Bytes IT Community

Query string variables security risk

I have a question regarding the use of query string variables. I understand
this can be a security risk subject to "brute force" attacks. Is this true
and, if so, what is the proper way to handle it? Should they never be used?
Apr 5 '06 #1


Thirsty Traveler wrote:
I have a question regarding the use of query string variables. I understand
this can be a security risk subject to "brute force" attacks. Is this true
and, if so, what is the proper way to handle it? Should they never be used?

I don't think query string is necessarily a security risk on its own.
Form fields are going to be vulnerable to the same kind of brute forcing
as the query string.

One thing that makes the query string a little less secure is that
browsers will store it in their history. Don't use the query string for
usernames and passwords.

The query string isn't a good place to store variables. If you can
store data in the session or viewstate that would be a much better location.

And, in general, never trust anything from the browser.

-David
Apr 5 '06 #2

Thirsty Traveler wrote:
I have a question regarding the use of query string variables. I understand
this can be a security risk subject to "brute force" attacks. Is this true
and, if so, what is the proper way to handle it? Should they never be used?


Just use stored procedures instead of in-line SQL statements, and
you'll probably be alright. Like the guy above me said, just don't use
query strings for sensitive data.

Apr 5 '06 #3

We use stored procedures extensively. I am being told that any query string
variables have the potential to break a site and cause server errors.

"KBuser" <Ky********@gmail.com> wrote in message
news:11**********************@u72g2000cwu.googlegroups.com...

Thirsty Traveler wrote:
I have a question regarding the use of query string variables. I understand
this can be a security risk subject to "brute force" attacks. Is this true
and, if so, what is the proper way to handle it? Should they never be used?


Just use stored procedures instead of in-line SQL statements, and
you'll probably be alright. Like the guy above me said, just don't use
query strings for sensitive data.

Apr 5 '06 #4

Again, it depends on what data your query strings represent, but if you
look around at various websites, amazon for instance, there are many
different sites which use query strings.

As far as breaking a site goes, if the use of a query string causes
your site to go down for any period of time, you've probably done
something horribly wrong.

What are you going to be using these strings for?

Apr 6 '06 #5

Thus wrote KBuser,
Thirsty Traveler wrote:
I have a question regarding the use of query string variables. I
understand this can be a security risk subject to "brute force"
attacks. Is this true and, if so, what is the proper way to handle
it? Should they never be used?

Just use stored procedures instead of in-line SQL statements, and
you'll probably be alright.

[...]

That has nothing to do with Stored Procedures.

You need to make sure that you're not constructing SQL statements by simple
string concatenation, but use parameters instead when using Dynamic SQL.

Cheers,
--
Joerg Jooss
ne********@joergjooss.de
Apr 6 '06 #6

Right, I mentioned using stored procedures for the simple reason of
parameters. While I'm aware you can use params without stored procs, if
my understanding is correct, SPs are less vulnerable to injection
attacks, and other such security risks.

Joerg Jooss wrote:
Thus wrote KBuser,
Thirsty Traveler wrote:
I have a question regarding the use of query string variables. I
understand this can be a security risk subject to "brute force"
attacks. Is this true and, if so, what is the proper way to handle
it? Should they never be used?

Just use stored procedures instead of in-line SQL statements, and
you'll probably be alright.

[...]

That has nothing to do with Stored Procedures.

You need to make sure that you're not constructing SQL statements by simple
string concatenation, but use parameters instead when using Dynamic SQL.

Cheers,
--
Joerg Jooss
ne********@joergjooss.de


Apr 9 '06 #7

You can't really trust any data that comes from an external source, and
that includes data submitted on the querystring or posted in a form.
Both are easy to spoof. It's fine to use the querystring, but make
sure you check and validate the data before using it, and make sure
unexpected values won't break your application, or worse, cause a
security problem.

A common example of the problem with this is the SQL injection attack.
For example, consider:

string sql = "SELECT * FROM people WHERE name='" +
Request.QueryString["name"] + "'";

What if the value of your name parameter is "; DELETE from people;"?
Then the user has just deleted all the data from your people table.

HTH,

Chris

Apr 9 '06 #8
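The string concatenation Chris shows, side by side with the bound-parameter form Joerg recommends, as an added example that is not from the thread. It uses Python with an in-memory sqlite3 database as a stand-in for the ASP.NET/SQL Server setup; the people table, its rows and the hostile input strings are constructed here.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the thread's people table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO people (name, ssn) VALUES (?, ?)",
        [("alice", "111-11-1111"), ("bob", "222-22-2222"), ("carol", "333-33-3333")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the request value is pasted into the SQL text, exactly
    like the C# snippet in the thread. Whatever quotes and keywords the
    caller sends become part of the statement the database parses."""
    sql = "SELECT name FROM people WHERE name='" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Safe: the value is sent as a bound parameter, so the database only
    ever sees it as a string literal, never as SQL."""
    sql = "SELECT name FROM people WHERE name=?"
    return [row[0] for row in conn.execute(sql, (name,))]


def count_people(conn):
    """Row count, used to show the table survives a hostile parameter."""
    return conn.execute("SELECT COUNT(*) FROM people").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: one honest name and two hostile query string values.
    tautology = "' OR '1'='1"
    stacked = "'; DELETE FROM people; --"   # Chris's payload from the thread
    print(lookup_concat(db, "alice"))       # one row, as intended
    print(lookup_concat(db, tautology))     # every row leaks
    print(lookup_param(db, tautology))      # no row is literally named that
    print(lookup_param(db, stacked))        # still no row, table untouched
    print(count_people(db))
```

The sqlite3 driver refuses stacked statements in execute(), so the DELETE payload raises an error on the concatenated path here; on a server that accepts multiple statements per batch it would run, which is the case Chris describes.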
