
Query string variables security risk

I have a question regarding the use of query string variables. I understand
this can be a security risk subject to "brute force" attacks. Is this true
and, if so, what is the proper way to handle it? Should they never be used?
Apr 5 '06 #1
Thirsty Traveler wrote:
I have a question regarding the use of query string variables. I understand
this can be a security risk subject to "brute force" attacks. Is this true
and, if so, what is the proper way to handle it? Should they never be used?

I don't think query string is necessarily a security risk on its own.
Form fields are going to be vulnerable to the same kind of brute forcing
as the query string.

One thing that makes the query string a little less secure is that
browsers will store it in their history. Don't use the query string for
usernames and passwords.

The query string isn't a good place to store variables. If you can
store data in the session or viewstate that would be a much better location.

And, in general, never trust anything from the browser.

-David
Apr 5 '06 #2
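David's rule, "never trust anything from the browser", is usually put into practice by validating the query string against an allow-list of expected parameters before any of its values reach application logic. The following is an added example in Python (the thread's own code is ASP.NET/C#), not code from any poster: it assumes a hypothetical page that accepts only a `page` number and an optional `name`, with limits chosen here for illustration, and rejects anything else (unknown keys, repeated keys, malformed pairs, out-of-range or oddly encoded values) instead of letting an unexpected value break the page.

```python
from urllib.parse import parse_qs

# Hypothetical application limits, chosen for this example.
MAX_QUERY_LENGTH = 2048   # refuse absurdly long query strings before parsing them
MAX_PAGE = 10_000
MAX_NAME_LENGTH = 50


class QueryError(ValueError):
    """Raised when the query string does not match what the page expects."""


def _parse_page(value):
    # ASCII digits only: rejects '', '-1', '1e3', ' 5' and non-ASCII digit forms
    # that int() would otherwise happily convert.
    if not (value.isascii() and value.isdigit()):
        raise QueryError(f"page: expected a positive integer, got {value!r}")
    page = int(value)
    if not 1 <= page <= MAX_PAGE:
        raise QueryError(f"page: {page} is outside 1..{MAX_PAGE}")
    return page


def _parse_name(value):
    if not 1 <= len(value) <= MAX_NAME_LENGTH:
        raise QueryError("name: length out of range")
    # Letters, spaces, hyphens and apostrophes only; anything else is refused
    # here rather than handed on to the rest of the application.
    if not all(ch.isalpha() or ch in " -'" for ch in value):
        raise QueryError("name: disallowed character")
    return value


# Allow-list: every parameter the page accepts, with the function that validates it.
VALIDATORS = {
    "page": _parse_page,
    "name": _parse_name,
}
REQUIRED = ("page",)


def parse_query(raw):
    """Validate a raw query string and return typed values, or raise QueryError.

    Unknown keys, repeated keys, missing required keys, malformed pairs and
    out-of-range values are all rejected, so the caller only ever sees data
    that is known to be well-formed.
    """
    if raw.startswith("?"):
        raw = raw[1:]
    if len(raw) > MAX_QUERY_LENGTH:
        raise QueryError("query string too long")
    if raw == "":
        fields = {}
    else:
        try:
            # keep_blank_values: 'page=' is seen (and then rejected) instead of dropped.
            # strict_parsing: a malformed pair such as 'page' raises instead of being ignored.
            fields = parse_qs(raw, keep_blank_values=True, strict_parsing=True)
        except ValueError as exc:
            raise QueryError(f"malformed query string: {exc}") from None

    for key, values in fields.items():
        if key not in VALIDATORS:
            raise QueryError(f"unexpected parameter {key!r}")
        if len(values) != 1:
            raise QueryError(f"parameter {key!r} given {len(values)} times")
    for key in REQUIRED:
        if key not in fields:
            raise QueryError(f"missing required parameter {key!r}")

    return {key: VALIDATORS[key](values[0]) for key, values in fields.items()}


def is_valid(raw):
    """Convenience wrapper: True if parse_query() accepts the query string."""
    try:
        parse_query(raw)
    except QueryError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real site.
    for sample in ("page=3&name=Ann", "page=3&page=4", "page=abc",
                   "page=3&debug=1", "name=Ann", "page=3&name=Ann%27%3B+DROP"):
        try:
            print(f"{sample!r:40} -> {parse_query(sample)}")
        except QueryError as exc:
            print(f"{sample!r:40} -> rejected: {exc}")
```

Rejecting rather than "cleaning" a bad value keeps the failure mode predictable: the page returns an error for `page=abc` instead of throwing deep inside a database call, and a repeated or unknown parameter never silently picks one value over another.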

Thirsty Traveler wrote:
I have a question regarding the use of query string variables. I understand
this can be a security risk subject to "brute force" attacks. Is this true
and, if so, what is the proper way to handle it? Should they never be used?


Just use stored procedures instead of in-line SQL statements, and
you'll probably be alright. Like the guy above me said, just don't use
query strings for sensitive data.

Apr 5 '06 #3
We use stored procedures extensively. I am being told that any query string
variables have the potential to break a site and cause server errors.

"KBuser" <Ky********@gmail.com> wrote in message
news:11**********************@u72g2000cwu.googlegroups.com...

Thirsty Traveler wrote:
I have a question regarding the use of query string variables. I
understand
this can be a security risk subject to "brute force" attacks. Is this
true
and, if so, what is the proper way to handle it? Should they never be
used?


Just use stored procedures instead of in-line SQL statements, and
you'll probably be alright. Like the guy above me said, just don't use
query strings for sensitive data.

Apr 5 '06 #4
Again, it depends on what data your query strings represent, but if you
look around at various websites, amazon for instance, there are many
different sites which use query strings.

As far as breaking a site goes, if the use of a query string causes
your site to go down for any period of time, you've probably done
something horribly wrong.

What are you going to be using these strings for?

Apr 6 '06 #5
Thus wrote KBuser,
Thirsty Traveler wrote:
I have a question regarding the use of query string variables. I
understand this can be a security risk subject to "brute force"
attacks. Is this true and, if so, what is the proper way to handle
it? Should they never be used?

Just use stored procedures instead of in-line SQL statements, and
you'll probably be alright.

[...]

That has nothing to do with Stored Procedures.

You need to make sure that you're not constructing SQL statements by simple
string concatenation, but use parameters instead when using Dynamic SQL.

Cheers,
--
Joerg Jooss
ne********@joergjooss.de
Apr 6 '06 #6
Right, I mentioned using stored procedures for the simple reason of
parameters. While I'm aware you can use params without stored_procs, if
my understanding is correct, SPs are less vulnerable to injection
attacks, and other such security risks.

Joerg Jooss wrote:
Thus wrote KBuser,
Thirsty Traveler wrote:
I have a question regarding the use of query string variables. I
understand this can be a security risk subject to "brute force"
attacks. Is this true and, if so, what is the proper way to handle
it? Should they never be used?

Just use stored procedures instead of in-line SQL statements, and
you'll probably be alright.

[...]

That has nothing to do with Stored Procedures.

You need to make sure that you're not constructing SQL statements by simple
string concatenation, but use parameters instead when using Dynamic SQL.

Cheers,
--
Joerg Jooss
ne********@joergjooss.de


Apr 9 '06 #7
You can't really trust any data that comes from an external source, and
that includes data submitted on the querystring or posted in a form.
Both are easy to spoof. It's fine to use the querystring, but make
sure you check and validate the data before using it, and make sure
unexpected values won't break your application, or worse, cause a
security problem.

A common example of the problem with this is the SQL injection attack.
For example, consider:

string sql = "SELECT * FROM people WHERE name='" +
    Request.QueryString["name"] + "'";

What if the value of your name parameter is "; DELETE from people;"?
Then the user has just deleted all the data from your people table.

HTH,

Chris

Apr 9 '06 #8
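Chris's concatenated query, Joerg Jooss's point that parameters (not stored procedures as such) are what prevent injection, and KBuser's question about the two are all illustrated by the added example below. It is written in Python with the standard-library sqlite3 module rather than the thread's C#/ASP.NET, and is not any poster's code; the `people` table name comes from Chris's post, while the rows and the payload are constructed here. The vulnerable version uses `executescript()` so that the whole concatenated string runs as a batch, which is what SQL Server would do with the ASP.NET string in the post (sqlite3's `execute()` refuses a string containing a second statement); the safe version binds the value as a parameter.

```python
import sqlite3


def make_db():
    """Build an in-memory database with a small, constructed 'people' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO people (name) VALUES (?)",
                     [("Alice",), ("Bob",), ("Carol",)])
    conn.commit()
    return conn


def count_people(conn):
    return conn.execute("SELECT COUNT(*) FROM people").fetchone()[0]


def find_vulnerable(conn, name):
    """The pattern from the post: the untrusted value is spliced into the SQL text.

    executescript() runs the resulting string as one batch, as SQL Server would
    with the ASP.NET string in the post; a second statement smuggled in via the
    value is executed too.  Returns the SQL that was actually run, so the caller
    can see exactly what the database saw.
    """
    sql = "SELECT id, name FROM people WHERE name='" + name + "'"
    conn.executescript(sql)
    return sql


def find_safe(conn, name):
    """Same lookup with a bound parameter.

    The value is sent separately from the statement text and is never parsed
    as SQL, whatever characters it contains.  The protection comes from the
    parameter, not from whether the statement text lives in a stored procedure.
    """
    return conn.execute("SELECT id, name FROM people WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    # Constructed payload: closes the quoted literal, adds a statement, comments out the rest.
    payload = "Bob'; DELETE FROM people; --"
    conn = make_db()
    print("rows before:", count_people(conn))
    print("parameterised lookup returned:", find_safe(conn, payload))
    print("rows after parameterised lookup:", count_people(conn))
    print("concatenated SQL:", find_vulnerable(conn, payload))
    print("rows after concatenated lookup:", count_people(conn))
```

Run stand-alone, the parameterised lookup simply matches nobody and leaves all three rows in place, while the concatenated version empties the table. A stored procedure called through a parameterised command gets the same protection as `find_safe`; a stored procedure that itself builds SQL by string concatenation from its arguments does not.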
