SQL Injection Prevention

I'm currently working on a legacy ASP project where security has now become a large concern. Not only does it use insecure encryption methods (md5), but I'm worried about SQL injection problems. I'm not very good with injection quite yet, and I've tried only the basics of what I know. I've found the function which "secures" any user input, but I'm wondering if it is actually doing anything to prevent injection attacks. Here is the function:

function sqlfix(input)
    if not isnull(input) and input <> "" then
        ' rewrite a fixed list of characters as HTML numeric entities
        input = replace(input, ";", "&#59;")
        input = replace(input, "'", "&#39;")
        input = replace(input, """", "&#34;")
        input = replace(input, "(", "&#40;")
        input = replace(input, ")", "&#41;")
        input = replace(input, "|", "&#124;")
        input = replace(input, "<", "&#60;")
        input = replace(input, ">", "&#62;")
        ' single quotes were already turned into &#39; above, so this
        ' SQL-style doubling never finds anything to replace
        input = replace(input , "'", "''")
        'input = Server.HTMLEncode(input)
        'input = Server.UrlEncode(input)
        sqlfix = input
    else
        sqlfix = ""
    end if
end function

I remember doing something like this many years ago when I first started PHP with mysql_* functions, but now I've moved onto PDO and parameter binding. However I don't know how safe this is for ASP applications. Thanks for any input.

Jason Kaczmarsky asked Dec 26 '22 14:12

2 Answers

Don't fall into the string-interpolation trap! It's not secure.

You can use real SQL query parameters even in ASP Classic.

I'm not an ASP programmer, but I found this blog with a clear example of using an ADODB.Command object for a parameterized SQL query, and binding values to parameters before executing.

http://securestate.blogspot.com/2008/09/classic-asp-sql-injection-prevention_30.html

Also see this SO question for some more examples of using named parameters:

ASP Classic Named Parameter in Paramaterized Query: Must declare the scalar variable

Bill Karwin answered Jan 11 '23 05:01

This is as close as you can get to PDO in ASP Classic...

with createobject("adodb.command")
    .activeConnection = application("connectionstring")
    ' the SQL text is fixed; "?" is a positional placeholder
    .commandText = "select * from sometable where id=?"
    ' first argument (RecordsAffected) omitted; second is the parameter values
    set rs = .execute( ,array(123))
end with

How can I make a prepared statement in classic asp that prevents sql injection?

ThatGuyInIT answered Jan 11 '23 05:01
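As an added example illustrating both answers above (not code from either poster or from the linked blog), the following places the string-concatenation pattern from the question next to the ADODB.Command form with an explicitly typed parameter. It assumes a table named users with integer column id and a connection object conn opened elsewhere; the ADO constants are spelled out because a plain .asp page without adovbs.inc does not define them.

```vbscript
Option Explicit

' ADO constants (normally supplied by adovbs.inc or the METADATA type library tag)
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

' UNSAFE: the request value is spliced into the SQL text. A numeric column
' needs no quotes, so nothing sqlfix() rewrites changes whether the query's
' structure can be altered; the text and the data are not separated.
Function FindUserUnsafe(conn, idText)
    Set FindUserUnsafe = conn.Execute("select id, username from users where id = " & sqlfix(idText))
End Function

' SAFE: validate the type first, then send the value as a typed parameter.
' The SQL text never changes, so the driver cannot interpret the value as SQL.
Function FindUserSafe(conn, idText)
    Dim cmd, idValue
    If Not IsNumeric(idText) Then
        Err.Raise vbObjectError + 1, "FindUserSafe", "id must be numeric"
    End If
    idValue = CLng(idText)

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select id, username from users where id = ?"
    ' name is informational for positional "?" markers; type and direction are enforced
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , idValue)
    Set FindUserSafe = cmd.Execute
End Function

' Usage in a page (conn assumed open; output is HTML-encoded on the way out):
' Dim rs : Set rs = FindUserSafe(conn, Request.QueryString("id"))
' Do While Not rs.EOF
'     Response.Write Server.HTMLEncode(rs("username")) & "<br>"
'     rs.MoveNext
' Loop
```

For string columns use adVarChar with an explicit size argument to CreateParameter; the pattern is otherwise the same.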