SQL Injections



Digitalosophy
October 15th, 2007, 02:25 PM
So without starting a "How to hack a website" thread, I have a question.

I'm working on this project where users upload excel files, asp reads the tabs if there is data we give them a drop down menu to choose which tab they want to use bla bla bla.

All works fine and well. However we don't have any control over what they are naming their tabs. I'm concerned through naming their tabs they may be able to do things we don't want them to do.

My SQL is string looks like this:


' sqlCommandArray(k) holds the tab name the user chose. It is concatenated
' into the bracket-quoted identifier unchanged, so a "]" inside the name
' ends the identifier early and whatever follows becomes part of the statement.
sql_string = sql_string & "SELECT * FROM ["&sqlCommandArray(k)&"]" & ","


Then I do a split, etc and eventually execute. What characters should I be concerned with, that can potentially do some damage?

Thanks in advance.

simplistik
October 15th, 2007, 03:13 PM
What server-side language are you using to do the processing? For PHP you can use "mysql_real_escape_string", which will eliminate a good majority of any issues you may have, but you can also just escape all HTML as well using either html_entities or strip_tags; these are really only for display purposes. Characters that you should be concerned with are


' " & .

but if you run mysql_real_escape_string, it'll take care of most of that crap. I think you're an ASP guy, but I dunno the ASP equivalents of those commands.

Digitalosophy
October 16th, 2007, 11:05 AM
Yeah, I'm using ASP and SQL Server. I think I'm OK; I'm trying everything I can to bomb the SQL statement and I can't break it. I'm escaping those characters you suggested and so far so good.

With that said, I'm far from a l33t haxor lol

Thanks man.

teiz77
October 18th, 2007, 04:34 AM
Always try to use the "Parameters.Append" function in ASP; when you use this, SQL injection is very, very hard.

for example


Dim tableName
tableName = Request.Form("tableName")

...

' A "?" marker binds a parameter VALUE. ADO and SQL Server do not substitute
' it for an identifier, so a parameter in the FROM position is rejected by the
' server; the same pattern works for values, e.g. "... WHERE name = ?".
cmd.CommandText = "SELECT * FROM ?"
' CreateParameter(name, type, direction, size, value):
'   200 = adVarChar, 1 = adParamInput, 255 = maximum length in characters
cmd.Parameters.Append cmd.CreateParameter("param1", 200, 1, 255, tableName)

...

Charleh
October 18th, 2007, 04:43 AM
Man, SQL injection rocks - I remember bringing down my mate's website a few times and amending articles after echoing some of the database schema to the screen from his shoutbox :)

Digitalosophy
October 18th, 2007, 08:59 AM
Always try to use the "Parameters.Append" function in ASP; when you use this, SQL injection is very, very hard.

for example


Dim tableName
tableName = Request.Form("tableName")

...

' A "?" marker binds a parameter VALUE. ADO and SQL Server do not substitute
' it for an identifier, so a parameter in the FROM position is rejected by the
' server; the same pattern works for values, e.g. "... WHERE name = ?".
cmd.CommandText = "SELECT * FROM ?"
' CreateParameter(name, type, direction, size, value):
'   200 = adVarChar, 1 = adParamInput, 255 = maximum length in characters
cmd.Parameters.Append cmd.CreateParameter("param1", 200, 1, 255, tableName)

...


I've never heard of this method, I'll look into it. Thanks!

@Charleh - If I were your friend I would have put visine in your drink :lol: