Protect db for SQL attacks

Printable View

Apr 19th, 2004, 01:33 PM
visualsander

Protect db for SQL attacks

Hi group,

I've got a web site in .Net. Waauw.
The users are able to enter SQL statements in the address bar, eg DELETE FROM tblOrders....not so nice eh.

I know there's a statement that protects the db from this...but what is it?

Any ideas what I'm mumbling about?

TIA

VS
Apr 19th, 2004, 01:51 PM
wey97

Search the WWW for SQL Injection

There are plenty of articles.
Apr 19th, 2004, 06:00 PM
Fishcake

And as a rule i'd say NEVER pass SQL in a querystring.
Apr 19th, 2004, 11:26 PM
hellswraith

Stored procedures will stop it from happening. Never open a site to the public that doesn't use stored procedures. You are just asking for it.
Apr 20th, 2004, 08:51 AM
Magiaus

okay call me dumb but how hell can they hit SQL Server from the query string? My brain tells me that if my SQL Server is at xx.xxx.x.x and my site is at y.yyy.yy.y that unless I have ?sql=statemnet&run=yeah and I check for it and run the SQL all is fine.

What am I missing here? I always used Stored Procedures btw but I do that because of code reuse, encapsulation, and Ben the new guy might not know SQL.....

How could a security flaw that obvious even happen I mean I know there are still idiots who pass unencrypted user name and password acroos the query with GET but... ah n/m
Apr 20th, 2004, 09:00 AM
Fishcake

As stated you fine if you use stored proc's but a problem could arise for example if you built up your SQL string from text boxes or querystrings. ie.

"select *
from Users
where username = " & txtUsername.text

if txtUsername.text = "user001;delete * from users"

you end up with
select *
from tblUsers
where username = user001;delete * from users

Being passed to the database with disasterous effects, but easily avoided.
Apr 20th, 2004, 09:10 AM
Magiaus

I see. So basicly the problem is the design that was used. I always scoffed and said what idiot would do that when I read things about building your connection string and sql via user input because it seemed obvius to me that a user with any know how could easily connect to other databases and run sql that is not intended, but I forget everyone isn't a jack of trades computer tech/ptogrammer/web monkey/dba/coffee maker/sales rep/it manager/2600/con man/pool shark/video game hacker/under paid/really underpaid/college student(well next 1/2 anyway)
Apr 20th, 2004, 09:15 AM
Memnoch1207

Put the site live and let me run some scripts against it...hehe...Then if you have a database left. you should be safe.
Apr 21st, 2004, 03:46 AM
visualsander

Memnoch1207

LOL, me thinks me needs some testing :-)
Apr 21st, 2004, 08:25 AM
nemaroller

Quote:

Originally posted by Memnoch1207
Put the site live and let me run some scripts against it...hehe...Then if you have a database left. you should be safe.

Hmmm... I could use some testing against our DB.

If you whack the DB that's fine, its all backed up..

I'll let you know.. ;)