Wrox Programmer Forums
Classic ASP Professional For advanced coder questions in ASP 3. NOT for ASP.NET 1.0, 1.1, or 2.0.

You are currently viewing the Classic ASP Professional section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
August 19th, 2004, 01:44 AM
Authorized User
Join Date: May 2004
Posts: 14
Thanks: 0
Thanked 0 Times in 0 Posts
Script Injection in Sql Server

Hello
I need a little help in a case. I have dynamic SQL queries in my ASP.NET pages that create queries based on the user input. My search query is like

Code:
"Select * from tablename where fieldname like '"+Request.Form["textbox"]+"'";

It is a very stupid thing, I know that, but my application is small scale, and I don't want to use Access built-in queries or SQL Server stored procedures with that application.

I have also tried it with an ASP.NET prepared statement, but it only works with an exact match like Fieldname=value; with the 'like' clause this fails. My requirement is a solution that works with wildcard search as well as exact search.

Please help me to solve this problem.

Thank you
August 19th, 2004, 01:59 AM
Friend of Wrox
Join Date: Jul 2003
Posts: 683
Thanks: 0
Thanked 1 Time in 1 Post

You need to add wildcards to the like clause...

Code:
LIKE '%" + Request.Form["textbox"] + "%'
It would probably also be worth replacing any single quotes in the search criteria to prevent SQL errors.

HTH,

Chris

 
August 19th, 2004, 02:05 AM
Friend of Wrox
Join Date: Jun 2003
Posts: 2,480
Thanks: 0
Thanked 1 Time in 1 Post

Code:
"Select * from tablename where fieldname like '%"+Request.Form["textbox"]+"%'";

You should use % around the values when using the LIKE operator.

Hope that helps.
Cheers!

_________________________
- Vijay G
Strive for Perfection
 
August 19th, 2004, 03:58 AM
Authorized User
Join Date: May 2004
Posts: 14
Thanks: 0
Thanked 0 Times in 0 Posts

Thanks, I know that wildcards would help in searching, but the problem is that when the user enters the following chunk of code, ' or 1=1;--, it returns all the records in the database regardless of the where clause, because of that '" + var + "' situation.
Kindly consider it.

 
August 19th, 2004, 04:06 AM
Friend of Wrox
Join Date: Jul 2003
Posts: 683
Thanks: 0
Thanked 1 Time in 1 Post

Just replace single quotes with two single quotes, so if you get
Code:
' or 1=1
turn it into
Code:
'' or 1=1
before placing it in your query. This will give a query something like
Code:
Select * from tablename where fieldname like '%'' or 1=1%';
and it should run fine.

Cheers,

Chris

August 19th, 2004, 04:11 AM
Authorized User
Join Date: May 2004
Posts: 14
Thanks: 0
Thanked 0 Times in 0 Posts

I have tried it too, but for that I have to check the validity of the input on the server side. Please understand me, I don't want to check the validity of the input on the server side; I just want my query to always be okay so that nobody can break it. By the way, I have tested it as well, but when you give an empty field and submit, it gets all records, like in the script injection, so I have to validate the input on the server side, and I want to remove that hassle.
Thanks very much for your help.
August 20th, 2004, 03:41 AM
Friend of Wrox
Join Date: Jul 2003
Posts: 683
Thanks: 0
Thanked 1 Time in 1 Post

If you want to dynamically build queries in this way, you will have to use server-side validation, otherwise people will always be able to break your code.

Kind regards,

Chris
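As an added example that is not part of the thread and not any poster's code: the usual way to keep the query intact without hand-escaping quotes is to parameterise the LIKE clause and put the wildcards into the parameter value, escaping the user's own pattern characters. The connection string, and the tablename/fieldname placeholders taken from the thread, are assumptions.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class SafeLikeSearch
{
    // SQL Server treats %, _ and [ as pattern characters inside LIKE; prefix them
    // (and the escape character itself) so the user's text is matched literally.
    public static string EscapeLikeValue(string input)
    {
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            if (c == '%' || c == '_' || c == '[' || c == '\\')
                sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }
    // Wildcards go into the parameter VALUE, never into the SQL text, so input such
    // as ' or 1=1;-- is only ever compared as a string, not parsed as SQL.
    public static string BuildContainsPattern(string userText)
    {
        return "%" + EscapeLikeValue(userText) + "%";
    }
    // connectionString is assumed; tablename/fieldname are the placeholders from the
    // thread. An empty search box is rejected here rather than turned into '%%'.
    public static List<string> Search(string connectionString, string userText)
    {
        var results = new List<string>();
        if (string.IsNullOrWhiteSpace(userText))
            return results;
        const string sql =
            "SELECT fieldname FROM tablename WHERE fieldname LIKE @pattern ESCAPE '\\'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 4000).Value =
                BuildContainsPattern(userText.Trim());
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

For the exact-match case the same parameterised statement works with `fieldname = @value` and the raw text as the value, so one code path covers both searches the original question asked for.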