klork

Reputation: 572

Classic ASP SQL Injection

I recently inherited a Classic ASP website with a ton of inline SQL insert statements that are vulnerable to SQL injection attacks.

These insert statements are executed via the ADO command object.

Will setting the ADO Command Object's Prepared property to true ensure that the query is parameterized before execution, thus mitigating the risk of SQL injection?

Upvotes: 8

Views: 18475

Answers (5)

Carter Cole

Reputation: 924

What I would suggest you do is write a function to sanitize the user input, then run all the request variables through that. When I wrote mine I did stuff like:

  • escape single quotes,
  • remove ; and other special characters and
  • make sure that you couldn't -- (comment) out the end of the statement.

Most SQL injection would try something like ' or 1=1 or a=' so the SQL code would be:

SELECT * from mytable where mycolumn = '' or 1=1 or a=''

So escaping single quotes is the real big one you need to worry about.

Upvotes: -1

Jason Too Cool Webs

Reputation: 133

Here's another good link and example.

http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

In the past we just created a couple functions to handle any outside input for SQL injections and XSS. Then slowly we converted all the inline SQL to stored procedures.

Upvotes: 0

user213186

Reputation: 99

You can also look at a Classic ASP open source project called 'OWASP Stinger'. That not only helps with SQL injection, but header injection and lots of other security issues common to all web apps.

http://www.owasp.org/index.php/Classic_ASP_Security_Project

Upvotes: 2

kevchadders

Reputation: 8335

This Link should prove useful.

Classic ASP SQL Injection Protection

Upvotes: 6

Hans Kesting

Reputation: 39255

No, if you build a SQL string with values that you get directly from "outside", then a "prepared statement" will not help you.

a

sSQL = "SELECT * from mytable where mycolumn = '" & Request.QueryString("value") & "'"

is still asking for trouble. The only way to solve this is by using parameters in your query.

Upvotes: 6
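To make this answer concrete for the question's situation (inline INSERT statements run through an ADO Command object), here is an added Classic ASP example that is not part of the original question or any answer. It shows the string-built insert the question describes next to the same insert rewritten with ADODB.Command parameters, and it sets Prepared = True on the safe version to make the point that Prepared is a plan-caching hint, not what removes the injection. The table name Comments, its columns, the form field names and Application("ConnString") are all assumed for illustration.

```vbscript
<% Option Explicit %>
<%
' Added example, not the original poster's code: parameterized ADO insert
' beside the inline-string insert that is vulnerable. Table, columns, form
' fields and the connection-string location are assumptions.

' ADO constants (adovbs.inc values); declared here so the page is self-contained.
Const adVarChar = 200
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1
Const adExecuteNoRecords = 128

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed: connection string stored in Application state

' --- Vulnerable form (kept as a comment so this page never runs it) ---
' The request value is spliced into the SQL text, so a single quote in the
' input closes the literal and whatever follows is parsed as SQL. Setting
' cmd.Prepared = True on a Command that runs this string changes nothing:
' the provider only ever sees the already-assembled statement.
'
' Dim sSQL
' sSQL = "INSERT INTO Comments (Author, Body, Rating) VALUES ('" & _
'        Request.Form("author") & "', '" & Request.Form("body") & "', " & _
'        Request.Form("rating") & ")"
' conn.Execute sSQL

' --- Safe form: fixed SQL text, values sent as typed parameters ---
Dim rating
If IsNumeric(Request.Form("rating")) Then
    rating = CLng(Request.Form("rating"))
Else
    rating = 0     ' reject or default non-numeric input instead of letting CLng raise
End If

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO Comments (Author, Body, Rating) VALUES (?, ?, ?)"
cmd.Prepared = True   ' optional: lets the provider compile the plan once for reuse

' With ? placeholders the parameters are matched by position, not by name,
' so append them in the order the placeholders appear. Size is the maximum
' length for character types and is ignored for adInteger.
cmd.Parameters.Append cmd.CreateParameter("Author", adVarChar, adParamInput, 50, Request.Form("author"))
cmd.Parameters.Append cmd.CreateParameter("Body", adVarChar, adParamInput, 2000, Request.Form("body"))
cmd.Parameters.Append cmd.CreateParameter("Rating", adInteger, adParamInput, 4, rating)

' Execute(RecordsAffected, Parameters, Options): no recordset is needed for an INSERT.
cmd.Execute , , adExecuteNoRecords

Set cmd = Nothing
conn.Close
Set conn = Nothing
%>
```

The quote, semicolon and -- characters that the sanitizer-based answers above worry about are simply data once they arrive as a parameter value, which is why this approach needs no escaping function. The same CreateParameter pattern works unchanged when CommandType is switched to adCmdStoredProc and CommandText names a stored procedure, so it is also the natural stepping stone for the gradual conversion to stored procedures that another answer describes.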
