Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: nick () CREATIVEONLINEMEDIA COM (Nick Southwell)
Date: Tue, 29 Feb 2000 11:14:09 -0000


The original problem was related to
code produced by site server wizards.

These wizards do not use SP's
It's quite a task to rewrite a whole
site as SP'ed. Maybe MS should be looking
at a move to this methodology.

In general the extra time in doing DB
access as SP's isn't justified, mainly
because people aren't aware of the issue.

Nick.

This can still be a problem even if you use stored > 
procedures.  I've seen
code like this:

sql = "exec sp_name " & userdata

If userdata contains '0; delete from table' then you've 
got a problem.

The best way around this is to use parameterized queries 
for all data
access, including stored procedures, selects, inserts, > 
and updates.  Never
build up sql statements from strings that include user > 
input.

Eric.

If you use Stored Procedure calls in your ASP pages this 
can't
happen!! Manually creating SQL statements within ASP is > 
poor design :
not as efficient and secured as storing them in your 
database server
(as stored procedures) and making a call to them without 
speaking
of coding properly : you do you reuse these pieces of 
code?!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault