 Print
 Add To Favorites
 Email To Friend
 Rate This Article
|
SQL Injection in Classic ASP and Possible Solutions
|
Published:
12 Aug 2008
|
Abstract
Nowadays, SQL injection is a big threat for websites. It is a technique by which hackers can execute dangerous SQL commands by taking advantage of un-sanitized input opportunities in web application. While there is a good amount of best practices to prevent SQL injection in ASP.NET, ASP has very little information. In this article, Ehsanul examines a quicker and easier way to sanitize input parameters as well as the design plan for a new website to protect from SQL Injection. After a brief introduction, he demonstrates the technique with the help of relevant source code and screenshots. Towards the end of the article, he provides some tips to avoid database related errors and a list of useful reference articles. |
 |
by Ehsanul Haque
Feedback
|
Average Rating: 
Views (Total / Last 10 Days):
95418/
90
|
|
|
|
| Introduction |
Several communities have already started a few workarounds
on this issue. HP Web Security Research Group published a tool named HP
Scrawlr, to find out SQL Injection vulnerabilities in websites. Also,
Microsoft recently released source code analyzer for SQL Injection. But
sanitizing all the input fields is not an easy task for a large website.
SQL (structured query language) is a very powerful gun for
hackers. We know there are several built-in processes in ASP.NET to protect it
from SQL Injection and cross site scripting like ValidateRequest, "EnableEventValidation,"
etc. in page element. They inspect in every request variable for script to
prevent attack in application. These features can be set from web.config which
will work for every page centrally or can be set in individual pages from page
element tag. We have to build similar functionality in classic ASP, so we will
do it similarly to the ways ASP.NET protects the application from SQL Injection.
Normally, hackers target the "information collection form" like the registration
form, subscription form, login form, etc. Searching this type of form is not a
hard task since hackers used a very smart crawler program. In the rest of the
article, we will build a ValidateRequest system which can inspect all request
variables centrally application-wise as well as page-wise like the built-in
system in ASP.NET.
|
|
|
|
User Comments
Title:
dfa
Name:
asdfa
Date:
2012-11-13 6:20:17 AM
Comment:
asdfas
|
Title:
asdf
Name:
asdf
Date:
2012-09-22 1:41:22 PM
Comment:
'dfads
|
Title:
FDGHFH
Name:
NIKE NFL jerseys
Date:
2012-05-20 11:38:18 PM
Comment:
[/pre]Cheap NFL,NBA,MLB,NHL
[url=http://www.jersey2shop.com/]Jerseys From China[/url]
[url=http://www.jersey2shop.com/]2012 nike nfl Jerseys[/url]
[url=http://www.jersey2shop.com/]cheap China Jerseys[/url]
[url=http://www.jersey2shop.com/]Sports Jerseys China[/url]
[url=http://www.jersey2shop.com/NFL-Jerseys-c68/]NFL Jerseys China[/url]
[url=http://www.jersey2shop.com/NBA-Jerseys-c77/]NBA Jerseys China[/url]
NHL Jerseys China
[url=http://www.jersey2shop.com/MLB-Jerseys-c94/]MLB Jerseys China[/url]NFL jerseys For Sale online.All Our Jerseys Are Sewn On and Directly From Chinese Jerseys Factory
[/pre]
[pre]We Are Professional China jerseys Wholesaler
[url=http://www.cheapjersey2store.com/]Wholesale cheap jerseys[/url]Cheap mlb jerseys
[url= http://www.cheapjersey2store.com/]2012 mlb all atar jerseys[/url]
[url= http://www.cheapjersey2store.com/ [/url]Cheap China Wholesael[/url]
[url= http://www.cheapjersey2store.com/]Wholesale jerseys From China[/url]
[url=http://www.cheapjersey2store.com/]2012 nike nfl Jerseys[/url]Free Shipping,Cheap Price,7 Days Deliver
[/pre]
[/pre]
We are professional jerseys manufacturer from china,wholesal
sports [url= http://www.cheapjersey2store.com/]Jerseys From China[/url]
[url=http://www.cheapjersey2store.com/NFL-Jerseys-c68]NFL jerseys China[/url]
[url=http://www.cheapjersey2store.com/NHL-Jerseys-c96/]NHL Jerseys China[/url]
[url=http://www.cheapjersey2store.com/NBA-Jerseys-c77/]NBA Jerseys China[/url]
[url=http://www.cheapjersey2store.com/MLB-Jerseys-c94/]MLB Jerseys China[/url]
[url= http://www.cheapjersey2store.com/]China Jerseys[/url],Free Shipping
[/pre]
[/pre]
We are professional jerseys manufacturer from china,wholesal
sports [url= http://www.jerseycaptain.com/]cheap jerseys sale online [/url]
[url= http://www.jerseycaptain.com/]2012 nike nfl Jerseys[/url]
[url=http://www.jerseycaptain.com/NFL-Jerseys-c68]cheap NFL jerseys China[/url]
[url=http://www.jerseycaptain.com/NHL-Jerseys-c96/]NHL Jerseys C
|
Title:
this is good!
