msvuze

Reputation: 1397

MS SQL Query Is this Safe?

I'm not experienced with these sorts of things, so I would just like to ask: if I was to use the code below, will I be safe from MS SQL injection attacks / anything like that?

' OPEN DATABASE
Dim objConn, objRS, strQuery

Set objConn = Server.CreateObject("ADODB.Command")
objConn.ActiveConnection = "Driver={SQL Server};Server=MSSQLSrv;Database=DbTest;UID=blablabala;PWD=blablabala"

strQuery = "SELECT USERNAME,PASSWORD from CUSTOMERS where EMAIL=?"
objConn.CommandText = strQuery
objConn.CommandType = 1 ' adCmdText

' The ? placeholder needs a parameter object appended before execution; the
' query-string value is bound as data and is never concatenated into the SQL text.
' 200 = adVarChar, 1 = adParamInput (ADO constants, spelled out in case adovbs.inc is not included)
objConn.Parameters.Append objConn.CreateParameter("@email", 200, 1, 255, Request.QueryString("email"))

' Execute takes no SQL string here: the command text and bound parameter are already set
Set objRS = objConn.Execute

Upvotes: 3

Views: 305

Answers (1)

podiluska

Reputation: 51514

By using parameterisation, you protect from SQL injection.

But you don't protect from cross site scripting attacks.

Additionally, you should hash your user's password in the database, and check for a match against the hash, rather than storing it in plain text.

Nor, by allowing the website to do a select against the customers table, is your data particularly secure. If your webserver is compromised, so is your data. One way of reducing this vulnerability is by using stored procedures rather than raw SQL in your code.

( And for your sanity and future employability, you might want to move away from classic ASP to .Net :) )

Upvotes: 1
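The answer's last two points (hash the password instead of storing it in plain text, and put the query behind a stored procedure so the web tier cannot read the customers table directly) can be seen together on the database side. The T-SQL below is an added example, not code from the question or the answer; the table columns, procedure names, and the `WebAppLogin` / `WebAppUser` principals are assumptions for illustration.

```sql
-- Constructed schema: the password column holds a per-user salt and a hash, never the plain text
CREATE TABLE dbo.CUSTOMERS (
    CUSTOMER_ID   INT IDENTITY PRIMARY KEY,
    USERNAME      NVARCHAR(100) NOT NULL,
    EMAIL         NVARCHAR(255) NOT NULL UNIQUE,
    PASSWORD_SALT VARBINARY(16) NOT NULL,
    PASSWORD_HASH VARBINARY(64) NOT NULL   -- SHA2_512 output is 64 bytes
);
GO

-- Registration: generate a random salt per user and store only hash(salt || password)
CREATE PROCEDURE dbo.RegisterCustomer
    @Username NVARCHAR(100),
    @Email    NVARCHAR(255),
    @Password NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);
    INSERT INTO dbo.CUSTOMERS (USERNAME, EMAIL, PASSWORD_SALT, PASSWORD_HASH)
    VALUES (@Username, @Email, @Salt,
            HASHBYTES('SHA2_512', @Salt + CAST(@Password AS VARBINARY(256))));
END
GO

-- Login check: the caller learns only whether the credentials matched (return value)
-- and the display name; the hash, the salt and the rest of the row never leave the database
CREATE PROCEDURE dbo.CheckCustomerLogin
    @Email    NVARCHAR(255),
    @Password NVARCHAR(128),
    @Username NVARCHAR(100) OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @Username = NULL;
    SELECT @Username = USERNAME
    FROM dbo.CUSTOMERS
    WHERE EMAIL = @Email
      AND PASSWORD_HASH = HASHBYTES('SHA2_512', PASSWORD_SALT + CAST(@Password AS VARBINARY(256)));
    RETURN CASE WHEN @Username IS NULL THEN 0 ELSE 1 END;
END
GO

-- Least privilege for the principal named in the ASP connection string: it may execute the
-- two procedures but has no rights on the table itself, so a compromised web server that
-- reuses the connection string still cannot SELECT the customer list
CREATE USER WebAppUser FOR LOGIN WebAppLogin;   -- assumes the server login already exists
GRANT EXECUTE ON dbo.RegisterCustomer  TO WebAppUser;
GRANT EXECUTE ON dbo.CheckCustomerLogin TO WebAppUser;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.CUSTOMERS TO WebAppUser;
GO
```

The procedures can still read the table even though `WebAppUser` cannot, because both objects are owned by `dbo` and SQL Server's ownership chaining skips the permission check on the table inside the procedure. From classic ASP the call is the same parameterised `ADODB.Command` pattern as in the question, with `CommandType` set to `4` (adCmdStoredProc) and `@Username` declared as an output parameter; whatever comes back still has to go through `Server.HTMLEncode` before it is written into the page, which is the cross-site scripting point the answer raises. One caveat on the hashing: `HASHBYTES` with SHA2_512 is fast by design, so where the application tier can compute a deliberately slow password hash (PBKDF2, bcrypt or Argon2) and send only the result to the database, that is the stronger choice; the in-database version is shown here because classic ASP has no built-in hashing.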
