[14069] in bugtraq


Re: BID 994,

daemon@ATHENA.MIT.EDU (Smith, Eric V.)
Mon Feb 28 15:31:59 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="windows-1252"
Message-Id:  <61475A6027E9D111BB25006008C3D3950CD321@eastnor.windsor.com>
Date:         Mon, 28 Feb 2000 06:34:28 -0500
Reply-To: "Smith, Eric V." <EricSmith@WINDSOR.COM>
From: "Smith, Eric V." <EricSmith@WINDSOR.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

This can still be a problem even if you use stored procedures.  I've seen
code like this:

sql = "exec sp_name " & userdata

If userdata contains '0; delete from table' then you've got a problem.

The best way around this is to use parameterized queries for all data
access, including stored procedures, selects, inserts, and updates.  Never
build up sql statements from strings that include user input.

Eric.


-----Original Message-----
From: Bertrand Schmitt [mailto:bertrand.schmitt@ARKADIA.COM]
Sent: Saturday, February 26, 2000 11:03 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: BID 994, MS00-010 (Site Server Commerce Edition
non-validated SQL inputs)


If you use Stored Procedure calls in your ASP pages this can't
happen!! Manually creating SQL statements within ASP is poor design:
not as efficient and secure as storing them in your database server
(as stored procedures) and making a call to them, not to mention
coding properly: do you reuse these pieces of code?!


Within product.asp dept_id is picked up and used to construct a SQL
statement.

"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")

Further down the page a, b, c, d, e, f and g are response.writed to the
page.

Think about what happens if the URL above is modified to

http://hostname/product.asp?dept_id=100000 union select
credit_card_number,null,null,null,null,null, null from Credit_Card_table
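Both attacks in this thread (the union select against product.asp in the advisory text, and the stacked statement behind "exec sp_name" in Eric's reply) come from the same mistake: the request value is pasted into SQL text. The following is an added example, not code from the advisory or from either poster, that reproduces both against a constructed SQLite database and shows the same inputs against a parameterized query. The table and column names (products, credit_card_table, columns a..g) are assumptions modelled on the thread; sqlite3 has no stored procedures and its execute() refuses statement batches, so executescript() stands in for a driver such as ADO against SQL Server that runs every statement it is handed.

```python
import sqlite3


def make_db():
    """Constructed sample schema mirroring the tables named in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table products (
            dept_id integer, a text, b text, c text, d text, e text, f text, g text);
        create table credit_card_table (credit_card_number text);
        insert into products values (100, 'Widget', 'blue', '9.99', '1', '2', '3', '4');
        insert into products values (200, 'Gadget', 'red', '19.99', '1', '2', '3', '4');
        insert into credit_card_table values ('4111111111111111');
        insert into credit_card_table values ('5500000000000004');
        """
    )
    return conn


# Payloads as constructed for this example: the union select from the
# advisory (seven columns to match a..g) and the stacked delete from the reply.
UNION_PAYLOAD = (
    "100000 union select credit_card_number,null,null,null,null,null,null "
    "from credit_card_table"
)
STACK_PAYLOAD = "0; delete from products"


def vulnerable_products(conn, dept_id):
    """Mirrors product.asp: the request parameter becomes part of the SQL text."""
    sql = "select a,b,c,d,e,f,g from products where dept_id = " + dept_id
    return conn.execute(sql).fetchall()


def safe_products(conn, dept_id):
    """Parameterized: the value is bound by the driver and never parsed as SQL.

    A non-numeric string bound against an integer column simply matches
    nothing; the 'union' inside it is data, not syntax.
    """
    sql = "select a,b,c,d,e,f,g from products where dept_id = ?"
    return conn.execute(sql, (dept_id,)).fetchall()


def vulnerable_batch(conn, userdata):
    """Eric's 'exec sp_name ' & userdata pattern, on a batch-capable driver.

    executescript() emulates a driver that executes every statement in the
    string, so '0; delete from products' runs the delete as well.
    """
    sql = "select a from products where dept_id = " + userdata
    conn.executescript(sql)


def safe_batch(conn, userdata):
    """Same lookup with the value bound as a parameter: one statement, no delete."""
    return conn.execute(
        "select a from products where dept_id = ?", (userdata,)
    ).fetchall()


def row_count(conn):
    return conn.execute("select count(*) from products").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    print("concatenated union:", vulnerable_products(conn, UNION_PAYLOAD))
    print("parameterized union:", safe_products(conn, UNION_PAYLOAD))
    print("parameterized normal:", safe_products(conn, "100"))
    safe_batch(conn, STACK_PAYLOAD)
    print("rows after parameterized stack:", row_count(conn))
    vulnerable_batch(conn, STACK_PAYLOAD)
    print("rows after concatenated stack:", row_count(conn))
```

Running it prints the two card numbers for the concatenated union query and an empty list for the bound one, then shows the products table intact after the parameterized lookup and emptied after the concatenated batch. The parameterized form needs no escaping or filtering of the input to get this result, which is the point of Eric's advice; validating that dept_id is an integer before the call is still worth doing, but as a second line of defence rather than the first.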
