[thelist] Website Database Security
Ryan Finley
RyanF at SonicFoundry.com
Thu May 3 16:00:15 CDT 2001
<<
I am mostly looking for information on SQL Holes in forms and URL variables
along with specific ColdFusion security coding issues and server issues.
>>
OK, here's a simple yet effective hack against a database-driven site:
Let's say you have a page that takes an "ID" parameter on the URL and uses
it to call custom SQL like this:
http://www.mynaivesite.com/GetProduct.asp?PID=1234
' The raw "PID" value is spliced straight into the SQL text (this is the hole);
' conn is an open ADODB.Connection
sql = "SELECT * " & _
      "FROM Products " & _
      "WHERE PID = " & Request.QueryString("PID")
Set rs = conn.Execute(sql)
Well, well, well...I'll just reformat my URL like this:
http://www.mynaivesite.com/GetProduct.asp?PID=1234%20DROP%20TABLE%20Products
Whoops! Where'd my table go!
Easy fix:
' CLng forces the value to a whole number before it can reach the SQL text
sql = "SELECT * " & _
      "FROM Products " & _
      "WHERE PID = " & CLng(Request.QueryString("PID"))
Set rs = conn.Execute(sql)
Now I get this:
"Error: Cannot convert string to CLng"
Another fix (use a stored procedure):
' Call the procedure through a typed ADODB parameter, never by pasting the value into an EXEC string (3 = adInteger, 1 = adParamInput, 4 = adCmdStoredProc)
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "GetProducts"
cmd.CommandType = 4
cmd.Parameters.Append cmd.CreateParameter("@PID", 3, 1, , CLng(Request.QueryString("PID")))
Set rs = cmd.Execute
CREATE PROCEDURE GetProducts (@PID int) AS
SELECT *
FROM Products
WHERE PID = @PID
RETURN
It is surprising how many sites are unprotected from this hack...especially
when you can pretty much guess what they've named the tables.
Ryan
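The hole and both fixes from the post above, replayed end to end as an added example that is not part of Ryan's message. It uses Python and an in-memory SQLite database as a stand-in for the ASP page and SQL Server, with a constructed Products table. One difference is assumed and marked in the code: SQLite only runs a second statement when a ';' separates it, whereas T-SQL accepts the post's URL value without one, so the payload here carries the semicolon.

```python
import sqlite3

# The post's URL value, with the ';' that SQLite needs and T-SQL does not.
PAYLOAD = "1234; DROP TABLE Products"


def fresh_db():
    """Constructed sample data standing in for the site's Products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (PID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)",
                     [(1234, "Widget"), (1235, "Gadget")])
    conn.commit()
    return conn


def table_exists(conn, name="Products"):
    """True while the table is still in the schema catalogue."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def get_product_naive(conn, pid_param):
    """The vulnerable pattern from the post: the raw query-string value is
    spliced into the SQL text, so whatever follows the number runs as well.
    executescript() models a driver that executes the whole batch it is
    handed, which is what the ASP page in the post gets from SQL Server."""
    sql = "SELECT * FROM Products WHERE PID = " + pid_param
    conn.executescript(sql)
    conn.commit()
    return sql


def get_product_safe(conn, pid_param):
    """Both fixes from the post together: the CLng step (int() rejects
    anything that is not a whole number) and the typed stored-procedure
    parameter (the value is bound, never concatenated into SQL text)."""
    pid = int(pid_param)  # ValueError on "1234; DROP TABLE Products"
    return conn.execute("SELECT * FROM Products WHERE PID = ?", (pid,)).fetchall()


def safe_lookup_outcome(conn, pid_param):
    """("rows", rows) on a valid id, ("rejected", message) otherwise."""
    try:
        return ("rows", get_product_safe(conn, pid_param))
    except ValueError as exc:
        return ("rejected", str(exc))


def demo():
    """Run the payload against both versions and report what survived."""
    naive = fresh_db()
    get_product_naive(naive, PAYLOAD)
    safe = fresh_db()
    outcome = safe_lookup_outcome(safe, PAYLOAD)
    return {
        "naive_table_survives": table_exists(naive),
        "safe_table_survives": table_exists(safe),
        "safe_outcome": outcome[0],
        "safe_normal_lookup": get_product_safe(safe, "1234"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bound parameter is the part that generalises: CLng only helps for numeric ids, while binding the value (as the ADODB.Command parameter does for the stored procedure) also protects string parameters such as names or search terms, where there is no conversion to hide behind.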