
Subject: SQL Injection Attacks

Leon (user), Sat 7th Oct '09, 16:44
Hi Guys

I have read a few posts regarding SQL Injection Attacks, but I thought I would post specifically about my issue.

My hosting company confirmed that recently it appeared that somebody was trying to hack into my website. I was able to confirm the page used but not whether they actually got through - no data in the database was changed.

I have never come across this before and my hosting company advised me to have a word with my developer to secure my code - which is myself. I have also read a few articles on how attackers do what they do, however I am still anxious and so I have a few questions:

How might I better secure my code in ASP to make it more difficult for attacks to occur through my login (username + password) fields?

Is there a way to protect my ASP code? (if this will help)

Are there any added safeguards I can place upon my MSSQL database?

Cheers Webthangers!

Leon
cjd (user), Fri 6th Oct '09, 5:11
Always try to use stored procedures for inserting and updating data, and where possible use them for querying data as well.

Also, in my old classic apps I used the following function to clean input fields:




So if you have hard-coded your query, it would end up something like this:



You should also not be storing passwords in plain text.
Leon (user), Fri 6th Oct '09, 20:29
Hi cjd

Thanks for the tips. I have removed the hard-coded SQL and at the minute I have created some stored procedures. For example, for login and passwords, this is the procedure call:

userName = Request.Form("username")
password = Request.Form("password")

set rs = server.createobject("adodb.recordset")

rs.Open "Exec sp_validateuser '" & userName & "','" & password & "'", Conn

Would this remove the need for using the function fCleanSQL(strWords)?

Also, you mentioned storing passwords as plain text; could you elaborate on this further?

The passwords are currently stored in my database with the datatype nvarchar; does this sound OK?
Rob (admin), Mon 2nd Nov '09, 18:37
Leon, if you're using stored procedures you shouldn't need to worry about SQL injection; if you are not using SPs, then cjd's example is a good one.

Performing a check on the data before it is processed is a very wise idea if not using SPs.
Leon (user), Fri 6th Nov '09, 5:39
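Leon's snippet above still splices both form fields into the command text with `&`, so the stored procedure on its own does not give the protection Rob describes; what closes the hole is passing the values as typed parameters. The following is an added example (not code from the thread) showing the same login call made through ADODB.Command; it assumes the procedure is named sp_validateuser with @username and @password parameters, and that Conn is an already-open ADODB.Connection.

```vbscript
<%
' Added example, not from the thread. Assumed: stored procedure sp_validateuser
' with parameters @username and @password; Conn is an open ADODB.Connection.

' ADO constants (define them yourself unless adovbs.inc is included)
Const adCmdStoredProc = 4
Const adVarWChar      = 202
Const adParamInput    = 1
Const adStateOpen     = 1

' Returns True when the procedure returns at least one row for the credentials.
' The form values are never concatenated into SQL text: a quote, semicolon or
' comment sequence in either field reaches the database as plain data.
Function ValidateUser(Conn, userName, password)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "sp_validateuser"
    ' Sizes should match the parameter declarations in the procedure.
    cmd.Parameters.Append cmd.CreateParameter("@username", adVarWChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("@password", adVarWChar, adParamInput, 128, password)
    Set rs = cmd.Execute
    ' A procedure that returns no rowset yields a closed recordset, so guard
    ' before touching BOF/EOF.
    If rs.State = adStateOpen Then
        ValidateUser = Not (rs.BOF And rs.EOF)
        rs.Close
    Else
        ValidateUser = False
    End If
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Replacement for the concatenated rs.Open "Exec sp_validateuser '" & ... call
Dim userName, password
userName = Request.Form("username")
password = Request.Form("password")
If ValidateUser(Conn, userName, password) Then
    ' credentials accepted: start the session here
Else
    ' one generic failure message; do not say which field was wrong
End If
%>
```

The procedure body itself must not rebuild a query string from its parameters with EXEC, or the injection risk simply moves into the database. Following cjd's point, the procedure should compare against a salted hash of the password rather than the plaintext nvarchar value the thread mentions.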
Thanks