several documented techniques for hackers to use to get around this simplistic strategy. SQL can be injected without a single quote character involved. In fact, the recent worm attack that hit so many websites in the last month used one of those techniques. If parameters are possible, forget attempting to excape strings: use parameters. If dynamic sql is necessary, validate data against a list of acceptable entries, rather than attempting to outthink the bad guys. As first "line" of defence, let us all change the probably still common: sql = "... WHERE id = " & request.querystring("id") to sql = "... WHERE id = " & CInt(request.querystring("id")) or even better, since it will not show the sql in the errorline,if an errorline is still shown: temp = CInt(request.querystring("id")) sql = "... WHERE id = " & temp and search our ancient, be it still in use, pages for those instances. -- Evertjan. The Netherlands. (Please change the x'es to dots in my emailaddress)
		Add comment


Bob Barrows 30 July 2008 14:32:43 [ permanent link ]
	Sylvain Lafontaine wrote: As far as know, the recent work attack used a standard method for injecting javascript into an HTML page via an IFrame and was easily defeated with the simple use of the Server.HTMLEncode method() No, that was the second stage of the two-stage attack; in the first stage the bot used sql injection to declare and open a cursor to update every "string" field in the database, appending its js payload to the current contents: http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx -- Microsoft MVP - ASP/ASP.NET Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
		Add comment


Sylvain Lafontaine 30 July 2008 20:33:12 [ permanent link ]
	First, thanks for the info. Second, even in this case, the sql portion of this attack would have been easily defeated by using the replace method for the embedded single quotes. -- Sylvain Lafontaine, ing. MVP - Technologies Virtual-PC E-mail: sylvain aei ca (fill the blanks, no spam please) "Bob Barrows [MVP]" <reb01501@NOyahoo.SPAMcom> wrote in message news:%23ArDT%23i8IHA.4988@TK2MSFTNGP04.phx.gbl... Sylvain Lafontaine wrote: As far as know, the recent work attack used a standard method for injecting javascript into an HTML page via an IFrame and was easily defeated with the simple use of the Server.HTMLEncode method() No, that was the second stage of the two-stage attack; in the first stage the bot used sql injection to declare and open a cursor to update every "string" field in the database, appending its js payload to the current contents: http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx -- Microsoft MVP - ASP/ASP.NET Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
		Add comment


Daniel Crichton 30 July 2008 20:44:20 [ permanent link ]
	Notice that there are 2 versions - one that starts with a single quote, and one that does not. The latter form relied on using a numeric value that was being passed into a SQL string without validation. It was easily defeated by simply checking the value is a number before using it, or converting the querystring value to a number (eg using CInt or CLng) prior to using in dynamic SQL, but took advantage of a lot of programmers having put no validation checks into their code. While the replace with single quotes works for one version, it doesn't for the other. Dan Sylvain wrote on Wed, 30 Jul 2008 12:33:12 -0400: First, thanks for the info. Second, even in this case, the sql portion of this attack would have been easily defeated by using the replace method for the embedded single quotes. -- Sylvain Lafontaine, ing. MVP - Technologies Virtual-PC E-mail: sylvain aei ca (fill the blanks, no spam please) "Bob Barrows [MVP]" <reb01501@NOyahoo.SPAMcom> wrote in message news:%23ArDT%23i8IHA.4988@TK2MSFTNGP04.phx.gbl... Sylvain Lafontaine wrote: As far as know, the recent work attack used a standard method for injecting javascript into an HTML page via an IFrame and was easily defeated with the simple use of the Server.HTMLEncode method() No, that was the second stage of the two-stage attack; in the first stage the bot used sql injection to declare and open a cursor to update every "string" field in the database, appending its js payload to the current contents: http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql- injection-incident-part-2-meat.aspx -- Microsoft MVP - ASP/ASP.NET Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
		Add comment

QAIX > ASP web-programming > Need help with SQL injection proof recordset Update code 30 July 2008 20:44:20

	see also: AW: VB6 Problem I find some problem in MySQL (bugs) "USE" statement fails with server-side…		пройди тесты:		see also: Ckoro pjatnica 13.]:-) :-D I will always be alone... Hh, it is fast in school. I do not ...

Copyright © 2001—2008 QAIX
Idea: Miсhael Monashev
Помощь и задать вопросы можно в сообществе support.qaix.com.
Сообщения об ошибках оставляем в сообществе bugs.qaix.com.
Предложения и комментарии пишем в сообществе suggest.qaix.com.
Информация для родителей.
Write us at:

If you would like to report an abuse of our service, such as a spam message, please .




Get comments by e-mail Add to favourites

Пожалуйста, относитесь к собеседникам уважительно, не используйте нецензурные слова, не злоупотребляйте заглавными буквами, не публикуйте рекламу и объявления о купле/продаже, а также материалы нарушающие сетевой этикет или УК РФ.

Need help with SQL injection proof recordset Update code

Add new comment