Solved

Passing a SQL Query to another page Using a Session variable ASP

Posted on 2013-10-23
8 Comments, 711 Views
Last Modified: 2013-11-12
On my Classic ASP site, I'm passing a SQL query to another page using a session variable:

Something like:

query = "select * from mytable where j=1"
session("SearchString")= query
response.redirect("viewresults.asp")

Then on the viewresults.asp page:
query = session("SearchString")

I was wondering if there are any security issues with doing this.
I don't want any chance of the SQL being visible to visitors.


Thanks for your help!!!
Question by:slightlyoff
8 Comments
 
LVL 28

Accepted Solution

by:
sammySeltzer earned 500 total points
ID: 39594549
They are not going to see the SQL per se. It is server-side code and that should be the least of your problems.

However, I am hoping that you are not passing the hardcoded value of 1.

You should do something to protect against SQL injection attacks.

Something like this:

intVal = Replace(intVal, "'", "''", 1, -1, 1)

Then if you really have to hardcode the value, then

intVal = 1

Then your question becomes:

query = "select * from mytable where j=" & intVal

Rest of your query stays the same.
LVL 1

Author Comment

by:slightlyoff
ID: 39594619
Actually, I was passing a much longer query with several "where" clauses. I just did the j=1 as an example. Normally the value for "j" would be text.

When the user does a search, the information they type into the search box is scrubbed and validated before being added to the SQL statement. Then the SQL statement is assigned to the session variable and passed to the results page as before.

Does that make sense?

Thanks for your help & quick response!
LVL 28

Expert Comment

by:sammySeltzer
ID: 39594983
Ok, same concept.

Assuming you are passing 5 fieldnames in the WHERE clause, then something similar:

intVal  = Replace(intVal, "'", "''", 1, -1, 1)
strVar1 = Replace(strVar1, "'", "''", 1, -1, 1)
strVar2 = Replace(strVar2, "'", "''", 1, -1, 1)
strVar3 = Replace(strVar3, "'", "''", 1, -1, 1)
strVar4 = Replace(strVar4, "'", "''", 1, -1, 1)

Then since you are passing values of text variety, then:

query = "select * from mytable where j=" & intVal & " AND f='" & strVar1 & "' and ...
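As an added example (not code from either poster), here is the quote-doubling pattern from this comment and the accepted answer above, wrapped in two helpers so that text and numeric values take different paths. Doubling single quotes only protects a value that sits inside quotes in the SQL text; an unquoted number such as j gets no protection from it, so that value is validated with IsNumeric and converted with CLng instead. The column names j, f and g, and the form field names, are assumptions.

```vbscript
<%
Option Explicit

' Added example, not from the thread. Text values get the Replace-based
' quote doubling shown in the comment; numeric values are validated instead,
' because doubling quotes does nothing for a value that is not inside quotes.

' Text value: double any embedded single quote and wrap the result in quotes.
Function SqlText(value)
    SqlText = "'" & Replace(CStr(value), "'", "''") & "'"
End Function

' Numeric value: reject anything that is not a number, then emit it as a Long
' so the literal that reaches SQL is only digits (and an optional sign).
Function SqlInt(value)
    If Not IsNumeric(value) Then
        Err.Raise vbObjectError + 1, "SqlInt", "numeric value expected"
    End If
    SqlInt = CStr(CLng(value))
End Function

' Assumed form field names; the columns j (numeric), f and g (text) are assumptions too.
Dim intVal, strVar1, strVar2, query
intVal  = Request.Form("j")
strVar1 = Request.Form("f")
strVar2 = Request.Form("g")

query = "SELECT * FROM mytable WHERE j = " & SqlInt(intVal) & _
        " AND f = " & SqlText(strVar1) & _
        " AND g = " & SqlText(strVar2)

' Same hand-off as in the question: the finished statement goes into the
' session and the results page reads it back.
Session("SearchString") = query
Response.Redirect "viewresults.asp"
%>
```

Routing every value through one of these two functions, rather than repeating the Replace call per variable, means a field that is added later cannot be forgotten; a value that fails SqlInt raises an error before any SQL is built.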
LVL 20

Expert Comment

by:Silvers5
ID: 39596081
If it is a server-side variable (Session variable) then there are no issues from SQL injections.
Injections are an issue in a GET request or client-side variables.

http://www.w3schools.com/tags/ref_httpmethods.asp
LVL 28

Expert Comment

by:sammySeltzer
ID: 39596238
Please don't confuse the OP.

Session variables and SQL injection attacks are not related.

You can use Session if you don't want to expose sensitive information in the url.

Preventing SQL Injection attack is a different animal.

You either use the approach I showed or use a parameterized query to avoid shadowing.
LVL 28

Expert Comment

by:Ark
ID: 39599580
Why not just use <form action="viewresults.asp"> and move query building procedure to target page?
LVL 28

Expert Comment

by:sybe
ID: 39613490
It is a bad idea to use a session object for this. Mainly because the query is not related to the session, but to the request. What if the same user has multiple windows open on your site? All those windows share the same Session.

I have seen sites which worked like this. I had one window open and got page 1 of a search result. In another window I searched for a different word. Then I returned to window 1 and did "next page", expecting I would get the next page of search #1. Instead I got page 2 of search #2. It was all so mixed up.

What seems like a good solution is to use the same function to build a querystring in your pages. Put the code for that function in an include.
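Putting sammySeltzer's parameterized-query advice and this comment's per-request design together, as an added example that is not code from the thread: a shared include builds the query string, every page (including the "next page" link) uses that one function, and viewresults.asp builds and runs the query itself with ADO parameters instead of string concatenation, so nothing search-related is kept in Session. The column names j and f, the field names, the page size and the connection string in Application("ConnString") are assumptions.

```vbscript
<%
' ---- search_inc.asp (added example, not from the thread) ----
' Pulled into every page with <!-- #include file="search_inc.asp" -->.
' The search criteria travel in the request, not the Session, so each browser
' window carries its own search. Field names j, f and page are assumptions.
Function BuildSearchUrl(jVal, fVal, pageNo)
    BuildSearchUrl = "viewresults.asp?j=" & Server.URLEncode(CStr(jVal)) & _
                     "&f=" & Server.URLEncode(CStr(fVal)) & _
                     "&page=" & Server.URLEncode(CStr(pageNo))
End Function
%>

<%@ Language=VBScript %>
<% Option Explicit %>
<!-- #include file="search_inc.asp" -->
<%
' ---- viewresults.asp (added example, not from the thread) ----
Const adInteger    = 3      ' ADO constants, normally taken from adovbs.inc
Const adVarChar    = 200
Const adParamInput = 1
Const adUseClient  = 3
Const PAGE_SIZE    = 20     ' assumed page size

Dim jVal, fVal, pageNo, shown
jVal   = Request.QueryString("j")
fVal   = Request.QueryString("f")
pageNo = Request.QueryString("page")

' Validate before anything touches the database.
If Not IsNumeric(jVal) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
If Not IsNumeric(pageNo) Then pageNo = 1
pageNo = CLng(pageNo)
If pageNo < 1 Then pageNo = 1

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")     ' assumed: connection string kept in Application

' Parameters carry the values separately from the SQL text, so no quote
' doubling is needed and a value can never change the statement's structure.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT f FROM mytable WHERE j = ? AND f = ?"
cmd.Parameters.Append cmd.CreateParameter("j", adInteger, adParamInput, , CLng(jVal))
cmd.Parameters.Append cmd.CreateParameter("f", adVarChar, adParamInput, 255, CStr(fVal))

Set rs = Server.CreateObject("ADODB.Recordset")
rs.CursorLocation = adUseClient         ' client cursor so PageSize/AbsolutePage work
rs.Open cmd

If Not rs.EOF Then
    rs.PageSize = PAGE_SIZE
    If pageNo > rs.PageCount Then pageNo = rs.PageCount
    rs.AbsolutePage = pageNo
    shown = 0
    Do While Not rs.EOF And shown < PAGE_SIZE
        Response.Write Server.HTMLEncode(rs("f").Value & "") & "<br>"
        rs.MoveNext
        shown = shown + 1
    Loop
    ' The next-page link is rebuilt from this request's own criteria with the
    ' shared function, so it can never point at another window's search.
    If pageNo < rs.PageCount Then
        Response.Write "<a href=""" & Server.HTMLEncode(BuildSearchUrl(jVal, fVal, pageNo + 1)) & """>Next page</a>"
    End If
End If

rs.Close
conn.Close
%>
```

Because the criteria arrive with each request, the second-window problem described above disappears: page 2 of a search is always page 2 of the search whose criteria are in that window's URL. The search form itself would simply redirect to BuildSearchUrl(j, f, 1), or use <form action="viewresults.asp"> as Ark suggested, so that the query is only ever assembled on the results page.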
LVL 1

Author Comment

by:slightlyoff
ID: 39642445
I've requested that this question be closed as follows:

Accepted answer: 0 points for slightlyoff's comment #a39594619

for the following reason:

Thank you for your help!  I had to step away from the project, so sorry for the delay in responding.