URL sanitizer for SQL injection attack prevention, ASP/IIS/MS SQL

Brad Bansner asked (Last Modified: 2012-08-14):
I have a large number of websites running classic ASP and MS SQL Server 2003. We had problems with SQL injection attacks several years ago. I mostly solved them by having queries such as:

' string column: double every single quote so the value cannot close the literal
qry = "insert into table (column1) values ('" & Replace(insertvalue, "'", "''") & "')"

' numeric column: Int() raises a type mismatch on anything that is not a number
qry = "insert into table (column2) values (" & Int(insertvalue) & ")"

Now, I know there are ways around this if the querystring is encoded instead of plain text, which would block the single quotes and generate an error for numbers. Are there recommended products which will work with IIS and ASP to do a more comprehensive job of this? I would accept a solution that costs money or is licensed. I just want something easy to configure so I don't have to spend a ton of time setting up permission/denial lists.

Surely something like this is available by now? Would really appreciate any advice.

Thank you!
Brad Bansner (Web Developer, Author) commented:
Will this help if the person is using HEX, such as:

%31%20%41%4E%44%20%41%53%43%49%49%28%4C%4F%57%45%52%28%53%55%42%53%54%52%49%4E%47%28%28%53%45%4C%45%43%54%20%54%4F%50%20%31%20%6E%61%6D%65%20%46%52%4F%4D%20%73%79%73%6F%62%6A%65%63%74%73%20%57%48%45%52%45%20%78%74%79%70%65%3D%27%55%27%29%2C%20%31%2C%20%31%29%29%29%20%3E%20%31%31%36
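An added illustration, not part of the thread, of what that hex string is and why it does not get past the two sanitizers from the question. IIS percent-decodes the querystring before Request.QueryString returns a value, so the Replace() and Int() calls already operate on plain text; the UrlDecode function below is a hand-written stand-in for that IIS step so the whole sequence can be traced in one ASP page. The string literal is the exact one from the comment above; [table], column1 and column2 are the names from the question.

```vbscript
<%
' Added example, not code from the thread. Shows what the percent-encoded
' querystring from the post becomes after decoding, and how the two
' sanitizers from the question behave on the decoded text.

' Hand-written stand-in for the decoding IIS performs before
' Request.QueryString hands a value to ASP; used here only so the steps
' can be traced outside IIS.
Function UrlDecode(s)
    Dim i, ch, hexPair, out
    out = ""
    i = 1
    Do While i <= Len(s)
        ch = Mid(s, i, 1)
        If ch = "%" And i + 2 <= Len(s) Then
            hexPair = Mid(s, i + 1, 2)
            out = out & Chr(CLng("&H" & hexPair))
            i = i + 3
        ElseIf ch = "+" Then
            out = out & " "
            i = i + 1
        Else
            out = out & ch
            i = i + 1
        End If
    Loop
    UrlDecode = out
End Function

' Quote doubling exactly as in the question: every ' becomes '', so the
' value stays inside the string literal whatever else it contains.
Function StringLiteral(v)
    StringLiteral = "'" & Replace(v, "'", "''") & "'"
End Function

' Strict integer check for the numeric column. Int() on this payload raises
' a type mismatch, which stops the query; the regex gives the same
' fail-closed result without depending on an error being thrown.
Function IntegerLiteral(v)
    Dim re
    Set re = New RegExp
    re.Pattern = "^-?\d{1,9}$"
    If Not re.Test(v) Then
        Err.Raise vbObjectError + 1, "IntegerLiteral", "not an integer: " & v
    End If
    IntegerLiteral = CStr(CLng(v))
End Function

Dim raw, decoded
' The querystring value from the comment above, split over three lines.
raw = "%31%20%41%4E%44%20%41%53%43%49%49%28%4C%4F%57%45%52%28%53%55%42%53%54%52%49%4E%47%28%28" & _
      "%53%45%4C%45%43%54%20%54%4F%50%20%31%20%6E%61%6D%65%20%46%52%4F%4D%20%73%79%73%6F%62%6A%65%63%74%73%20" & _
      "%57%48%45%52%45%20%78%74%79%70%65%3D%27%55%27%29%2C%20%31%2C%20%31%29%29%29%20%3E%20%31%31%36"
decoded = UrlDecode(raw)
' decoded is:
'   1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116
' a blind-injection probe comparing the first letter of the first user table.
Response.Write "<pre>" & Server.HTMLEncode(decoded) & vbCrLf

' Unsafe: the numeric column with the raw value spliced in runs the probe.
Response.Write Server.HTMLEncode("select * from [table] where column2 = " & decoded) & vbCrLf

' String column: the probe is inert text inside the literal (its 'U' quotes are doubled).
Response.Write Server.HTMLEncode("insert into [table] (column1) values (" & StringLiteral(decoded) & ")") & vbCrLf

' Numeric column: rejected before any SQL text is built.
On Error Resume Next
Response.Write Server.HTMLEncode("insert into [table] (column2) values (" & IntegerLiteral(decoded) & ")") & vbCrLf
If Err.Number <> 0 Then Response.Write Server.HTMLEncode("rejected: " & Err.Description) & vbCrLf
On Error GoTo 0
Response.Write "</pre>"
%>
```

The point the page output makes: the hex encoding only hides the payload from things that inspect the raw URL (log greps, naive keyword filters); by the time the ASP code runs, the value is already decoded, and quote doubling plus a strict numeric check handle it the same as a plain-text request would.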
Certified Expert (Top Expert 2012) commented:
P.S. There is no such animal as SQL Server 2003.  It is either 2000, 2005, 2008 or 2008-R2.
Alpesh Patel (Solution Architect at TCS, Certified Expert) commented:
Please encode your querystring before sending the request to the browser or saving it to a SQL table.
Brad Bansner (Web Developer, Author) commented:
Hello, can you briefly explain how putting these queries into a Stored Procedure would avoid these problems? Thank you.
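To make the stored-procedure point concrete, an added example that is not one of the thread's answers: the two inserts from the question done through ADODB.Command with typed parameters, once as parameterized SQL text and once as a stored procedure call. In both cases the user value travels to SQL Server as a parameter, never as part of the SQL text, so a quote or keyword in it is data rather than syntax. The connection string, the procedure name dbo.InsertRow and its definition, the querystring names insertvalue and qty, and the column types are assumptions for the example.

```vbscript
<%
' Added example, not from the thread. Values are bound as typed parameters
' so they never become part of the SQL text. Assumed names: the connection
' string below, table [table] with column1 varchar(255) and column2 int,
' and a stored procedure dbo.InsertRow created once on the server as:
'
'   CREATE PROCEDURE dbo.InsertRow @column1 varchar(255), @column2 int AS
'       INSERT INTO [table] (column1, column2) VALUES (@column1, @column2)
'
' Its parameters are typed and it does not build SQL with EXEC(@sql); a
' procedure that concatenated @column1 into dynamic SQL would be injectable again.

' ADO constants, normally taken from adovbs.inc
Const adCmdText = 1
Const adCmdStoredProc = 4
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1

' Validate the numeric input up front; a non-integer would otherwise fail
' at parameter binding with a generic ADO error instead of a clear 400.
Function RequireInteger(v)
    Dim re
    Set re = New RegExp
    re.Pattern = "^-?\d{1,9}$"
    If Not re.Test(v) Then
        Response.Status = "400 Bad Request"
        Response.Write "qty must be an integer"
        Response.End
    End If
    RequireInteger = CLng(v)
End Function

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=MyDb;Integrated Security=SSPI;"

Dim textValue, numValue
textValue = Request.QueryString("insertvalue")   ' may contain quotes, keywords, anything
numValue = RequireInteger(Request.QueryString("qty"))

' 1. Parameterized text: the ? placeholders are sent separately from the
'    values, so nothing in textValue can change the statement's shape.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "insert into [table] (column1, column2) values (?, ?)"
cmd.Parameters.Append cmd.CreateParameter("@column1", adVarChar, adParamInput, 255, textValue)
cmd.Parameters.Append cmd.CreateParameter("@column2", adInteger, adParamInput, , numValue)
cmd.Execute

' 2. Stored procedure: the same binding, with the SQL living on the server.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "dbo.InsertRow"
cmd.Parameters.Append cmd.CreateParameter("@column1", adVarChar, adParamInput, 255, textValue)
cmd.Parameters.Append cmd.CreateParameter("@column2", adInteger, adParamInput, , numValue)
cmd.Execute

conn.Close
Response.Write "inserted"
%>
```

Either form removes the need for Replace() and Int() on the way into the query. The stored-procedure form has one extra benefit for a large fleet of sites: the application login can be granted EXECUTE on the procedures and nothing else, so even a missed concatenation elsewhere in the ASP cannot read sysobjects or write other tables.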