WebApp Sec: RE: Strange behaviour in sql injection

RE: Strange behaviour in sql injection

From: Dennis Hurst <dhurst_at_spidynamics.com>
Date: Tue, 29 Oct 2002 09:06:34 -0500

Antonio,

It's possible that the person is checking to make sure you passed
a value that can be converted to a numeric, something like this:

        if IsNumeric(Request("passedID")) then
                'all is well, build the SQL
                'the raw request string is concatenated straight into the statement
                sSql = "select * from myTable where ID = " & Request("passedID")
                'do some database stuff here
        else
                'go away, you're doing something bad....
        end if

Now, if the "passedID" parameter were a string that contained "1,1" it would pass the isNumeric() call because "1,1" is converted to "11" by VB/ASP, however when it's passed to the SQL server it is not a valid numeric value so the SQL server will choke and give the SQL error message. So you have a hybrid form of SQL Injection.

The proper way to do it would have been:

        if IsNumeric(Request("passedID")) then
                'all is well, build the SQL
                'CLng() converts the text to a long integer, CStr() turns it back
                'into text, so only a canonical number reaches the statement
                sSql = "select * from myTable where ID = " & cstr(clng(Request("passedID")))
                'do some database stuff here
        else
                'go away, you're doing something bad....
        end if

Using the cstr(CLng()) functions will convert it to a numeric and back again, effectively removing the SQL Injection.

Hope this helps.

Have a great day,

Dennis Hurst

-----Original Message-----
From: Securityinfos [mailto:admin_at_securityinfos.com]
Sent: Tuesday, October 29, 2002 4:32 AM
To: webappsec_at_securityfocus.com
Subject: Strange behaviour in sql injection

Conducting a pentest on a web application I discovered something strange..
The web application correctly replaces single quote (') with double quote ('')
and correctly checks if the value is numeric, but inserting in the query URL a
value with a comma, the application shows an error.

For example:

http://www.webapplication.com/show.asp?id=1,1

shows the error.

So, can we deduce that the previous dogmas for securing a web application,
replacing quotes and checking if a value is numeric, are not enough?

I'd like to know also what Kevin Spett thinks..

thanks..

Antonio Stano
Securityinfos
http://www.securityinfos.com

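The mismatch Dennis describes between the application's numeric check and the database's parser, reproduced against SQLite as an added example (this is not code from the thread): a lenient validator modelled on VBScript's IsNumeric() accepts "1,1", the concatenated query then fails at the database, while the CStr(CLng())-style round-trip or a bound parameter closes the gap. The table, the regex approximation of IsNumeric(), and the function names are assumptions made for the example.

```python
import re
import sqlite3

# Constructed stand-in for the thread's "myTable" (assumption: INTEGER ID column).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)", [(1, "one"), (11, "eleven")])
    return conn

# Approximation of VBScript IsNumeric() in an en-US locale: sign, digits with
# optional thousands-separator commas, optional decimal part. "1,1" passes.
_LENIENT = re.compile(r"^\s*[+-]?(\d{1,3}(,\d{1,3})*|\d+)(\.\d+)?\s*$")

def is_numeric_lenient(value: str) -> bool:
    return bool(_LENIENT.match(value))

def lookup_unsafe(conn: sqlite3.Connection, passed_id: str) -> list:
    """First snippet in the reply: lenient check, then raw concatenation."""
    if not is_numeric_lenient(passed_id):
        raise ValueError("not numeric")
    # The validated text still reaches the SQL parser unchanged.
    return conn.execute("SELECT * FROM myTable WHERE ID = " + passed_id).fetchall()

def lookup_cast(conn: sqlite3.Connection, passed_id: str) -> list:
    """Corrected snippet: round-trip through an integer, as CStr(CLng()) does."""
    if not is_numeric_lenient(passed_id):
        raise ValueError("not numeric")
    normalized = int(passed_id.replace(",", ""))  # mimics CLng("1,1") -> 11
    return conn.execute("SELECT * FROM myTable WHERE ID = " + str(normalized)).fetchall()

def lookup_param(conn: sqlite3.Connection, passed_id: str) -> list:
    """Bound parameter: the driver sends a typed value, never SQL text."""
    id_value = int(passed_id)  # strict: "1,1" raises ValueError before any query
    return conn.execute("SELECT * FROM myTable WHERE ID = ?", (id_value,)).fetchall()

def probe(conn: sqlite3.Connection, fn, value: str) -> str:
    """Summarize a lookup: the rows it returned, or the exception class it raised."""
    try:
        return "rows=" + repr(fn(conn, value))
    except (ValueError, sqlite3.OperationalError) as exc:
        return "error=" + type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1,1"):
        for fn in (lookup_unsafe, lookup_cast, lookup_param):
            print(f"{fn.__name__:14} {value!r:6} -> {probe(db, fn, value)}")
```

Note that the cast variant silently turns "1,1" into 11, exactly as the thread describes for CLng(), whereas the bound-parameter form rejects the value before any query is built.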
Received on Oct 29 2002
