Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion GroupsGeneralPHPASPPerlColdFusionFlashHTML, CSS, ScriptsBrowsers

Webmaster Forum / ASP / Database Access / May 2008


Tip: Looking for answers? Try searching our database.

Need help you sql injection proof queries

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Adrienne Boswell - 21 May 2008 20:48 GMT
Using MS SQL server version 8 sp 3, and I need help with converting my
dynamic queries into parameterized queries and/or injection proof
stored procedures.

Here is an example of what I currently do:
set rs = createobject("ADODB.Recordset")
sql = "SELECT DISTINCT city.id AS cityid, city_name AS city, state_id
AS
st FROM city,
zipcode wHERE zipcode.id IN ( SELECT id FROM zipcode WHERE zipcode =
'91205') AND
city.id = zipcode.city_id"

rs.open sql, oconn
'get records
rsarr = rs.getrows
rs.close
set rs = nothing
oconn.close
set oconn = nothing

I really appreciate this as we have been hit with the recent asprox
botnet injection.

--
Adrienne Boswell at work
Please resond so others can share
Reply to this Message
Bob Barrows [MVP] - 21 May 2008 21:18 GMT
> Using MS SQL server version 8 sp 3, and I need help with converting my
> dynamic queries into parameterized queries and/or injection proof
[quoted text clipped - 19 lines]
> I really appreciate this as we have been hit with the recent asprox
> botnet injection.

? I see nothing here that would leave you vulnerable to sql injection -
everything is hard-coded: no concatenating user input.
Also, it's a very strange looking query: I'm really puzzled as to the
purpose of that IN () statement. And the DISTINCT seems unnecessary as
well.

Is the zip code supposed to vary based on user input? If so, if you
wanted to avoid stored procedures for some reason, you should do this:

dim zip
zip=request.form("zip") 'or wherever you're getting it
sql = "SELECT c.id cityid, city_name city, state_id st " & _
"FROM city c inner join zipcode z on c.id=z.city_id " & _
"WHERE z.zipcode = ?"
set cmd=createobject("adodb.command")
cmd.commandtype = 1 'adCmdText
cmd.commandtext = sql
set cmd.activeconnection = oconn
set rs=cmd.execute(,array(zip))
if not rs.eof then rsarr = rs.getrows
'etc.

Of course I prefer stored procedures. In your database, run this script:

CREATE PROCEDURE CityDataSpecifiedZip (
@zip    varchar(6)) AS
SELECT c.id cityid, city_name city, state_id st
FROM city c inner join zipcode z on c.id=z.city_id
WHERE z.zipcode = @zip

Then you can do this in vbscript:
dim zip
zip=request.form("zip") 'or wherever you're getting it
set rs = createobject("ADODB.Recordset")
oconn.CityDataSpecifiedZip zip, rs
if not rs.eof then rsarr = rs.getrows
etc.

Signature

Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Reply to this Message
Adrienne Boswell - 21 May 2008 21:29 GMT
On May 21, 1:18 pm, "Bob Barrows [MVP]" <reb01...@NOyahoo.SPAMcom>
wrote:
> > Using MS SQL server version 8 sp 3, and I need help with converting my
> > dynamic queries into parameterized queries and/or injection proof
[quoted text clipped - 57 lines]
> if not rs.eof then rsarr = rs.getrows
> etc.

Bob, if I have not told you recently, I love you dearly, and if you
are a father (even if you're not), Happy Father's Day!

That's exactly the help I was looking for.  Thank you, thank you,
thank you.

--
Adrienne Boswell at work
Please respond to the group so others can share
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2009 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.