Reputation: 157
I got a website for maintenance that is using Classic ASP technology. Now my client is asking if this website is secured against SQL injection.
I've tried the Microsoft Source Code Analyzer for SQL Injection and got no warnings after testing.
Are there any other ways to check/verify that this Classic ASP source code is secure from SQL injection attacks?
Please advise! Thanks
Upvotes: 2
Views: 417
Reputation: 2211
A simple way to patch your code to be SQL injection free is to use the function CInt() on numbers:
if (request("id")<>"") then id=CInt(request("id"))
or for strings:
if (request("str")<>"") then
    str=Replace(request("str"),"'","''")
    str=Replace(str,"%","")
end if
Hope this helps.
Upvotes: 0
Reputation: 93795
There's not a single way to know. You could post some code and see how it looks.
The key is that you not build your SQL statements with tainted data from the outside.
If you build a statement like this
sql = "select * from whatever where id = " + id_parameter
then you are building a SQL statement with data from the outside world, and that is dangerous.
You must use parameterized queries, like this:
objCmd.CommandType = adCmdText;
objCmd.CommandText = "UPDATE members SET photo = ? WHERE memberID = ?";
objCmd.Parameters.Append(
objCmd.CreateParameter("filename", adVarChar, adParamInput, 510, fileName));
objCmd.Parameters.Append(
objCmd.CreateParameter("memberID", adInteger, adParamInput, 4, memberid ));
objCmd.Execute(adExecuteNoRecords);
Note that the objCmd.CommandText does not use any data from the outside. Outside data is funneled through the CreateParameter calls.
Upvotes: 5
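The same pattern as the JScript snippet in the answer above, written as a VBScript Classic ASP page, as an added example that is not code from either answer. It validates the numeric id before binding it (CLng rather than CInt, because a VBScript Integer is 16-bit and CInt fails above 32767, while adInteger is a 32-bit parameter) and passes the string value through a parameter so that quotes in it are data, not SQL. The connection string, the members table and its column names are assumed placeholders.

```vbscript
<%
' Added example (not from the original question or answers).
' Connection string, table and column names below are assumed placeholders.
Option Explicit

' ADO constants, so the page does not depend on adovbs.inc being included.
Const adCmdText = 1
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1

Dim conn, cmd, rs, rawId, memberId, searchName

' Reject anything that is not a whole number before it goes near the database.
rawId = Request.QueryString("id")
If Not IsNumeric(rawId) Or InStr(rawId, ".") > 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "invalid id"
    Response.End
End If
memberId = CLng(rawId)   ' 32-bit, matches the adInteger parameter below

' The name is bound as a parameter value; a quote in it stays a literal quote.
searchName = Request.QueryString("name")

' Never do this (the pattern the answer above warns about):
'   sql = "SELECT * FROM members WHERE memberID = " & rawId

Set conn = Server.CreateObject("ADODB.Connection")
' Assumed placeholder connection string.
conn.Open "Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=APPDB;Integrated Security=SSPI;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The SQL text is a fixed string; each ? is filled by a parameter, never by concatenation.
cmd.CommandText = "SELECT memberID, name FROM members WHERE memberID = ? AND name = ?"
cmd.Parameters.Append cmd.CreateParameter("memberID", adInteger, adParamInput, 4, memberId)
cmd.Parameters.Append cmd.CreateParameter("name", adVarChar, adParamInput, 255, searchName)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output as well, so stored data cannot inject HTML into the page.
    Response.Write Server.HTMLEncode(rs("name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

When reviewing an existing Classic ASP code base, the check that matters is the one in the answer above: search for every place a SQL string is built with & or + and a Request value, and confirm each one has been replaced by a fixed CommandText with CreateParameter calls like these.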