user2358523

Reputation: 33

Does this open the door for SQL Injection?

Setting my var:

Foo = request("Bar")

Building SQL Query:

John.Source = "SELECT ID, Name FROM dbo.USER where Name = '"&Foo&"' and ID = '1'"

I found this in someone's project. Does this open the door for SQLi?

Upvotes: 1

Views: 134

Answers (2)

DAC84

Reputation: 1274

Yes, it is. You need to sanitise the value before inserting it into the query like that. Or use parameterised queries, which is a safer option.

Upvotes: 1

Mutation Person

Reputation: 30498

Absolutely. request("Bar") will take parameters off the Request.QueryString or the Request.Form collection.

This means that you can in theory tag the following onto the querystring:

'; delete * from dbo.USER; select * from user where name='

Which will give you a query of

SELECT ID, Name FROM dbo.USER where Name = ''; delete * from dbo.USER; select * from user where name='' and ID = '1'

As one of the commenters said, use parameterized queries instead.

If this really isn't an option then be sure to escape values obtained from the Request collection. This link may help: http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

Upvotes: 6
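The parameterised form both answers recommend, written out for classic ASP as an added example (this is not code from the question or from either answer). It assumes an already open ADODB.Connection object named `conn` and that `ID` is an integer column; the ADO constant values are declared inline so the page does not need adovbs.inc.

```vbscript
<%
' Added example: the query from the question rebuilt with ADODB.Command and
' bound parameters, so the value of Request("Bar") never becomes SQL text.
' Assumes an open ADODB.Connection named conn (hypothetical, not on the page).
Const adCmdText = 1
Const adVarChar = 200
Const adInteger = 3
Const adParamInput = 1

Dim Foo, cmd, rs
Foo = Request("Bar")

' Vulnerable original, kept here only for contrast:
' John.Source = "SELECT ID, Name FROM dbo.USER where Name = '" & Foo & "' and ID = '1'"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Question marks are placeholders; the driver sends the values separately
' from the statement, so quotes or semicolons in Foo cannot end the string
' literal or start a second statement.
cmd.CommandText = "SELECT ID, Name FROM dbo.USER WHERE Name = ? AND ID = ?"

' Bind Foo as a 50-character varchar input parameter (size is an assumption;
' match it to the column definition).
cmd.Parameters.Append cmd.CreateParameter("Name", adVarChar, adParamInput, 50, Foo)
' The original compares ID with the string '1'; binding it as an integer
' assumes ID is a numeric column (use adVarChar if it is text).
cmd.Parameters.Append cmd.CreateParameter("ID", adInteger, adParamInput, , 1)

Set rs = cmd.Execute
Do While Not rs.EOF
    ' Encode on output as well, so stored data cannot inject HTML into the page.
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

If the request arrives with Bar set to the string from the second answer, the driver passes it to SQL Server as one literal compared against Name, and the DELETE in it is never parsed as a statement.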
