-
Apr 19th, 2004, 01:33 PM
#1
Thread Starter
Hyperactive Member
Protect db for SQL attacks
Hi group,
I've got a web site in .Net. Waauw.
The users are able to enter SQL statements in the address bar, e.g. DELETE FROM tblOrders... not so nice, eh.
I know there's a statement that protects the db from this...but what is it?
Any ideas what I'm mumbling about?
TIA
VS
-
Apr 19th, 2004, 01:51 PM
#2
Frenzied Member
Search the WWW for SQL Injection
There are plenty of articles.
-
Apr 19th, 2004, 06:00 PM
#3
And as a rule i'd say NEVER pass SQL in a querystring.
-
Apr 19th, 2004, 11:26 PM
#4
PowerPoster
Stored procedures will stop it from happening. Never open a site to the public that doesn't use stored procedures. You are just asking for it.
-
Apr 20th, 2004, 08:51 AM
#5
Frenzied Member
Okay, call me dumb, but how the hell can they hit SQL Server from the query string? My brain tells me that if my SQL Server is at xx.xxx.x.x and my site is at y.yyy.yy.y that unless I have ?sql=statement&run=yeah and I check for it and run the SQL, all is fine.
What am I missing here? I always used Stored Procedures btw, but I do that because of code reuse, encapsulation, and Ben the new guy might not know SQL.....
How could a security flaw that obvious even happen? I mean, I know there are still idiots who pass unencrypted user name and password across the query with GET but... ah n/m
Magiaus
If I helped give me some points.
-
Apr 20th, 2004, 09:00 AM
#6
As stated, you're fine if you use stored procs, but a problem could arise, for example, if you built up your SQL string from text boxes or querystrings. i.e.
"select *
from Users
where username = " & txtUsername.text
if txtUsername.text = "user001;delete * from users"
you end up with
select *
from Users
where username = user001;delete * from users
being passed to the database with disastrous effects, but easily avoided.
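The pattern in this post, and the fix that makes the stored-procedure advice in #4 work in plain code too, can be seen side by side in a small runnable example. This is an added example, not code from the thread: Python with the standard-library sqlite3 module stands in for the VB.NET/ADO.NET code above, the table and rows are constructed for the demo, and executescript() is used only to mimic a driver that sends the whole concatenated text, second statement included, to the server the way ADO.NET does with SQL Server. The malicious input is a constructed sample in the same spirit as the post's "user001;delete * from users".

```python
import sqlite3

# Constructed sample data standing in for the thread's Users table.
SEED_ROWS = [
    ("user001", "alice@example.invalid"),
    ("user002", "bob@example.invalid"),
]


def make_db():
    """Create an in-memory database with a small Users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def build_concatenated_sql(username):
    """The pattern from the thread: SQL text assembled from user input.

    Whatever the user typed becomes part of the SQL grammar, so a quote and a
    semicolon in the input change the statement instead of staying a value.
    """
    return "SELECT username, email FROM Users WHERE username = '" + username + "'"


def run_vulnerable(conn, username):
    """Send the concatenated text to the database as a batch.

    executescript() runs every statement in the string, which is what a
    SQL Server client library does with a batch; that is the behaviour the
    thread warns about. Only the side effect on the table matters here.
    """
    conn.executescript(build_concatenated_sql(username))


def run_parameterized(conn, username):
    """The fix: the SQL is fixed text and the input is bound as a parameter.

    The driver hands the value to the engine separately, so it can never be
    parsed as SQL. In ADO.NET the same thing is SqlCommand with SqlParameter
    objects (or a stored procedure taking parameters), as post #4 suggests.
    """
    cur = conn.execute(
        "SELECT username, email FROM Users WHERE username = ?", (username,)
    )
    return cur.fetchall()


def count_users(conn):
    """Row count, used to show whether the table survived."""
    return conn.execute("SELECT COUNT(*) FROM Users").fetchone()[0]


def demo():
    """Run both paths with the same constructed malicious input and report."""
    malicious = "user001'; DELETE FROM Users; --"   # constructed sample input
    result = {}

    conn = make_db()
    result["rows_before"] = count_users(conn)
    result["param_lookup"] = run_parameterized(conn, malicious)   # no such user
    result["rows_after_param"] = count_users(conn)               # table intact

    result["generated_sql"] = build_concatenated_sql(malicious)
    run_vulnerable(conn, malicious)
    result["rows_after_concat"] = count_users(conn)              # table emptied
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the generated SQL text, which makes the problem visible: the input's closing quote and semicolon end the SELECT and start a DELETE, and the trailing comment marker swallows the quote the code appends. The parameterized lookup with the same input simply finds no user named `user001'; DELETE FROM Users; --` and leaves the table untouched. Stored procedures help for the same reason: their inputs are parameters, not SQL text, as long as the procedure itself does not rebuild a string from them and EXEC it.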
-
Apr 20th, 2004, 09:10 AM
#7
Frenzied Member
I see. So basically the problem is the design that was used. I always scoffed and said what idiot would do that when I read things about building your connection string and SQL via user input, because it seemed obvious to me that a user with any know-how could easily connect to other databases and run SQL that is not intended, but I forget everyone isn't a jack of all trades computer tech/programmer/web monkey/dba/coffee maker/sales rep/it manager/2600/con man/pool shark/video game hacker/under paid/really underpaid/college student (well next 1/2 anyway)
Magiaus
If I helped give me some points.
-
Apr 20th, 2004, 09:15 AM
#8
Frenzied Member
Put the site live and let me run some scripts against it... hehe... Then if you have a database left, you should be safe.
Being educated does not make you intelligent.
-
Apr 21st, 2004, 03:46 AM
#9
Thread Starter
Hyperactive Member
Memnoch1207
LOL, me thinks me needs some testing :-)
-
Apr 21st, 2004, 08:25 AM
#10
Originally posted by Memnoch1207
Put the site live and let me run some scripts against it... hehe... Then if you have a database left, you should be safe.
Hmmm... I could use some testing against our DB.
If you whack the DB that's fine, it's all backed up.
I'll let you know.