July 3rd, 2003, 03:41 PM
taliesin
Security: Preventing SQL Injection

I have been reading some articles on the methods used in SQL Injection to compromise the security of a database. At first I believed I was safe, since I do not allow the user to enter a parameter value (select boxes only)...Well, there is the login screen, but I am working on safeguarding the username and password fields now.

However, I realized that a hacker could just make their own .asp script with editable text fields of the same "name" attribute as my select boxes. Then call my database with their own doctored "parameters" (basically converting the parameters into SQL injection queries). Note that I am using stored, parameterized procedures (queries predefined in my DB) for all my DB queries.

It occurred to me that I could try to implement some Lock() and Unlock() style functions to tie my pages together. So, in the first page call Lock() which generates a number on the server and sets an Application or Session variable. In the next page, the first thing I would do is try to Unlock() the page. So, the Unlock() function would try to validate a script as being my own by comparing it to a number or file, or successfully performing a server operation that only a native script could do.

I am new to ASP and could use some ideas on implementing such a mechanism in a *secure* manner. For example, I believe I read somewhere that Session variables are stored as hidden cookies or some such on the user's machine, so thus could not be used to implement this idea.

Perhaps I don't need a lock variable of any kind, but just change Unlock() to be something more like ValidatePageSource() which performs a server operation that a foreign script would fail, perhaps a local disk operation? To implement this I would need to be able to force every page to verify that the calling page successfully called ValidatePageSource().

Anyone have some ideas on how to implement this? I am sorry if my idea is ridiculous or noobish :) If it is, just let me know...politely.
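The scenario the post describes (an attacker posting their own form with the same field names) is worth seeing end to end. The following is an added example, not code from the poster or from any project; it uses Python with an in-memory SQLite database as a stand-in for the ASP page calling a SQL Server stored procedure, and the table contents, field names and the `handle_request` helper are constructed for illustration. It shows three things: a query built by string concatenation is exploitable no matter what the original HTML form looked like, a parameterized query binds the same hostile value as plain data, and a server-side allow-list of the values a real select box could have sent rejects the doctored request before it reaches the database at all.

```python
import sqlite3

# Constructed sample catalogue standing in for the poster's database.
SAMPLE_ROWS = [
    ("books", "ASP in a Nutshell"),
    ("books", "SQL Server Unleashed"),
    ("music", "Kind of Blue"),
    ("video", "Hackers"),
]

# Every value a legitimate <select> on the real page can submit.
# The select box in the browser is only a convenience; this server-side
# list is the authoritative one, because the attacker's own form can
# submit anything under the same field name.
ALLOWED_CATEGORIES = frozenset(row[0] for row in SAMPLE_ROWS)


def build_db():
    """Create the constructed in-memory database used by the examples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (category TEXT, title TEXT)")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def products_unsafe(conn, category):
    """String concatenation: whatever was posted is parsed as SQL.

    A value such as  x' UNION SELECT name || ':' || password FROM users --
    turns a catalogue lookup into a dump of the users table."""
    sql = ("SELECT title FROM products WHERE category = '"
           + category + "' ORDER BY title")
    return [row[0] for row in conn.execute(sql)]


def products_safe(conn, category):
    """Parameterized query: the value is bound as data, never parsed as SQL.

    This is the same property an ADO parameterized stored procedure gives
    the ASP page; the hostile string above simply matches no category."""
    rows = conn.execute(
        "SELECT title FROM products WHERE category = ? ORDER BY title",
        (category,),
    )
    return [row[0] for row in rows]


def handle_request(conn, form):
    """Server-side handler for the posted form (hypothetical helper).

    `form` holds the submitted fields, e.g. {'category': 'books'}. Every
    value in it is attacker-controlled, regardless of which page or script
    produced the form, so the check happens here and not in the HTML."""
    category = form.get("category", "")
    if category not in ALLOWED_CATEGORIES:
        # Allow-list check: a real select box could never have sent this.
        return {"ok": False, "error": "invalid category"}
    return {"ok": True, "titles": products_safe(conn, category)}


if __name__ == "__main__":
    db = build_db()
    payload = "x' UNION SELECT name || ':' || password FROM users --"
    print("unsafe:", products_unsafe(db, payload))   # leaks admin:s3cret
    print("safe:  ", products_safe(db, payload))     # []
    print("handler:", handle_request(db, {"category": payload}))
    print("handler:", handle_request(db, {"category": "music"}))
```

Note that the allow-list check and the parameterized query do not depend on where the request came from, so no Lock()/Unlock() handshake between pages is needed to get this protection; the same pattern applies to the login fields. In classic ASP the parameterized call is an ADODB.Command with CommandType set to adCmdStoredProc and each value appended via cmd.CreateParameter, which is what the stored, parameterized procedures the post already mentions provide.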