SQL injection security



tc101
November 9th, 2008, 10:23 PM
I am working on a legacy ASP system. There is lots of SQL hard coded in the web pages, but all in client side script so a user could not see it. The manager wants to move all the hard coded SQL to stored procedures because of the threat of SQL injection security breaches. I am just starting to read about this and wonder how much of a threat it really is.

For example, on a web page that just uses a radio button and a drop down list box to generate a table of information on the screen, is there any way a SQL injection could happen?

skeeterbug
November 9th, 2008, 10:42 PM
I am working on a legacy ASP system. There is lots of SQL hard coded in the web pages, but all in client side script so a user could not see it. The manager wants to move all the hard coded SQL to stored procedures because of the threat of SQL injection security breaches. I am just starting to read about this and wonder how much of a threat it really is.

For example, on a web page that just uses a radio button and a drop down list box to generate a table of information on the screen, is there any way a SQL injection could happen?

Yes, the attacker could modify the value of the form and inject his own SQL into it. Use stored procs or parametrize your SQL statements.

tom66
November 9th, 2008, 11:09 PM
There is a Firefox extension (Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/966) which allows you to modify what is sent to the server, so an option form like this:



<form action="catview.asp" method="post">
<p>
<b>Select category to view: </b>
<select name="cat_id">
<option value="1">...</option>
<!-- ... -->
<option value="n">...</option>
</select>
</p>
<p>
<input type="submit" />
</p>
</form>


executing the query:


SELECT * FROM items WHERE category_id = '{ID}'


could be abused, even though there is a select field, because it can be modified through JavaScript, using the Firefox extension, or any other kind of modification. For example, normal form data might be:



cat_id: 1


but an attacker could modify it to:



cat_id: 1'; DELETE * FROM items, users; #
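A stand-alone illustration of the point made in this thread, added here and not code from the thread or from any ASP project: the concatenated query from tom66's post beside the parameterised query skeeterbug recommends, plus a server-side allow-list check for the select field. Python with an in-memory SQLite database stands in for the ASP page's database; the items table, the allowed category ids and the payload are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "items" table.
ITEMS = [(1, "widget", 1), (2, "gadget", 1), (3, "gizmo", 2)]

# The values the <select> really offers; anything else never came from the form.
ALLOWED_CAT_IDS = {"1", "2"}

# The modified form value from tom66's post, reused here as the test input.
TAMPERED_CAT_ID = "1'; DELETE * FROM items, users; #"


def build_query_unsafe(cat_id: str) -> str:
    """The thread's pattern: the submitted value is pasted into the SQL text,
    so whatever the client sends becomes part of the statement the engine parses."""
    return f"SELECT * FROM items WHERE category_id = '{cat_id}'"


def cat_id_is_valid(cat_id: str) -> bool:
    """A select box proves nothing about the request; re-check the value server-side
    against the list of options the page actually rendered."""
    return cat_id in ALLOWED_CAT_IDS


def fetch_items_safe(conn: sqlite3.Connection, cat_id: str) -> list:
    """Parameterised query: the driver passes cat_id as a bound value, never as SQL,
    so a tampered value simply matches no category."""
    return conn.execute(
        "SELECT * FROM items WHERE category_id = ?", (cat_id,)
    ).fetchall()


def make_db() -> sqlite3.Connection:
    """Build the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, category_id INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", ITEMS)
    conn.commit()
    return conn


def count_items(conn: sqlite3.Connection) -> int:
    """Row count, used to confirm the table survives the tampered request."""
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("unsafe SQL the server would run:", build_query_unsafe(TAMPERED_CAT_ID))
    print("allow-list accepts tampered value:", cat_id_is_valid(TAMPERED_CAT_ID))
    print("parameterised result for tampered value:", fetch_items_safe(db, TAMPERED_CAT_ID))
    print("rows still in items:", count_items(db))
```

With the concatenated builder the injected DELETE becomes part of the statement text; with the bound parameter the same string is compared as a value, matches nothing, and the table is untouched.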