
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

SQL Injection mitigation tips for ASP development

Microsoft, the Internet Storm Center, the SQL-Server Worldwide Users Group (SSWUG), and others are actively promoting awareness of the dangers associated with automated SQL injection attacks. While SQL injection concerns have been around for several years, these attacks have grown substantially this year because of automation. There are also numerous vulnerable websites out there, which provide an opportunity for malware attacks. There is a need to fix these sites and promote secure web development.

SQL Injection mitigation tips for ASP development
http://isc.sans.org/diary.html?storyid=4610

QUOTE: With the recent SQL injection attacks on ASP pages, a lot of our readers are scrambling to find fixes for their applications. ASP is an older generation Web scripting language and would require a bit more work to prevent SQL injection from happening. One of our readers, Brian Erman, has written a function to filter out the SQL keywords and also escape some of the metacharacters in SQL to prevent SQL injection from happening.

Brian Erman's SQL Injection filtering for ASP
http://paste-it.net/public/c3cb69a/

To stop SQL injection at the root, we have to understand that SQL injection happens because the database cannot effectively distinguish between the static portion of the SQL statement and the user input. If there is a way we can tell the database "this is the static SQL statement and this is the user input", SQL injection could be stopped easily.

In actual fact, such a mechanism exists: it is called a parameterized query. The user input is passed to the SQL server as an argument (sort of like calling a function in a programming language), and the SQL server, during query execution, has a way to identify which part of the statement is static control and which part is user input.

Parameterized queries have been widely publicized. In classic ASP, a parameterized query is possible if you use the ADO Command object; an example is here. Parameterized queries are available on most other web scripting platforms, so now is the time to review all your web apps before the automated SQL injection exploitation spreads to other language platforms (PHP, CFM, PL).

GOOD EXAMPLES OF PARAMETERIZED QUERIES
http://aspnet101.com/aspnet101/tutorials.aspx
http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=6999
http://www.inrsolutions.com/blog/details.asp?id=5
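The classic ASP pattern described above, with the ADO Command object carrying the user input as a parameter, as an added example that is not from this post, the ISC diary, or Brian Erman's filter. It assumes a connection string stored in Application("ConnString") and a Products table with ProductID (integer) and Name (nvarchar) columns; both are placeholders. The concatenated query is shown only in a comment so the contrast is visible, and the request values reach the database exclusively through CreateParameter.

```asp
<%
Option Explicit

' Standard ADO constants (normally supplied by adovbs.inc); defined inline so
' the page does not depend on an include.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202

' Assumptions (hypothetical): Application("ConnString") holds the connection
' string, and dbo.Products has ProductID (int) and Name (nvarchar(50)).
Dim conn, cmd, rs, re, rawId, rawName

rawId = Request.QueryString("id")
rawName = Request.QueryString("q")

' VULNERABLE pattern, kept as a comment for contrast and never executed:
'   conn.Execute "SELECT Name FROM Products WHERE ProductID = " & rawId
' Here the database cannot tell where the static statement ends and the
' user input begins, which is exactly the gap the ISC diary describes.

' Step 1: validate the expected type before the value reaches ADO. A numeric
' id must be all digits; anything else is rejected with a 400 response.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product id"
    Response.End
End If

' Step 2: build the statement with "?" placeholders. The statement text is
' fixed at development time; no request data is concatenated into it.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Name FROM Products " & _
                  "WHERE ProductID = ? OR Name LIKE ?"

' Step 3: bind each input as a typed parameter. The integer is converted
' explicitly; the string is passed with its declared size, so a value such
' as  ' OR 1=1 --  is matched literally as text rather than parsed as SQL.
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
cmd.Parameters.Append cmd.CreateParameter("q", adVarWChar, adParamInput, 52, "%" & rawName & "%")

Set rs = cmd.Execute

' Step 4: encode output on the way back to the browser (separate issue from
' injection, but the same "data is not code" principle).
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

The keyword filter linked above can be kept as a defence-in-depth layer, but it is the parameter binding that removes the root cause: once the statement text no longer contains request data, there is nothing left for a filter to miss.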

Comments

Harry Waldron - My IT Forums Blog said:

URL Scan 3.0 Beta - New version helps detect SQL Injection Attacks Microsoft has just enhanced a key

# June 27, 2008 7:35 AM

Harry Waldron - Microsoft MVP Blog said:

Microsoft has just enhanced a key IIS based security tool in response to the new wave of automated SQL

# June 27, 2008 7:35 AM

Harry Waldron - My IT Forums Blog said:

Microsoft has just enhanced a key IIS based security tool in response to the new wave of automated SQL

# June 27, 2008 7:36 AM