Solved

URL sanitizer for SQL injection attack prevention, ASP/IIS/MS SQL

Posted on 2011-04-18
1,350 Views
Last Modified: 2012-08-14
I have a large number of websites running classic ASP and MS SQL Server 2003. We had problems with SQL injection attacks several years ago. I mostly solved them by having queries such as:

qry="insert into table (column1) values ('" & replace(insertvalue, "'", "''") & "')"

qry="insert into table (column2) values (" & int(insertvalue) & ")"

Now, I know there are ways around this if the querystring is encoded instead of plain text, which would block the single quotes and generate an error for numbers. Are there recommended products which will work with IIS and ASP to do a more comprehensive job of this? I would accept a solution that costs money or is licensed. I just want something easy to configure so I don't have to spend a ton of time setting up permission/denial lists.

Surely something like this is available by now? Would really appreciate any advice.

Thank you!
Question by:bbdesign
8 Comments
 
LVL 6

Accepted Solution

by:
matija_ earned 500 total points
ID: 35419900
' Strips a fixed list of SQL keywords and punctuation from the input.
' Replace is case-sensitive by default, so vbTextCompare is passed to make
' each filter match regardless of letter case.
Function Injection(str)
      str = Replace(str,"select","",1,-1,vbTextCompare)
      str = Replace(str,"drop","",1,-1,vbTextCompare)
      str = Replace(str,"--","")
      str = Replace(str,"insert","",1,-1,vbTextCompare)
      str = Replace(str,"delete","",1,-1,vbTextCompare)
      str = Replace(str,"xp_","",1,-1,vbTextCompare)
      str = Replace(str,"*","")
      str = Replace(str,"#","")
      str = Replace(str,"%","")
      str = Replace(str,"&","")
      str = Replace(str,"'","")
      str = Replace(str,"(","")
      str = Replace(str,")","")
      str = Replace(str,"/","")
      str = Replace(str,"\","")
      str = Replace(str,":","")
      str = Replace(str,";","")
      str = Replace(str,"<","")
      str = Replace(str,">","")
      str = Replace(str,"=","")
      str = Replace(str,"[","")
      str = Replace(str,"]","")
      str = Replace(str,"?","")
      str = Replace(str,"`","")
      str = Replace(str,"|","")
      Injection = str
End Function

qry="insert into table (column1) values ('" & Injection(insertvalue) & "')"

Depending on your needs, you can comment out some filters.
0
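The check a practitioner would want to run before relying on the filter above is what it does to ordinary, legitimate input. The script below is an added example, not code from the answer: it implements the same denylist as a loop, applies it to a handful of constructed sample values, and reports which ones were altered. Names such as StripDenylist and the sample strings are assumptions for the demonstration.

```vbscript
' Added example (not from the answer above): run the keyword/character-stripping
' denylist over ordinary, legitimate input and report what it changes.
' Runs under Windows Script Host: cscript //nologo filter_check.vbs
Option Explicit

' Same denylist as the accepted answer, expressed as a table instead of
' twenty-five Replace lines. Entries are the answer's; the function name is assumed.
Function StripDenylist(str)
    Dim tokens, i
    tokens = Array("select", "drop", "--", "insert", "delete", "xp_", _
                   "*", "#", "%", "&", "'", "(", ")", "/", "\", ":", ";", _
                   "<", ">", "=", "[", "]", "?", "`", "|")
    For i = 0 To UBound(tokens)
        ' vbTextCompare makes the match case-insensitive; Replace is
        ' case-sensitive by default, so "Select" would otherwise pass through.
        str = Replace(str, tokens(i), "", 1, -1, vbTextCompare)
    Next
    StripDenylist = str
End Function

' Constructed sample values a real form or querystring might legitimately carry.
Dim samples, s, filtered, altered
samples = Array("O'Brien", "Select Comfort Inc.", "50% off (this week)", _
                "C:\Users\bb", "Q2 delete-me list", "plain text")
altered = 0
For Each s In samples
    filtered = StripDenylist(s)
    If filtered <> s Then
        altered = altered + 1
        WScript.Echo "ALTERED: """ & s & """ -> """ & filtered & """"
    Else
        WScript.Echo "kept:    """ & s & """"
    End If
Next
WScript.Echo altered & " of " & (UBound(samples) + 1) & " legitimate values were changed"
```

Running it shows five of the six samples rewritten ("O'Brien" becomes "OBrien", "Select Comfort Inc." loses its first word, the Windows path loses its separators). A denylist that silently changes stored data is a data-integrity problem in its own right, which is why the later answers in this thread steer toward parameters and stored procedures instead.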
 

Author Comment

by:bbdesign
ID: 35420146
Will this help if the person is using HEX, such as:

%31%20%41%4E%44%20%41%53%43%49%49%28%4C%4F%57%45%52%28%53%55%42%53%54%52%49%4E%47%28%28%53%45%4C%45%43%54%20%54%4F%50%20%31%20%6E%61%6D%65%20%46%52%4F%4D%20%73%79%73%6F%62%6A%65%63%74%73%20%57%48%45%52%45%20%78%74%79%70%65%3D%27%55%27%29%2C%20%31%2C%20%31%29%29%29%20%3E%20%31%31%36
0
 
LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 1000 total points
ID: 35421019
>>Are there recommended products which will work with IIS and ASP to do a more comprehensive job of this? <<
Yeah, they are called Stored Procedures and they avoid all the string gymnastics you are going through.  Check them out and they will not cost you a dime.
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 35421022
P.S. There is no such animal as SQL Server 2003.  It is either 2000, 2005, 2008 or 2008-R2.
0
 
LVL 8

Assisted Solution

by:Kobe_Lenjou
Kobe_Lenjou earned 500 total points
ID: 35422165
URLScan is a possible solution: http://www.iis.net/download/UrlScan

I have never used it myself, but it seems to work.
0
 
LVL 21

Expert Comment

by:Alpesh Patel
ID: 35423379
Please encode your querystring before sending the request to the browser or saving it to a SQL table.
0
 

Author Comment

by:bbdesign
ID: 35440532
Hello, can you briefly explain how putting these queries into a Stored Procedure would avoid these problems? Thank you.
0
 
LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 1000 total points
ID: 35451251
The easiest and safest method of avoiding SQL Injection is using Stored Procedures that do not use Dynamic SQL.  If you do not want to, or are unable to, use Stored Procedures then at the very least use parameterized queries.  Here are some articles on the subject:
SQL Injection
http://msdn.microsoft.com/en-us/library/ms161953.aspx
Are stored procedures safe against SQL injection?
http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/
The Curse and Blessings of Dynamic SQL
http://www.sommarskog.se/dynamic_sql.html#SQL_injection
0
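To make the advice above concrete for the two queries in the question, here is an added example (not code from the answer or from Microsoft's documentation) that rewrites them as parameterized ADODB.Command calls in classic ASP and then performs the same insert through a stored procedure. The connection string, the table and column names from the question, the querystring field names and the procedure name usp_InsertColumn1 are all placeholders; the numeric ADO constants are written inline with their names in comments because classic ASP pages do not get them unless adovbs.inc is included.

```vbscript
<%
' Added example (not from the thread): the question's two inserts done with
' bound parameters, then via a stored procedure. Placeholders: connection
' string, [table]/column1/column2, querystring field names, usp_InsertColumn1.
Option Explicit

Dim cn, cmd
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=MyDb;Integrated Security=SSPI;"

' 1) String column. The value is sent as a parameter and is never spliced into
'    the SQL text, so quotes, comments or keywords inside it are plain data.
'    Request.QueryString already percent-decodes the value; that no longer
'    matters, because the decoded text is never parsed as SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = 1                                   ' adCmdText
cmd.CommandText = "insert into [table] (column1) values (?)"
cmd.Parameters.Append cmd.CreateParameter("@column1", 200, 1, 50, _
    Request.QueryString("insertvalue"))               ' adVarChar, adParamInput, size 50
cmd.Execute , , 128                                   ' adExecuteNoRecords

' 2) Integer column. Validate first, then bind as adInteger; a non-numeric
'    value is rejected with a 400 instead of raising a runtime error in Int().
Dim rawNumber, number
rawNumber = Trim(Request.QueryString("insertvalue2"))
If Not IsNumeric(rawNumber) Then
    Response.Status = "400 Bad Request"
    Response.Write "insertvalue2 must be numeric"
    Response.End
End If
number = CLng(rawNumber)                              ' CLng rounds fractions; tighten if needed

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = 1                                   ' adCmdText
cmd.CommandText = "insert into [table] (column2) values (?)"
cmd.Parameters.Append cmd.CreateParameter("@column2", 3, 1, , number)   ' adInteger, adParamInput
cmd.Execute , , 128

' 3) Stored procedure with a typed parameter and no dynamic SQL inside it.
'    Assumed definition on the server:
'      CREATE PROCEDURE usp_InsertColumn1 @column1 varchar(50) AS
'          INSERT INTO [table] (column1) VALUES (@column1)
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = 4                                   ' adCmdStoredProc
cmd.CommandText = "usp_InsertColumn1"
cmd.Parameters.Append cmd.CreateParameter("@column1", 200, 1, 50, _
    Request.QueryString("insertvalue"))
cmd.Execute , , 128

cn.Close
Set cmd = Nothing
Set cn = Nothing
%>
```

The two concatenated strings from the question become fixed SQL text with `?` placeholders, and the typed parameters carry the data; the stored-procedure variant gives the same separation with the SQL living on the server, which is the case the linked Sommarskog article contrasts with procedures that build dynamic SQL internally.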