From: Ken Schaefer (kenadOpenStatic.com)
Date: Wed Jun 05 2002 - 21:37:23 CDT
is another good paper on SQL Injection attacks.
[To the original poster]
If you're using ASP/ADO & SQL Server, then I'd suggest your best defence is:
a) Use stored procedures for all DB tasks. Do *not* use EXEC() to execute
b) Use the ADO Command Object (and typed Parameter objects) to interact with
the stored procedures.
c) Do not grant any SQL Server permissions to the account that is used to
access the DB (e.g. do not allow datareader/writer), instead give execute
permissions to the Public role to the sprocs in (a).
Sure, this is a little bit more work, but it means:
a) you don't have to worry about malicious SQL statements being injected
into your code
b) even if (a) does not hold, any damage will be limited to information that
is returnable by your sprocs - there is no way to execute any other
arbitrary SQL statement
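Putting the three points above together as a classic ASP page (an added example, not code from the post or its author): the query from the quoted question, SELECT CID FROM Customer WHERE C_NO = ..., moves into a stored procedure that is called through an ADO Command object with a typed Parameter, and the web login gets EXECUTE on that sproc only. The sproc name usp_GetCustomerId, its varchar(20) parameter size, and the Application("ConnString") connection string are assumptions.

```vbscript
<%
Option Explicit
' Assumed stored procedure, created once by the DBA (T-SQL, shown here
' as a comment so the whole example is one ASP page):
'
'   CREATE PROCEDURE dbo.usp_GetCustomerId @C_NO varchar(20) AS
'       SET NOCOUNT ON
'       SELECT CID FROM Customer WHERE C_NO = @C_NO
'   GO
'   -- web login gets EXECUTE on the sproc only, no datareader/datawriter
'   GRANT EXECUTE ON dbo.usp_GetCustomerId TO public
'
' ADO constants (normally pulled in from adovbs.inc)
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1

' Look up a customer's CID by customer number via the stored procedure.
' The value travels as a typed parameter, never as part of the SQL text,
' so a ' or -- inside it is just data: there is no string to break out of.
Function GetCustomerId(conn, userNo)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.usp_GetCustomerId"
    ' Type and length match the sproc's @C_NO varchar(20) declaration
    cmd.Parameters.Append cmd.CreateParameter("@C_NO", adVarChar, _
        adParamInput, 20, CStr(userNo))
    Set rs = cmd.Execute
    If rs.EOF Then
        GetCustomerId = Empty
    Else
        GetCustomerId = rs("CID").Value
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Usage: replaces SQL = "SELECT ... WHERE C_NO = '" & Replace(...) & "'"
Dim conn, cid
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed: connection string set in global.asa
cid = GetCustomerId(conn, Session("User"))
conn.Close
Set conn = Nothing
%>
```

With this layout the account behind ConnString can run usp_GetCustomerId and nothing else, so even a flaw elsewhere in the page cannot be turned into an arbitrary SELECT, INSERT or EXEC.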
From: "Cedric Malecot" <cedric.malecotclub-internet.fr>
Subject: RE: inputvalidation against sql-injection
: A good doc about sql injection :
: -----Original Message-----
: From: Thomas Springer [SMTP:tuevserveraudit.net]
: Date: Wednesday, 5 June 2002 15:13
: To: webappsecsecurityfocus.com
: Subject: inputvalidation against sql-injection
: a question about input validation in .asp-pages:
: SQL = "SELECT CID FROM Customer WHERE C_NO = '" &
: Replace(Session("User"),"'","''") & "'"
: replaces a single ' with '', thus preventing sql-injection.
: is this input-validation enough to keep people away from using things like
: ' and 1=1--
: or are there ways to get round this input-validation and inject sql-code into
: an iis/mssql-server?
: Thomas Springer