[thelist] Website Hacked?

Anthony Baratta anthony at baratta.com
Sat May 24 17:40:10 CDT 2008

Todd Richards wrote:
> Thanks Anthony.  I am checking so that when someone requests a store - i.e.
> Store.asp?id=300 - if it's not a numeric value then they will get redirected
> to the home page.  However, I'm raw on how they could actually get data
> entered into my database.  I know it can happen - I hear about it all the
> time.  However, I'm just not sure where to start to fix it.  The "admin"
> directory is using Windows authentication rather than a database login,
> since I'm the only one who has permissions to update things.  Would that
> make a difference?  

When you fail to validate your data types, you open your SQL statements 
to manipulation. For Example:

Store.asp?id=300;DROP TABLE Store_Inventory;

Obviously they need to convert the space and the semi-colon with URL 
Encoding, but if your code does not validate the 300 string it will run 
both statements and you are hosed.

The more sophisticated hackers will encode their SQL statements like this:

Store.asp?id=300;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x444

This is an actual hack attempt against one of my servers. It's truncated 
for length, but a real life example of how they do it.

Anthony Baratta

Every man takes the limits of his own field of vision for the limits of 
the world.
— Arthur Schopenhauer
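
The two points in the post above (an unvalidated numeric id lets a ';'-stacked statement run, and URL- or hex-encoding the payload changes nothing if the "300" is never type-checked) as an added, runnable example; this is not code from the original message or from either poster's site. It models the classic-ASP pattern in Python against an in-memory SQLite database: the schema, rows and `Store.asp` URLs are constructed for the demonstration, and `executescript()` stands in for SQL Server's batch execution (plain `execute()` in sqlite3 refuses a second statement, which is precisely the protection an ADO concatenated query does not have). The truncated `CAST(0x444` payload is used exactly as it appears in the post, only to show that the type check rejects it before any SQL is built.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample schema (hypothetical tables for the demo, not the poster's database).
SCHEMA = """
CREATE TABLE Store (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE Store_Inventory (store_id INTEGER, sku TEXT, qty INTEGER);
INSERT INTO Store VALUES (300, 'Main Street');
INSERT INTO Store_Inventory VALUES (300, 'WIDGET-1', 12);
"""


def fresh_db():
    """A fresh in-memory database so each run starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def raw_id_from_url(url):
    """Return the URL-decoded 'id' parameter, as Request.QueryString("id") would.

    Splits only on '&' so a ';' inside the value survives, and decodes %20 etc.
    """
    query = url.partition("?")[2]
    for pair in query.split("&"):
        key, _, value = pair.partition("=")  # split at the first '=' only
        if key == "id":
            return unquote(value)
    return ""


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def lookup_store_vulnerable(conn, raw_id):
    """The pattern the post warns about: the raw string is concatenated into SQL.

    executescript() runs every ';'-separated statement, like a SQL Server batch,
    so whatever follows the '300' executes with the page's database rights.
    """
    sql = "SELECT name FROM Store WHERE id = " + raw_id
    conn.executescript(sql)


def lookup_store_hardened(conn, raw_id):
    """Validate the type first, then bind the value instead of concatenating it.

    isdigit() rejects ';', spaces, letters and hex blobs outright (the ASP page
    would redirect to the home page here); the parameter marker then guarantees
    the value can only ever be compared, never parsed as SQL.
    """
    if not raw_id.isdigit():
        return None
    store_id = int(raw_id)
    row = conn.execute("SELECT name FROM Store WHERE id = ?", (store_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Run both code paths against constructed requests and report what happened."""
    benign = "Store.asp?id=300"
    stacked = "Store.asp?id=300;DROP%20TABLE%20Store_Inventory;"
    # Truncated exactly as quoted in the post; only the type check sees it.
    encoded = "Store.asp?id=300;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x444"

    results = {}
    conn = fresh_db()
    lookup_store_vulnerable(conn, raw_id_from_url(stacked))
    results["vulnerable_keeps_inventory"] = table_exists(conn, "Store_Inventory")

    conn = fresh_db()
    results["hardened_benign"] = lookup_store_hardened(conn, raw_id_from_url(benign))
    results["hardened_stacked"] = lookup_store_hardened(conn, raw_id_from_url(stacked))
    results["hardened_encoded"] = lookup_store_hardened(conn, raw_id_from_url(encoded))
    results["hardened_keeps_inventory"] = table_exists(conn, "Store_Inventory")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The type check alone would have stopped both requests in the post, but the bound parameter is the part to keep even once every id is validated: it removes the concatenation, so a later page that takes a text parameter (a store name, say) gets the same protection without relying on a regex being right.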
