Old August 19th, 2004, 01:44 AM
Authorized User
Script Injection in SQL Server

Hello
I need a little help in a case. I have dynamic SQL queries in my ASP.NET pages that build queries relevant to the user input. My search query is like

"Select * from tablename where fieldname like '" + Request.Form["textbox"] + "'";

It is a very stupid thing, I know that, but my application is small scale; I don't want to use Access built-in queries or SQL Server stored procedures with that application.

I have also tried it with an ASP.NET prepared statement, but it only works with an exact match like Fieldname=value; with the 'like' clause this thing fails. My requirement is a solution that works with wildcard search as well as exact search.

Please help me to solve this problem.

Thank you
Old August 19th, 2004, 01:59 AM
Friend of Wrox

You need to add wildcards to the like clause...

Code:
LIKE '%" + Request.Form["textbox"] + "%'
It would probably also be worth replacing any single quotes in the search criteria to prevent SQL errors.

HTH,

Chris

Old August 19th, 2004, 02:05 AM
Friend of Wrox

"Select * from tablename where fieldname like '%" + Request.Form["textbox"] + "%'";

You should use % around the values, when using LIKE operator.

Hope that helps.
Cheers!

_________________________
- Vijay G
Strive for Perfection
Old August 19th, 2004, 03:58 AM
Authorized User

Thanks, I know that wildcards would help in searching, but the problem is that when the user enters the following chunk of code, ' or 1=1;--, it returns all the records in the database regardless of the where clause, because of that '" + var + "' situation.
Kindly consider it.

Old August 19th, 2004, 04:06 AM
Friend of Wrox

Just replace single quotes with two single quotes, so if you get
Code:
' or 1=1
turn it into
Code:
'' or 1=1
before placing it in your query. This will give a query something like...
Code:
Select * from tablename where fieldname like '%'' or 1=1%';
and should run fine.

Cheers,

Chris

Old August 19th, 2004, 04:11 AM
Authorized User

I have tried it too, but for that I have to check the validity of the input on the server side. But please understand me, I don't want to check the validity of the input at the server side; I just want my query to always be okay so that nobody can break it. By the way, I have tested it also, but when you give an empty field and submit, it gets all records, like in the script injection, so I have to validate the input at the server side, but I want to remove that hassle.
Thanks very much for your help.

Old August 20th, 2004, 03:41 AM
Friend of Wrox

If you want to dynamically build queries in this way, you will have to use server-side validation, otherwise people will always be able to break your code.

Kind regards,

Chris
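The first post says a prepared statement "fails" with LIKE, and the later posts try to fix the concatenated query by doubling quotes. The following C# is an added example, not code from any poster in this thread: it keeps LIKE and the wildcard search but sends the text box value to SQL Server as a parameter, so the ' or 1=1;-- input from post #4 is compared as data rather than executed. The table and column names are the placeholders from the first post; the connection string variable connStr is assumed.

```csharp
// Added example (not from the thread): wildcard search with a parameterised
// LIKE. Assumes table "tablename" / column "fieldname" from the first post
// and a connection string supplied by the caller (connStr, hypothetical).
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class SafeLikeSearch
{
    // Escape the characters SQL Server's LIKE treats specially, so a user
    // typing "50%" searches for the literal text "50%". The opening square
    // bracket must be handled too, because [a-z] is a LIKE range.
    public static string EscapeLikePattern(string input)
    {
        return input.Replace("\\", "\\\\")
                    .Replace("%", "\\%")
                    .Replace("_", "\\_")
                    .Replace("[", "\\[");
    }

    public static List<string> Search(string connStr, string userText)
    {
        var results = new List<string>();

        // An empty search box would become the pattern "%%" and match every
        // row (the behaviour post #6 describes), so reject it before querying.
        if (string.IsNullOrEmpty(userText))
            return results;

        // The % wildcards live in the parameter VALUE, not in the SQL text,
        // which is why LIKE works with a prepared statement. Whatever the
        // user typed (quotes, semicolons, comment markers) is data, not SQL.
        const string sql =
            "SELECT fieldname FROM tablename " +
            "WHERE fieldname LIKE @pattern ESCAPE '\\'";

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
                "%" + EscapeLikePattern(userText) + "%";
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

An exact-match search is the same call with the % characters left off the parameter value; the SQL text never changes either way.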