
How can SQL injection attacks compromise ADODB Connections?

Expert 100+
P: 145
We all know SQL injection attacks can easily break SQL command strings concatenated with unsanitized user input fields:

set commandObj = Server.CreateObject("ADODB.Connection")
set rs = Server.CreateObject("ADODB.Recordset")

commandObj.ConnectionString = myGenericConnectionString
commandObj.Open

' The raw form field values are pasted straight into the SQL text
sqlCMD = "INSERT INTO myTable (item,cost) VALUES ('" & request.Form.Item("txtMyHTML_Field1") & "', " & request.Form.Item("txtMyHTML_Field2") & ");"

set rs = commandObj.Execute(sqlCMD)

But I want to know whether it is possible to use an SQL injection attack against a statement like this:

set commandObj = Server.CreateObject("ADODB.Connection")
set rs = Server.CreateObject("ADODB.Recordset")

commandObj.ConnectionString = myGenericConnectionString
commandObj.Open

' Open the table directly: CursorType 2 = adOpenDynamic, LockType 2 = adLockPessimistic
rs.Open "[myTable]", commandObj, 2, 2

' The form field values are assigned to the record's fields, not to SQL text
rs.AddNew
rs.Fields("item").Value = request.Form.Item("txtMyHTML_Field1")
rs.Fields("cost").Value = request.Form.Item("txtMyHTML_Field2")
rs.Update

My theory is that the above statement is not vulnerable to injection, regardless of the input field value, because the values are stored directly to the field without using dangerous risky string concatenation.

Am I right?
Jun 26 '08 #1
2 Replies


DrBunchman
Expert 100+
P: 979
I don't know this for certain but because the method above is assigning values to specific data types rather than passing SQL to the database I would have thought that it would protect your db from sql injections.

You could still validate your input against attacks to be safe though.

Jared, got any thoughts on this?

Dr B
Jul 1 '08 #2

jhardman
Expert 2.5K+
P: 3,405
I don't know this for certain but because the method above is assigning values to specific data types rather than passing SQL to the database I would have thought that it would protect your db from sql injections.

You could still validate your input against attacks to be safe though.

Jared, got any thoughts on this?

Dr B
This is the method I generally use; I think it's easier to keep track of what you are doing, I think it keeps the code cleaner, and I think it probably is safer. I can't think of any injection here that wouldn't just return an error.

On the other hand, it would probably still be a good idea to sanitize a little bit. We don't want anyone slipping a "drop table" past us, right?

Jared
Jul 1 '08 #3
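As an added illustration (not code from this thread), the same contrast in Python's sqlite3 module: the concatenated INSERT from the first snippet beside a parameter-bound insert, which is the role the Recordset's AddNew/Update path (or ADODB.Command parameters) plays in classic ASP. Python, sqlite3 and the sample input are assumptions; only the table and column names come from the thread.

```python
import sqlite3

# Constructed sample form input: the "drop table" case jhardman mentions.
HOSTILE_ITEM = "widget', 0); DROP TABLE myTable; --"

def fresh_db():
    """In-memory database holding the thread's two-column table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (item TEXT, cost REAL)")
    return conn

def insert_concatenated(conn, item, cost):
    """Mirrors the first ASP snippet: form fields are pasted into the SQL text."""
    sql = "INSERT INTO myTable (item,cost) VALUES ('" + item + "', " + str(cost) + ")"
    # executescript runs a batch of statements, as SQL Server does for a single
    # ADODB Execute call; sqlite3's plain execute() would refuse the batch.
    conn.executescript(sql)

def insert_bound(conn, item, cost):
    """Plays the role of rs.AddNew / rs.Fields("item") = value / rs.Update:
    the field value reaches the driver as data and is never parsed as SQL."""
    conn.execute("INSERT INTO myTable (item, cost) VALUES (?, ?)", (item, cost))
    conn.commit()

def table_exists(conn):
    row = conn.execute("SELECT count(*) FROM sqlite_master "
                       "WHERE type='table' AND name='myTable'").fetchone()
    return row[0] == 1

def stored_items(conn):
    return [r[0] for r in conn.execute("SELECT item FROM myTable")]

def outcome(insert_fn, item, cost=9.99):
    """Run one insert style against a fresh table and report what happened."""
    conn = fresh_db()
    try:
        insert_fn(conn, item, cost)
        error = None
    except sqlite3.Error as exc:
        error = str(exc)
    survived = table_exists(conn)
    return {"error": error, "table_survived": survived,
            "stored": stored_items(conn) if survived else []}

if __name__ == "__main__":
    print("concatenated:", outcome(insert_concatenated, HOSTILE_ITEM))
    print("bound:       ", outcome(insert_bound, HOSTILE_ITEM))
```

Binding protects only this statement: a table name in rs.Open taken from the request, or later code that concatenates the stored value into another query, is still exposed, which is why the advice above to validate input still has a point.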
