How can SQL injection attacks compromise ADODB Connections?

We all know SQL injection attacks can easily break SQL command strings concatenated with unsanitized user input fields:

    Set commandObj = Server.CreateObject("ADODB.Connection")
    Set rs = Server.CreateObject("ADODB.Recordset")

    commandObj.ConnectionString = myGenericConnectionString
    commandObj.Open

    ' The raw form values are spliced into the SQL text itself
    sqlCMD = "INSERT INTO myTable (item, cost) VALUES ('" & Request.Form.Item("txtMyHTML_Field1") & "', " & Request.Form.Item("txtMyHTML_Field2") & ");"

    Set rs = commandObj.Execute(sqlCMD)
But I want to know is it possible to use an SQL injection attack against a statement like this:

    Set commandObj = Server.CreateObject("ADODB.Connection")
    Set rs = Server.CreateObject("ADODB.Recordset")

    commandObj.ConnectionString = myGenericConnectionString
    commandObj.Open

    ' adOpenDynamic (2), adLockPessimistic (2): an updatable cursor on the table
    rs.Open "[myTable]", commandObj, 2, 2

    ' The form values are assigned to typed fields; no SQL text is built here
    rs.AddNew
    rs.Fields("item") = Request.Form.Item("txtMyHTML_Field1")
    rs.Fields("cost") = Request.Form.Item("txtMyHTML_Field2")
    rs.Update

My theory is that the above statement is not vulnerable to injection, regardless of the input field value, because the values are stored directly to the field without using dangerous risky string concatenation.

Am I right?
Jun 26 '08 #1
DrBunchman
I don't know this for certain but because the method above is assigning values to specific data types rather than passing SQL to the database I would have thought that it would protect your db from sql injections.

You could still validate your input against attacks to be safe though.

Jared, got any thoughts on this?

Dr B
Jul 1 '08 #2
jhardman
> I don't know this for certain but because the method above is assigning values to specific data types rather than passing SQL to the database I would have thought that it would protect your db from sql injections.
>
> You could still validate your input against attacks to be safe though.
>
> Jared, got any thoughts on this?
>
> Dr B
This is the method I generally use. I think it's easier to keep track of what you are doing, I think it keeps the code cleaner, and I think it probably is safer. I can't think of any injection here that wouldn't just return an error.

On the other hand, it would probably still be a good idea to sanitize a little bit. We don't want anyone slipping a "drop table" past us, right?

Jared
Jul 1 '08 #3
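The distinction the thread turns on, that values handed to the driver as typed data cannot change the statement the way values glued into SQL text can, is easy to see in a runnable contrast. The following is an added example in Python, not ASP code from the thread or from either poster: sqlite3's parameter binding stands in for the Recordset AddNew path (and for ADODB.Command parameters, the explicit-SQL equivalent in ADO), the table and the sample form values are constructed, and the `validate` function is a hypothetical version of the extra check both replies recommend.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed sample form values (not from the thread). The apostrophe is the
# everyday case that breaks concatenated SQL; the third item contains SQL-looking
# text so we can see what each path does with it; the fourth has a bad cost.
SAMPLE_FORM_VALUES = [
    ("widget", "2.50"),
    ("O'Brien's widget", "3.00"),
    ("widget'); SELECT 'x'; --", "1.00"),
    ("gadget", "free"),   # non-numeric cost: a validation problem, not injection
]


def fresh_db():
    """In-memory stand-in for the ASP page's database (sqlite3 instead of ADO)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (item TEXT NOT NULL, cost REAL NOT NULL)")
    return conn


def build_concatenated_sql(item, cost):
    """Same shape as the question's first snippet: raw form values glued into SQL text."""
    return "INSERT INTO myTable (item, cost) VALUES ('" + item + "', " + cost + ")"


def insert_concatenated(conn, item, cost):
    """Executes the concatenated statement, as the first snippet does."""
    conn.execute(build_concatenated_sql(item, cost))


def insert_parameterized(conn, item, cost):
    """Analogue of the Recordset AddNew path: the statement text is fixed and the
    values travel to the driver as data, so quotes in them are just characters."""
    conn.execute("INSERT INTO myTable (item, cost) VALUES (?, ?)", (item, float(cost)))


def validate(item, cost, max_item_len=100):
    """Hypothetical pre-storage check: enforce a length on item and a non-negative
    numeric cost. This is about data quality; it is not what prevents injection."""
    if not item or len(item) > max_item_len:
        return False
    try:
        return Decimal(cost) >= 0
    except InvalidOperation:
        return False


def attempt(insert_fn, item, cost):
    """Run one insert on a fresh database.
    Returns ('ok', stored_item) or ('error', exception_class_name)."""
    conn = fresh_db()
    try:
        insert_fn(conn, item, cost)
    except (sqlite3.Error, sqlite3.Warning, ValueError) as exc:
        # sqlite3 reports a second statement as Error or Warning depending on version
        return ("error", type(exc).__name__)
    stored = conn.execute("SELECT item FROM myTable").fetchone()[0]
    return ("ok", stored)


def compare(form_values=SAMPLE_FORM_VALUES):
    """For each input: outcome of concatenation, outcome of binding, validation verdict."""
    return {
        item: {
            "concatenated": attempt(insert_concatenated, item, cost),
            "parameterized": attempt(insert_parameterized, item, cost),
            "passes_validation": validate(item, cost),
        }
        for item, cost in form_values
    }


if __name__ == "__main__":
    for item, outcome in compare().items():
        print(repr(item))
        for name, value in outcome.items():
            print("   ", name, "->", value)
```

Running it shows the three things the replies were reaching for: the concatenated path fails on an ordinary apostrophe and turns the third input into more than one statement, the bound path stores every string exactly as typed (including the SQL-looking one, which is now just a row value), and the type check rejects the non-numeric cost on both paths. Note that `validate` happily passes the SQL-looking item, which is the reason the replies are right to treat validation as a supplement to, not a replacement for, keeping user data out of the statement text.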