Solved

Passing a SQL Query to another page Using a Session variable ASP

Posted on 2013-10-23
705 Views
Last Modified: 2013-11-12
On my classic asp site, I'm passing a sql query to another page using a session variable:

Something like:

query = "select * from mytable where j=1"
session("SearchString")= query
response.redirect("viewresults.asp")

Then on the viewresults.asp page:
query = session("SearchString")

I was wondering if there are any security issues with doing this.
I don't want any chance of the SQL being visible to visitors.


Thanks for your help!!!
Question by:slightlyoff
8 Comments

LVL 28
Accepted Solution by: sammySeltzer (earned 500 total points)
ID: 39594549
They are not going to see the sql per se. It is server side code and that should be the least of your problems.

However, I am hoping that you are not passing the hardcoded value of 1.

You should do something to protect against SQL injection attacks.

Something like this:

intVal = Replace(intVal, "'", "''", 1, -1, 1)

Then if you really have to hardcode the value, then

intVal = 1

Then your question becomes:

query = "select * from mytable where j=" & intVal

Rest of your query stays the same.
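An added example, not code from the thread or from any of the posters: the same WHERE clause on viewresults.asp executed through an ADODB.Command with bound parameters, with the integer checked before it gets near the SQL. Assumed names: the connection string stored in Application("ConnString"), the columns j (integer) and f (text) as in sammySeltzer's reply, and the values arriving in the posted form (as Ark suggests later in the thread) rather than in the Session.

```vbscript
<%
' Added example (not from the thread): run the search on viewresults.asp with an
' ADODB.Command and bound parameters instead of concatenating escaped strings.
' Assumed: connection string in Application("ConnString") (set in global.asa),
' table "mytable" with integer column "j" and text column "f".
Option Explicit

' ADO constants, normally supplied by adovbs.inc
Const adInteger    = 3
Const adVarChar    = 200
Const adParamInput = 1
Const adCmdText    = 1

' Accept only a plain integer. Replace() doubles quotes, which does nothing
' for a numeric column because that value is never inside quotes to begin with.
Function ParseIntStrict(ByVal s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^-?\d{1,9}$"
    If re.Test(Trim(s)) Then
        ParseIntStrict = CLng(Trim(s))
    Else
        ParseIntStrict = Null
    End If
End Function

' Build and execute the query with bound parameters. The SQL text holds only
' placeholders, so user input cannot change the statement's structure.
Function RunSearch(ByVal conn, ByVal intVal, ByVal strVar1)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT * FROM mytable WHERE j = ? AND f = ?"
    cmd.CommandType = adCmdText
    cmd.Parameters.Append cmd.CreateParameter("j", adInteger, adParamInput, , intVal)
    cmd.Parameters.Append cmd.CreateParameter("f", adVarChar, adParamInput, 255, strVar1)
    Set RunSearch = cmd.Execute
End Function

' Usage on viewresults.asp: values come from this request's form post,
' so nothing about the search is kept in the Session.
Dim conn, rs, jVal
jVal = ParseIntStrict(Request.Form("j"))
If IsNull(jVal) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid search value."
Else
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")
    Set rs = RunSearch(conn, jVal, Request.Form("f"))
    Do While Not rs.EOF
        Response.Write Server.HTMLEncode(rs("f")) & "<br>"
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
End If
%>
```

With the values bound, the quote doubling in the accepted answer is no longer the thing standing between the input and the query text, and a non-numeric j is refused before any SQL is built. The SQL itself never leaves the server either way, which is the visibility question the original post asked about.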

LVL 1
Author Comment by: slightlyoff
ID: 39594619
Actually, I was passing a much longer query with several "where" clauses. I just did the j=1 as an example. Normally the value for "j" would be text.

When the user does a search, the information they type into the search box is scrubbed and validated before being added to the SQL statement. Then the SQL statement is assigned to the session variable and passed to the results page as before.

Does that make sense?

Thanks for your help & quick response!

LVL 28
Expert Comment by: sammySeltzer
ID: 39594983
Ok, same concept.

Assuming you are passing 5 fieldnames in the WHERE clause, then something similar:

intVal = Replace(intVal, "'", "''", 1, -1, 1)
strVar1 = Replace(strVar1, "'", "''", 1, -1, 1)
strVar2 = Replace(strVar2, "'", "''", 1, -1, 1)
strVar3 = Replace(strVar3, "'", "''", 1, -1, 1)
strVar4 = Replace(strVar4, "'", "''", 1, -1, 1)

Then since you are passing values of text variety, then:

query = "select * from mytable where j=" & intVal & " AND f='" & strVar1 & "' and ...

LVL 20
Expert Comment by: Silvers5
ID: 39596081
If it is a server-side variable (Session variable) then there are no issues from SQL injections.
Injections are an issue in a GET request or client-side variables.

http://www.w3schools.com/tags/ref_httpmethods.asp

LVL 28
Expert Comment by: sammySeltzer
ID: 39596238
Please don't confuse the OP.

Session variables and SQL injection attacks are not related.

You can use Session if you don't want to expose sensitive information in the url.

Preventing SQL Injection attack is a different animal.

You either use the approach I showed or use a parameterized query to avoid shadowing.

LVL 27
Expert Comment by: Ark
ID: 39599580
Why not just use <form action="viewresults.asp"> and move query building procedure to target page?

LVL 28
Expert Comment by: sybe
ID: 39613490
It is a bad idea to use a session object for this. Mainly because the query is not related to the session, but to the request. What if the same user has multiple windows open on your site? All those windows share the same Session.

I have seen sites which worked like this. I had one window open and got page 1 of a search result. In another window I searched for a different word. Then I returned to window 1 and did "next page", expecting I would get the next page of search #1. Instead I got page 2 of search #2. It was all so mixed up.

What seems like a good solution is to use the same function to build a querystring in your pages. Put the code for that function in an include.
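As an added illustration of sybe's suggestion (not code from the thread or from any poster): one shared function, kept in an include, that builds the search querystring, so each request, and therefore each browser window, carries its own search term and page number instead of reading them back out of the Session. Assumed names: the include file search_inc.asp and the querystring parameters q and page.

```vbscript
<%
' Added example (not from the thread): a querystring builder shared by the search
' page and viewresults.asp via an include (assumed file name: search_inc.asp).
' Every link carries its own term and page number, so two windows never collide.
Option Explicit

' Build "?q=...&page=N". Server.URLEncode escapes spaces, ampersands and quotes,
' so a search term cannot smuggle extra parameters into the link.
Function BuildSearchQueryString(ByVal term, ByVal pageNo)
    Dim p
    p = CLng(pageNo)
    If p < 1 Then p = 1
    BuildSearchQueryString = "?q=" & Server.URLEncode(term) & "&page=" & CStr(p)
End Function

' Read the page number back out of this request, defaulting to 1 and
' refusing anything that is not a small positive integer.
Function CurrentPage()
    Dim v, re
    v = Trim(Request.QueryString("page"))
    Set re = New RegExp
    re.Pattern = "^\d{1,6}$"
    If re.Test(v) Then
        CurrentPage = CLng(v)
    Else
        CurrentPage = 1
    End If
End Function

' On viewresults.asp: the "next page" link is built from this request's own
' term, not from a Session value that another window may have overwritten.
Dim term, pageNo
term = Request.QueryString("q")
pageNo = CurrentPage()
Response.Write "<a href=""viewresults.asp" & _
    Server.HTMLEncode(BuildSearchQueryString(term, pageNo + 1)) & """>Next page</a>"
%>
```

The results page then validates q and page from the request and builds its SQL from those values (with bound parameters, as discussed earlier in the thread); nothing about the search is stored in the Session, so the mixed-up paging sybe describes cannot happen.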

LVL 1
Author Comment by: slightlyoff
ID: 39642445
I've requested that this question be closed as follows:

Accepted answer: 0 points for slightlyoff's comment #a39594619

for the following reason:

Thank you for your help! I had to step away from the project, so sorry for the delay in responding.