Bytes | Software Development & Data Engineering Community

How can SQL injection attacks compromise ADODB Connections?

We all know SQL injection attacks can easily break SQL command strings concatenated with unsanitized user input fields:

    set commandObj = Server.CreateObject("ADODB.Connection")
    set rs = Server.CreateObject("ADODB.Recordset")

    commandObj.ConnectionString = myGenericConnectionString
    commandObj.Open

    ' the raw form values are spliced straight into the SQL text (injectable)
    sqlCMD = "INSERT INTO myTable (item,cost) VALUES ('" & request.Form.Item("txtMyHTML_Field1") & "', " & request.Form.Item("txtMyHTML_Field2") & ");"

    ' Execute returns a Recordset object, so the assignment needs Set
    set rs = commandObj.Execute(sqlCMD)
But I want to know whether it is possible to use an SQL injection attack against a statement like this:

    set commandObj = Server.CreateObject("ADODB.Connection")
    set rs = Server.CreateObject("ADODB.Recordset")

    commandObj.ConnectionString = myGenericConnectionString
    commandObj.Open

    ' open the table directly: CursorType 2 = adOpenDynamic, LockType 2 = adLockPessimistic
    rs.Open "[myTable]", commandObj, 2, 2

    ' the form values are assigned to the fields of a new row, not to SQL text
    rs.AddNew
    rs.Fields("item") = request.Form.Item("txtMyHTML_Field1")
    rs.Fields("cost") = request.Form.Item("txtMyHTML_Field2")
    rs.Update

My theory is that the above statement is not vulnerable to injection, regardless of the input field value, because the values are stored directly in the field without using dangerous, risky string concatenation.

Am I right?
Jun 26 '08 #1
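For comparison with the two snippets in the question, here is an added example (not code from the original post) of the same INSERT written with ADODB.Command and typed parameters. It assumes the same myGenericConnectionString variable, defined elsewhere in the page or an include, and a table myTable with a text column item and a currency column cost. The point it illustrates is the one the question is circling: once a value travels to the provider as a bound parameter (or, equivalently, as a Recordset field assignment) rather than as part of the SQL text, a quote or semicolon in the input is stored as characters in the row and is never parsed as SQL. The numeric field is still type-checked first so that bad input fails early with a clear message instead of a provider conversion error.

```vbscript
<%
' Added example: parameterised INSERT via ADODB.Command (assumed names:
' myGenericConnectionString, myTable(item varchar, cost money)).

' ADO constants, normally supplied by adovbs.inc; repeated here so the
' page works without that include.
Const adCmdText    = 1
Const adVarChar    = 200
Const adCurrency   = 6
Const adParamInput = 1

' Validation for the numeric field. ADO binds whatever it is handed as
' data, so this is not what stops injection; it just rejects nonsense
' (letters, negative prices) before we touch the database.
Function IsValidCost(value)
    IsValidCost = False
    If IsNumeric(value) Then
        If CDbl(value) >= 0 Then IsValidCost = True
    End If
End Function

Dim conn, cmd, itemValue, costValue
itemValue = Request.Form.Item("txtMyHTML_Field1")
costValue = Request.Form.Item("txtMyHTML_Field2")

If Not IsValidCost(costValue) Then
    Response.Write "Invalid cost value."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString = myGenericConnectionString
conn.Open

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The SQL text is a fixed literal; each ? is a placeholder the provider
' fills from the parameter collection, so no user input ever becomes SQL.
cmd.CommandText = "INSERT INTO myTable (item, cost) VALUES (?, ?)"

' Parameters are appended in placeholder order and carry an explicit type
' and length. itemValue is sent as a 255-character string, costValue as a
' currency value that has already been converted with CCur.
cmd.Parameters.Append cmd.CreateParameter("@item", adVarChar, adParamInput, 255, itemValue)
cmd.Parameters.Append cmd.CreateParameter("@cost", adCurrency, adParamInput, , CCur(costValue))

cmd.Execute

conn.Close
Set cmd = Nothing
Set conn = Nothing
%>
```

The Recordset AddNew/Fields path in the question and this Command/Parameters path end up in the same place: the provider receives the values as typed data separate from the statement. The Command form has the advantage that the statement itself is visible in the code, which makes it easier to review than a table-level cursor open.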
DrBunchman
I don't know this for certain, but because the method above is assigning values to specific data types rather than passing SQL to the database, I would have thought that it would protect your DB from SQL injections.

You could still validate your input against attacks to be safe though.

Jared, got any thoughts on this?

Dr B
Jul 1 '08 #2
jhardman
> I don't know this for certain, but because the method above is assigning values to specific data types rather than passing SQL to the database, I would have thought that it would protect your DB from SQL injections.
>
> You could still validate your input against attacks to be safe though.
>
> Jared, got any thoughts on this?
>
> Dr B
This is the method I generally use. I think it's easier to keep track of what you are doing, I think it keeps the code cleaner, and I think it probably is safer. I can't think of any injection here that wouldn't just return an error.

On the other hand, it would probably still be a good idea to sanitize a little bit. We don't want anyone slipping a "drop table" past us, right?

Jared
Jul 1 '08 #3
