SQL injection

Thread starter: MattB

MattB

I have a name lookup form that passes the contents of two text boxes to
a sql query. I've noticed that someone can substitute % for letters and
wildcard the query. I know I could just disallow that character, but is
there a commonly accepted way to stop all of these kinds of attacks?
I see asp.net automatically disallows characters like "<>" but not %.
What else should I be on the lookout for? Thanks!

Matt
 
Hello:

You need to use a 'RegularExpression' Validator Control and test for
the characters you want to disallow.

Best Regards,
Jatubio

MattB wrote:
 
SQL injection is when you do not handle quotes. Say you write the following

ds = db.ExecuteDataset("select * from people where name like '" + name +
"'");

then a clever user types into the name search field:

a'' delete people select ''a

this will nicely delete all your records.

-- bruce (sqlwork.com)
 
Use parameterized queries and / or stored procedures. Also, you may want to
change the queries to check for equality rather than using like statements.
In sql 'matt' like 'mat%' evaluates to true but 'matt' = 'mat%' doesn't.
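As an added example (not code from the thread or from any of the posters), here is the concatenated LIKE query from bruce's post beside the parameterized form Scott recommends, using Python's sqlite3 module so it runs offline; the table and rows are constructed for the demo, and the ESCAPE clause shown works the same way in T-SQL with a SqlParameter (SQL Server additionally treats "[" as a LIKE wildcard, so escape it there too).

```python
import sqlite3

# Constructed sample rows (not from the thread) standing in for the "people" table.
PEOPLE = [("Matt Brown",), ("Mary O'Brien",), ("Smithers-Jones",), ("50% off",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    conn.executemany("INSERT INTO people VALUES (?)", PEOPLE)
    return conn


def vulnerable_lookup(conn, name):
    # The concatenation from bruce's post: the user's text becomes part of the
    # SQL, so a typed % is a wildcard and a typed quote ends the string literal.
    sql = "SELECT name FROM people WHERE name LIKE '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fails(conn, name):
    # True when the parser rejects the concatenated statement, i.e. the user's
    # text altered the statement's structure instead of staying data.
    try:
        vulnerable_lookup(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def escape_like(value, esc="\\"):
    # Make %, _ and the escape character itself literal inside a LIKE pattern.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def safe_lookup(conn, name, prefix=False):
    # Parameterized query (Scott's advice): the driver binds the value, so an
    # apostrophe in O'Brien is just data. ESCAPE stops user-typed wildcards;
    # only the application decides whether to append its own % for a prefix search.
    pattern = escape_like(name) + ("%" if prefix else "")
    rows = conn.execute(
        "SELECT name FROM people WHERE name LIKE ? ESCAPE '\\'", (pattern,))
    return [row[0] for row in rows]
```

With the concatenated version, "%" alone returns every row and an apostrophe breaks the statement; with the bound version the same inputs are matched literally.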
 
Scott said:
Use parameterized queries and / or stored procedures. Also, you may want to
change the queries to check for equality rather than using like statements.
In sql 'matt' like 'mat%' evaluates to true but 'matt' = 'mat%' doesn't.

Thanks everyone. Unfortunately the queries get constructed in a separate
layer by a COM object and I'm just calling that object. As a solution,
I'm filtering out any input other than what is needed for that
particular field, which for the name example is the alphabet and the
single quote (which gets replaced with two single quotes to accommodate
names like O'Brien).

Matt
 
Part of building a secure system is to know at what levels in your application
the user input data has been scrubbed. From then on in the application the
data can be assumed to be clean. You need to coordinate this with the devs
of the COM+ components.

-Brock
DevelopMentor
http://staff.develop.com/ballen
 
Thanks everyone. Unfortunately the queries get constructed in a separate
layer by a COM object and I'm just calling that object. As a solution, I'm
filtering out any input other than what is needed for that particular
field, which for the name example is the alphabet and the single quote
(which gets replaced with two single quotes to accommodate names like
O'Brien).

Careful - there are people who have "double-barreled" names e.g.
Smithers-Jones, so you'd need to allow the hyphen character too. If you do
this, MAKE ABSOLUTELY CERTAIN you disallow a repeated hyphen i.e. -- as this
is a classic SQL injection trick because it's the T-SQL line comment
identifier and will cause SQL to ignore anything which follows it.
 
FYI: I have built a commercial ASP.NET solution to address SQL Injection and
Cross-site-scripting attacks: Visual Input Security
(http://www.peterblum.com/vise/home.aspx). It gives you validators with
powerful algorithms that can detect SQL inside of English text so that you
can avoid removing characters that users should be allowed to type into your
textbox.

--- Peter Blum
www.PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
 