Asp.Net SqlServer Injection attack
rp asked:
In the following example, is it possible to have an SQL injection attack?
To query some products, for example, the website returns the following link:
http://www.mywebsite.com/products.aspx?idcat=14&index=3
After this, the code queries some records to display:
' Query-string values are pasted straight into the SQL text
Dim cat As String = Request.QueryString("IdCat")
Dim index As String = Request.QueryString("Index")
Dim SqlStr As String = "Select name,price from products where idcat=" & cat & " and index= " & index
Dim dataset As New DataSet()
Dim adapter As New SqlDataAdapter(SqlStr, conn)
adapter.Fill(dataset, "Products")
How can I prevent this?
Well, IMHO no.
The point is that when using a stored procedure you're only sending the name of the stored procedure and any associated parameters up the wire, but using concatenated SQL you are sending the entire executable SQL script, which could be intercepted and modified along the way.
I think interception is highly unlikely, but it could happen.
However, when using a stored procedure, in the event of malicious interception, you are not giving out much information about your db structure (field names, table names, etc.); that's why it's considered the best defence against SQL injection.
Alan
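The following is an added example, not code from the question or from Alan's answer. It reproduces the concatenation pattern from the question and runs it against an in-memory SQLite table (standing in for SQL Server, so it runs offline) with a few constructed rows, then sends a hostile `idcat` value through both the concatenated query and a parameterized one. The table, rows and the `0 OR 1=1 --` payload are assumptions for the demonstration; the parameter placeholders (`?` in sqlite3, `@idcat` with a `SqlParameter` in ADO.NET) are the same mechanism: the values travel to the server separately from the SQL text and are never parsed as SQL.

```python
import sqlite3

# Constructed sample rows standing in for the products table in the question.
SAMPLE_ROWS = [
    ("Widget", 9.99, 14, 3),
    ("Gadget", 19.99, 14, 4),
    ("Secret item", 99.0, 99, 3),   # different category: must never be returned for idcat=14
]


def open_db():
    """In-memory SQLite database with a products table shaped like the one in the question."""
    conn = sqlite3.connect(":memory:")
    # "index" is a reserved word in most SQL dialects, so it is quoted.
    conn.execute('CREATE TABLE products (name TEXT, price REAL, idcat INTEGER, "index" INTEGER)')
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_concatenated(conn, cat, index):
    """The vulnerable pattern from the question: query-string text becomes part of the SQL."""
    sql = 'SELECT name, price FROM products WHERE idcat=' + cat + ' AND "index"=' + index
    return conn.execute(sql).fetchall()


def query_parameterized(conn, cat, index):
    """Same query with placeholders; the driver binds the values, it does not paste them in."""
    sql = 'SELECT name, price FROM products WHERE idcat=? AND "index"=?'
    return conn.execute(sql, (cat, index)).fetchall()


def parse_int(value):
    """Strict validation for numeric ids: anything that is not an integer is rejected early."""
    try:
        return int(value)
    except (TypeError, ValueError):
        raise ValueError("expected an integer id, got %r" % (value,))


def query_hardened(conn, cat, index):
    """Defence in depth: validate the type first, then bind the value as a parameter."""
    return query_parameterized(conn, parse_int(cat), parse_int(index))


def demo():
    """Returns (normal result, injected result via concatenation, same payload via parameters)."""
    conn = open_db()
    normal = query_concatenated(conn, "14", "3")          # ?idcat=14&index=3
    payload = "0 OR 1=1 --"                                # ?idcat=0%20OR%201%3D1%20--&index=3
    injected = query_concatenated(conn, payload, "3")     # comment hides the rest of the WHERE clause
    safe = query_parameterized(conn, payload, "3")        # compared as a literal value: no rows
    return normal, injected, safe


if __name__ == "__main__":
    normal, injected, safe = demo()
    print("normal:      ", normal)
    print("concatenated:", injected)
    print("parameterized:", safe)
```

With the payload, the concatenated query turns into `... WHERE idcat=0 OR 1=1 -- AND "index"=3` and returns every row, including the one from category 99; the parameterized query treats the whole string as a value to compare against an integer column and returns nothing, and `query_hardened` rejects it before any SQL is built. In the ADO.NET code from the question the equivalent is `cmd.Parameters.Add("@idcat", SqlDbType.Int).Value = idCat` on a `SqlCommand` passed to `New SqlDataAdapter(cmd)`.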
ASKER
Even if I do not use stored procedures in some cases, using parameters in queries has the same effect, right?