Bytes | Software Development & Data Engineering Community

SQL attack via IIS?

I am seeing log entries that have SQL statements embedded in the actual
forms.
Jul 19 '05 #1
It is an old hack... E.g.

Let us say you have a "dynamic SQL" which goes something like

formID = Request.Form("ID")                       ' untrusted value taken straight from the POST body
sSQL = "SELECT * from myTable WHERE Id=" & formID ' concatenated into the query text; Id is numeric, so there are no quotes to break out of

conn.Execute(sSQL)                                ' ADO sends the whole string, including any extra statements, to the server as one batch

Just imagine someone enters this: "5; DELETE FROM myTable"

the final SQL will be

SELECT * from myTable WHERE Id=5; DELETE FROM myTable

which is a valid SQL statement. The user would still need to know the table
names, but it is possible that the hacker might be able to delete system
tables.

To get around this, use stored procedures when possible, with parameters. At
the least, validate the input. Hope that helps.

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com
"Kevin Hill" <no****@nospam.com> wrote in message
news:IFmKb.28029$i55.13481@fed1read06...
I am seeing log entries that have SQL statements embedded in the actual
forms.

Jul 19 '05 #2
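The attack and the fix Manohar describes, as an added runnable example that is not part of the original thread. It uses Python's built-in sqlite3 as a stand-in for SQL Server/ADO: executescript() plays the role of conn.Execute, which runs every statement in the batch it is handed, and the table rows are constructed sample data (the post names only myTable and its Id column; the Name column is assumed). The three query functions show the post's concatenation bug, the same lookup with a bound parameter, and the parameter plus the "at the least, validate the input" check.

```python
import sqlite3

# Constructed sample data standing in for the post's "myTable" (assumed
# columns Id and Name; the original post names only the table and Id).
SAMPLE_ROWS = [(1, "alice"), (5, "bob"), (7, "carol")]


def fresh_db():
    """Return an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def table_rows(conn):
    """What is left in myTable, so the effect of each query can be checked."""
    return conn.execute("SELECT Id, Name FROM myTable ORDER BY Id").fetchall()


def vulnerable_query(conn, form_id):
    """The post's pattern: the form value is glued onto the SQL text.

    executescript() stands in for ADO's conn.Execute, which hands SQL Server a
    batch and runs every statement in it; that is what lets '5; DELETE ...' work.
    Returns the SQL that was actually sent, for inspection.
    """
    sql = "SELECT * FROM myTable WHERE Id=" + form_id
    conn.executescript(sql)
    return sql


def bound_query(conn, form_id):
    """Same lookup with a bound parameter.

    The value travels separately from the SQL text, so the database only ever
    compares it against Id; it is never parsed as SQL.
    """
    cur = conn.execute("SELECT Id, Name FROM myTable WHERE Id = ?", (form_id,))
    return cur.fetchall()


def validated_query(conn, form_id):
    """Validation plus binding: Id is numeric, so anything that is not a plain
    integer is rejected before it gets near the database."""
    if not form_id.strip().isdigit():
        raise ValueError("ID must be a non-negative integer, got %r" % form_id)
    return bound_query(conn, int(form_id))


if __name__ == "__main__":
    payload = "5; DELETE FROM myTable"

    conn = fresh_db()
    print("sent:", vulnerable_query(conn, payload))
    print("rows left after injection:", table_rows(conn))           # []

    conn = fresh_db()
    print("bound lookup with payload:", bound_query(conn, payload))  # []
    print("rows left:", table_rows(conn))                            # all three rows
    print("validated lookup with '5':", validated_query(conn, "5"))  # [(5, 'bob')]
    try:
        validated_query(conn, payload)
    except ValueError as exc:
        print("rejected:", exc)
```

Binding alone already defeats the payload (the whole string is compared against Id and matches nothing, and the table is untouched); the validation step is what turns a silent empty result into an error you can log. On classic ASP the equivalent of the bound form is an ADODB.Command whose Parameters collection carries the value, either against a parameterised statement or a stored procedure, instead of building the string for conn.Execute.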

Check this link out
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

Mike
Jul 19 '05 #3