Name:
joven
Date:
2012-05-19 11:14:33 AM
Comment:
this is good post of article.. thanks for this upload :)
|
Title:
RE:sample code missing
Name:
Ehsanul Haque
Date:
2012-01-23 12:04:29 PM
Comment:
Hey Bob,
Thanks for notifying me about the missing URL for the sample code. I am in rush right now, but I will try to fix it as soon as possible.
|
Title:
sample code missing
Name:
Bob
Date:
2012-01-23 9:14:23 AM
Comment:
Sadly, the sample code ZIP file is 404 not found. :( I believe I can follow along with the article, and extract the appropriate code to implement, but sample code is almost always more straight forward for fully understanding a concept, since it is usually a full solution vs a tutorial. Thanks for a great article, though!
|
Title:
Possible solution for SQL Injection
Name:
Rey Calanta-ol
Date:
2011-04-01 10:06:12 AM
Comment:
1. Optimize your inputs, you may use replace function to replace all suspicious symbols in the inputs.
2. Use parameterized query.
|
Title:
Great article :)
Name:
Benedict Basa
Date:
2010-11-07 11:51:15 PM
Comment:
Exactly what i needed :)
|
Title:
ASP is here to remain for a long time.
Name:
pickatutorial
Date:
2010-10-05 11:27:44 AM
Comment:
ASP is here to remain for a long time.
|
Title:
nice :)
Name:
MJ
Date:
2010-06-29 5:37:37 PM
Comment:
no comment :)
|
Title:
Replace wrong words
Name:
Eric Coumans
Date:
2009-12-21 10:37:23 AM
Comment:
Hi there,
small question: is it also possible instead of going to the error page, replace the value in the scanned form input?
so when somebody fills in "copenhagen" the function (mentioned above) will change ("open") this into: "c*hagen"...
thanks for the help!
|
Title:
RE: Function always return true
Name:
Ehsanul Haque
Date:
2009-12-09 5:01:13 AM
Comment:
Hello Mr. Javed,
I don't think the function is always returning true. After configuring the sample, open the test.asp and type username "cursor p1" and it will be blocked as the "cursor" is the blacklisted keyword. Similarly, if you write "abc" it will not block as it is not in the blacklist. Also see the relavant code below:
For Each s in BlackList
If(IsExceptionList(s,varType)=False) then
If ( InStr (lstr, s) <> 0 ) Then
CheckStringForSQL = true
Exit Function
End If
End If
Next
Where "lstr" is the string to check and "s" is the blacklisted keyword.
However, please check that the sample is configured correctly. Please let me know if I can help you anyway.
Thanks,
Ehsan
|
Title:
Function always return true
Name:
Javed Iqbal
Date:
2009-12-09 2:01:23 AM
Comment:
\
|
Title:
RE: 谢谢。
Name:
Ehsanul Haque
Date:
2009-12-05 6:40:15 AM
Comment:
Hi,
I don't know Chinese but I think you are looking for code sample. If it is true then please see the entire article here http://aspalliance.com/1703_SQL_Injection_in_Classic_ASP_and_Possible_Solutions.all
Also you can get the sample project by clicking on the Downloads link at the top or browse here http://aspalliance.com/1703_SQL_Injection_in_Classic_ASP_and_Possible_Solutions.all#Page6
Thanks,
Ehsan
|
Title:
Thank you
Name:
Stefan
Date:
2009-11-24 11:22:30 AM
Comment:
Thank you very much. I had some SQL injection problems and I implemented this, tested and it seems to hold up thus far.
Now I have to teach myself stored procedures along with some .net stuff. Thanks again.
|
Title:
:)
Name:
RJ
Date:
2009-01-13 2:04:18 AM
Comment:
good article. it really helps
|
|
|
|
|
|
