Database Results Wizard Error - Security Question


Background:

I am using Frontpage 2003 and have a form that collects user inputs to query our SQL database. Everything was working fine and then all of a sudden I kept getting the following message "Database Results Wizard Error The operation failed. If this continues, please contact your server administrator" without changing anything. I found the solution after searching the web.

Evidently, there is a problem with FrontPage 2003 files FPDBRGN1.ini FPDBRGN2.ini AND FPDBLIB.ini and the solution was to get the same files from FrontPage 2000. Microsoft, are you listening??????

It worked, but this has raised a question about security. Am I opening myself up to any security issues (someone has mentioned sql injection attack risk) by using the Frontpage 2000 files????
 
To the best of my understanding, yes.

The ASP version of the DRW has become increasingly
troublesome when asked to do INSERT, UPDATE, and DELETE
operations. You'll probably have greater success using the
ASP.NET version, or writing your own ASP code.

Writing your own ASP code for inserting records isn't
difficult. Try the advice at:

Saving Form Data in a Database
http://www.interlacken.com/winnt/tips/tipshow.aspx?tip=44

Jim Buyens
Microsoft FrontPage MVP
http://www.interlacken.com
Author of:
*----------------------------------------------------
|\---------------------------------------------------
|| Microsoft Office FrontPage 2003 Inside Out
||---------------------------------------------------
|| Web Database Development Step by Step .NET Edition
|| Microsoft FrontPage Version 2002 Inside Out
|| Faster Smarter Beginning Programming
|| (All from Microsoft Press)
|/---------------------------------------------------
*----------------------------------------------------


-----Original Message-----
Background:

I am using Frontpage 2003 and have a form that collects
user inputs to query our SQL database. Everything was
working fine and then all of a sudden I kept getting the
following message "Database Results Wizard Error The
operation failed. If this continues, please contact your
server administrator" without changing anything. I found
the solution after searching the web.
Evidently, there is a problem with FrontPage 2003 files
FPDBRGN1.ini FPDBRGN2.ini AND FPDBLIB.ini and the solution
was to get the same files from FrontPage 2000. Microsoft,
are you listening??????
It worked, but this has raised a question about
security. Am I opening myself up to any security issues
(someone has mentioned sql injection attack risk) by using
the Frontpage 2000 files????
 
Sorry, I interpreted your first message to mean you were using the DRW
to *insert* the records.

Are you using the ASP.NET version of the DRW? If so, open the
_fpclass/fpdbnet.cs file and on about line 342, change

private bool DebugOn = false;
to
private bool DebugOn = true;

This won't fix the problem, but it'll probably get you a better error
message.

Jim Buyens
Microsoft FrontPage MVP
http://www.interlacken.com
 
Jim,

I am not using .net but I did change the coding initially to get a more
precise error message but all the stuff on the web said that there was no fix
and only work around was to use FP2000 files as mentioned below. So do you
know if I am exposed to injection risk or other security risk and if
Microsoft plans on fixing the FP2003 DRW?
 
Rick,

Another option is to hand code your ASP/VBScript and not rely on the FP database components.

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, WebCircle, MS KB Quick Links, etc.
==============================================
 
rick said:
Jim,

I am not using .net but I did change the coding initially to get a more
precise error message but all the stuff on the web said that there was no
fix and only work around was to use FP2000 files as mentioned below. So
do you know if I am exposed to injection risk or other security risk

Yes, you would be exposed.
and if Microsoft plans on fixing the FP2003 DRW?

I really have no insight on this. Generically, I know:

o They have a bug list.
o It's categorized by crashing bugs, lost functionality bugs,
and so forth.
o They review it from time to time, and select bugs to be fixed
by hot fix, service pack, next release, or distant future.
o User feedback contributes to those decisions.

But as to the status of this or any other specific bug, I have no
inside knowledge.

To register an official complaint, browse
http://register.microsoft.com/mswish/suggestion.asp
and fill out the form.

Jim Buyens
Microsoft FrontPage MVP
http://www.interlacken.com
 
Jim, thanks for responding. What if I create a View with only the data
columns of interest and let the user query against that View. Does that
solve the injection risk??
 
I don't know, because we never tracked down the actual source of your
problem. So try this:

1. Rerun the Database Results Wizard.
2. On page 2 of the wizard, click Custom Query and Edit.
3. Copy the contents of the SQL Statement box and post them to this
thread.
4. Cancel out of the DRW.

Generically, SQL statement injection occurs when the visitor gets to
modify your SQL statement. For example, you may have a SQL statement
like:

SELECT * FROM mytable WHERE lastname = '::lname::'

where lname is the name of a form field that supplies search criteria.
Now, suppose the visitor enters the following lname value:

x';DELETE FROM mytable WHERE lastname 'x' = 'x

after merging in this "input" you get:

SELECT * FROM mytable WHERE lastname = 'x';DELETE FROM mytable WHERE 'x'= 'x'

This sends two SQL statements to the DBMS: one that performs a
harmless query, and one that deletes all the records in the table.

With some DBMSs, it's even possible to inject SQL code that supplies
the DBMS with an operating system command to run. This is pretty scary
if your DBMS is running under the SYSTEM account or an administrator
account.

In ASP code, you can largely eliminate this risk by changing all
apostrophes to double apostrophes. For example:

SELECT * FROM mytable WHERE lastname = 'O''Hara'

searches for the last name O'Hara. So hopefully, when the DRW creates
a SQL statement like

SELECT * FROM mytable WHERE lastname = '::lastname::'

it changes all apostrophes in the lastname form field to double
apostrophes before merging the value into the SQL statement. I'm not
sure, however, if this is what the changes in the FPDBRGN1.ini
FPDBRGN2.ini and FPDBLIB.ini files do, or whether it was some other
fix.

Jim Buyens
Microsoft FrontPage MVP
http://www.interlacken.com
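The exchange above describes two things: how plain text substitution of a form field into `'::lname::'` turns one query into two statements, and how doubling apostrophes keeps the value inside the string literal. The following is an added Python example written for this thread, not code from the DRW or from Jim's site; it uses an in-memory SQLite table as a stand-in for `mytable`, the constructed names Smith, O'Hara and Buyens as sample rows, and the exact `lname` value quoted in the thread. It also shows the parameterized form, which is the stronger fix because the DBMS never parses the input as SQL at all.

```python
import sqlite3

# The lname value quoted in the thread, used here only to show the contrast
# between plain substitution and escaping.
PAYLOAD = "x';DELETE FROM mytable WHERE 'x' = 'x"


def make_db():
    """Constructed sample table standing in for the thread's mytable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER PRIMARY KEY, lastname TEXT)")
    conn.executemany("INSERT INTO mytable (lastname) VALUES (?)",
                     [("Smith",), ("O'Hara",), ("Buyens",)])
    conn.commit()
    return conn


def escape_apostrophes(value):
    """The mitigation Jim describes: every apostrophe becomes two, so the
    DBMS reads it as a literal character rather than the end of the string."""
    return value.replace("'", "''")


def build_query_unescaped(lname):
    """DRW-style template '::lname::' filled by plain text substitution."""
    return "SELECT * FROM mytable WHERE lastname = '" + lname + "'"


def build_query_escaped(lname):
    """Same template, but the form value is escaped before merging."""
    return "SELECT * FROM mytable WHERE lastname = '" + escape_apostrophes(lname) + "'"


def search_escaped(conn, lname):
    return [row[1] for row in conn.execute(build_query_escaped(lname))]


def search_parameterized(conn, lname):
    """Preferred form: the value travels as a parameter, never as SQL text."""
    return [row[1] for row in
            conn.execute("SELECT * FROM mytable WHERE lastname = ?", (lname,))]


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM mytable").fetchone()[0]


def demo():
    # Plain substitution: the merged text is two statements. executescript
    # runs batched statements the way a DBMS that accepts them would.
    conn = make_db()
    conn.executescript(build_query_unescaped(PAYLOAD))
    unsafe_rows_left = row_count(conn)

    # Escaped: the same input is now one statement whose literal matches
    # no row, and the table is untouched.
    conn = make_db()
    escaped_hits = search_escaped(conn, PAYLOAD)
    escaped_rows_left = row_count(conn)

    # Both safe forms still find a name that legitimately contains an apostrophe.
    ohara_escaped = search_escaped(conn, "O'Hara")
    ohara_param = search_parameterized(conn, "O'Hara")

    return {
        "unsafe_rows_left": unsafe_rows_left,
        "escaped_rows_left": escaped_rows_left,
        "escaped_hits": escaped_hits,
        "ohara_escaped": ohara_escaped,
        "ohara_param": ohara_param,
    }


if __name__ == "__main__":
    print(build_query_escaped(PAYLOAD))
    print(demo())
```

Apostrophe doubling only protects values that sit inside a quoted string literal; a value merged into a numeric comparison or an ORDER BY clause gets no benefit from it, which is why the parameterized query is the form to reach for when hand-coding the ASP, as Jim and Thomas both suggest.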
 