Reputation: 5053
I received a demand to correct an ASP website that has lots of functions to protect against SQL Injection.
This website is not permitting one of our clients to register on this site.
In the name of the client there is the word "SELECT". And the functions to protect against SQL Injection are replacing the "SELECT" word with "". Surely the client didn't like it when he received a letter without his name. Lol
The website is using that old Classic ASP way to access data, something like:
' Query text is built by concatenating request values straight into the SQL
' string; this is the pattern the "SELECT"-stripping functions exist to guard.
strSQL = "SELECT name " & _
         "FROM MyTable " & _
         "WHERE (ID=" & itemID & ") AND (CompanyID=" & companyID & ") AND (MenuTitle LIKE '%" & titleText & "%') "
recordset.Open strSQL
So they need to use these functions to protect against SQL Injection.
I want to change it, and I'll start to use Parameterized Queries.
So, my question is: Can I securely remove these functions to protect against SQL Injection from this site, if I use parameterized queries?
Upvotes: 1
Views: 281
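The same query from the question rewritten with an ADODB.Command and bound parameters, as an added example (this is not code from the question or from any of the answers). It assumes a SQL Server OLE DB provider, a placeholder connection string, and request field names ("id", "title") and a Session key ("CompanyID") that are invented for the illustration. The point it shows is that the SQL text is fixed and every value, including one that contains the word SELECT, travels as a parameter, so the word-stripping functions have nothing left to do for this statement.

```vbscript
' Added example: parameterized replacement for the concatenated query.
' Assumed: SQLOLEDB provider, placeholder connection string, invented field names.
Option Explicit

' ADO constants (adovbs.inc values) so the page runs without the include file.
Const adCmdText = 1
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=PLACEHOLDER;Initial Catalog=PLACEHOLDER;Integrated Security=SSPI;"

' Inputs taken as they arrive; no keyword stripping is applied to any of them.
Dim itemID, companyID, titleText
itemID    = CLng(Request.QueryString("id"))   ' numeric field: coerce, and let a non-number raise an error
companyID = CLng(Session("CompanyID"))        ' comes from the server-side session, never from the client
titleText = Request.Form("title")             ' free text; may legitimately contain SELECT, quotes, etc.

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The statement is a constant: question marks stand in for every former concatenation point.
cmd.CommandText = "SELECT name FROM MyTable " & _
                  "WHERE (ID = ?) AND (CompanyID = ?) AND (MenuTitle LIKE ?)"

' Parameters bind positionally, in the order the ? markers appear.
cmd.Parameters.Append cmd.CreateParameter("ID", adInteger, adParamInput, , itemID)
cmd.Parameters.Append cmd.CreateParameter("CompanyID", adInteger, adParamInput, , companyID)
' The LIKE wildcards belong to the value, not to the SQL text, so the provider
' sends "%<title>%" as data; a title of SELECT or O'Brien cannot change the statement.
cmd.Parameters.Append cmd.CreateParameter("Title", adVarChar, adParamInput, 255, "%" & titleText & "%")

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encoding on output is a separate (XSS) concern from the SQL side handled above.
    Response.Write Server.HTMLEncode(rs("name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
```

One caveat that parameterization does not cover: because the wildcard string is built from user input, a "%" or "_" typed by the user still acts as a LIKE wildcard. That changes which rows match, not the structure of the statement, so it is a matching-semantics question rather than an injection one; if exact-substring behaviour is required, escape those two characters in the value (and a "[" for SQL Server) before binding it.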
Reputation: 1446
I wouldn't just rely on parameterized queries as your only form of protection against SQL injection and other types of hacking attempts. Having an in-house or 3rd party maintained level of security software/code is recommended to protect against SQL injection, cross site scripting, software security holes etc.
You could consider replacing their multiple functions with URLScan 3.1 to quickly and effectively protect your application from SQL injection attempts at an IIS level, as well as working through your application to properly sanitize your SQL statements as you/others have already proposed.
Upvotes: 1
Reputation: 35580
Using parameterised queries is a protection against SQL Injection in the layer between the webserver and the database, but only if every piece of user data is used in this manner.
However, you can still get SQL injection problems from inside the database layer, so ensure that you don't call any stored procedures that themselves build queries by string interpolation.
Upvotes: 3
Reputation: 3406
Short answer is yes.
The long answer is yes, but you still want to sanitize your inputs. Not necessarily on words like "SELECT", but non-alphanumeric characters or anything suspicious (based on use cases). Parameterized queries are an important part of security, but they're not a silver bullet.
Upvotes: 0