Tutorial - Cross posted SQL injection measures
Shippwreck wrote:
> …I find that SQL Injection is one of those things that everyone agrees poses a major security risk, but if I ask the question what techniques to use to combat it or what are the key/most common things to look out for in your coding that leave you wide open the room goes eerily quiet…
Well, here’s what I do…
The ContainsSQL function below accepts a string value and checks for a ';' character (the one needed for SQL stuffing, i.e. tacking a second statement onto the query) outside of string delimiters.
Let's say your script uses a variable as a modifier for an SQL command. The variable is collected from the request string and is called "Variable", so to get the value in code you'd call Request("Variable").
Your code might look like this:
Code:
    sqlq = "select * from '" & Request("Variable") & "'"
    sql.execute(sqlq)
A black hat might fill in the Variable field with "A Variable.';[sql exploit here]". The SQL injection would mean that the SQL statement you executed would read like this:
Code:
    select * from 'A Variable.';[sql exploit here]
because the ';' terminates the first statement, so the SQL parser treats whatever follows it as a new statement.
To check this you'd call the function from your (ASP) code like this:
Code:
    <%
    If object.ContainsSQL(CStr(Request("Variable"))) Then
        Response.Write "<h2>Thank you.</h2>"
        Response.Write "Your IP address has been logged.<br>"
        Response.Write "Please step away from the computer,<br>"
        Response.Write "place your hands behind your head<br>"
        Response.Write "and await the arrival of a local law<br>"
        Response.Write "enforcement official."
    End If
    %>
The function:
Code:
    Private Function ContainsSQL(tValue As String) As Boolean
        Dim l, n, inString
        ClearError                 ' author's own helper, not shown in the post
        ContainsSQL = False
        ' Ensure the statement does not contain ; outside of string delimiters (')
        ' Loop reconstructed from that description (the post's copy is cut off);
        ' the value is spliced between the query's own quotes, so start "inside".
        inString = True
        For n = 1 To Len(tValue)
            l = Mid(tValue, n, 1)
            If l = "'" Then inString = Not inString   ' each delimiter toggles state
            If l = ";" And Not inString Then ContainsSQL = True: Exit For
        Next n
    10: End Function

posted by ntsa
admin @ April 19, 2008
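As an added example from the editor, not code from ntsa's post, the Python below re-implements the ContainsSQL scan and, going one step beyond the post, shows the same lookup done with a bound parameter, which is the general mitigation for this class of problem. The `quoted` flag, the in-memory `items` table and the sample values are constructed for the demonstration; the assumption that the scan starts inside a string literal (because the post splices the value between the query's own quotes) is mine, since the function body in the post is cut off.

```python
import sqlite3


def contains_sql(value: str, quoted: bool = True) -> bool:
    """Return True if a ';' in value would fall outside a single-quoted literal.

    Mirrors the ContainsSQL check from the post. `quoted` (assumed flag, not in
    the post) says whether the value is spliced between the query's own quotes,
    as in  select * from '<value>' ; if so the scan starts inside a string and
    a stray ' in the value closes it. Pass quoted=False for an unquoted slot.
    """
    in_string = quoted
    for ch in value:
        if ch == "'":
            in_string = not in_string        # each delimiter toggles state
        elif ch == ";" and not in_string:
            return True                      # statement terminator exposed
    return False


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the post's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items (name) VALUES (?)",
                     [("A Variable.",), ("second; item",)])
    return conn


def lookup(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the value travels as data, never as SQL text.

    A ';' or a quote inside `name` cannot start a second statement here,
    so no string scan is needed for correctness.
    """
    return conn.execute("SELECT name FROM items WHERE name = ?",
                        (name,)).fetchall()


if __name__ == "__main__":
    samples = ["A Variable.", "A Variable.';[sql exploit here]"]
    for s in samples:
        print(f"{s!r:40} ContainsSQL -> {contains_sql(s)}")
    conn = build_demo_db()
    for s in samples + ["second; item"]:
        print(f"{s!r:40} bound lookup -> {lookup(conn, s)}")
```

The scan is only a detector for stacked statements in the one quoting context it is told about; the bound-parameter lookup is what keeps the value from ever being parsed as SQL, so the semicolon in "second; item" is matched as ordinary data.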