When building a website that connects to a SQL database
(i.e. Microsoft Access or SQL Server) it is of crucial importance that care is
taken to be aware of SQL Injection Attacks. These typically occur when the
website allows the website user to enter content through online forms
(particularly textboxes). However, the lack of strong variable typing in
classic ASP means that any variable that is retrieved from the user's browser
can be vulnerable to being used in a SQL injection attack. At the very least,
it would allow the user to perhaps login to a website without needing to know a
username and/or password. Depending on the security settings in the website's
database, they may even be able to delete data or execute arbitrary system
commands on the machine hosting the database server.
Classic ASP is particularly vulnerable to SQL injection attacks.
For example, a web page that retrieves a particular record from a database
table row by retrieving the row's primary key from the querystring can be
potentially used in a SQL injection attack. If the user visits a URL, such as
http://www.ajobwebsite.com/jobs/showjob.asp?JobID=12227, then they may be able
to append a certain sequence of characters to the end of the JobID in order to
force a SQL injection attack. Fortunately, this particular SQL injection
attack can be mitigated by ensuring that showjob.asp converts the JobID query
string parameter to a number by using the Cint()
function in VBScript or Math.round() in JScript.
Ideally, all user input derived from query string parameters
and form fields should be cleansed in order to remove any characters that do
not need to be present in a particular variable. For example, a number field
should only contain numbers. Using the VBScript Replace function can easily
achieve this. Particular care should be taken to remove single quotes or
dashes from user input, unless they are specifically needed in a particular
variable (for a person's name). Single quotes should also be converted to
double quotes before the variable is used in a SQL statement.
There are two other ways of minimizing the chance of SQL injection
attacks occurring. The first is to use stored procedures to carry out all
database queries, rather than constructing SQL statements in the web page
itself. The second is to use the ADO or ADO.NET Command object to carry out
database connectivity. An article on ASPAlliance shows further details of
this: http://aspalliance.com/385.
Finally, on an SQL Server, using a dedicated database user
with the minimum set of permissions required will prevent a malicious user from
being able to do too much, should they discover a way of performing SQL
injection attacks against the database.
If you would like to know more about the dangers of SQL
injection attacks, as well as information about some of the other dangers
facing websites, then the NGS Software website has some useful whitepapers -
see http://www.ngssoftware.com. Of
particular note are the whitepapers on SQL injection attacks: "Advanced
SQL Injection in SQL Server Applications," http://www.ngssoftware.com/papers/advanced_sql_injection.pdf,
"(more) Advanced SQL Injection", http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
and "Writing Secure ASP Scripts," http://www.ngssoftware.com/papers/asp.pdf.