Solved
Passing a SQL Query to another page Using a Session variable ASP

Posted on 2013-10-23
742 Views
Last Modified: 2013-11-12
On my classic asp site, I'm passing a sql query to another page using a session variable:

Something like:

query = "select * from mytable where j=1"
session("SearchString") = query
response.redirect("viewresults.asp")

Then on the viewresults.asp page:
query = session("SearchString")

I was wondering if there are any security issues with doing this.
I don't want any chance of the SQL being visible to visitors.


Thanks for your help!!!
Question by:slightlyoff
8 Comments
 
LVL 29

Accepted Solution

by:
sammySeltzer earned 2000 total points
ID: 39594549
They are not going to see the sql per se. It is server side code and that should be the least of your problems.

However, I am hoping that you are not passing the hardcoded value of 1.

You should do something to protect against SQL injection attacks.

Something like this:


intVal = Replace(intVal, "'", "''", 1, -1, 1)
If you really have to hardcode the value, then:
intVal = 1

Then your query becomes:

query = "select * from mytable where j=" & intVal

Rest of your query stays the same.
 
LVL 1

Author Comment

by:slightlyoff
ID: 39594619
Actually, I was passing a much longer query with several "where" clauses. I just did the j=1 as an example. Normally the value for "j" would be text.

When the user does a search, the information they type into the search box is scrubbed and validated before being added to the SQL statement. Then the SQL statement is assigned to the session variable and passed to the results page as before.

Does that make sense?

Thanks for your help & quick response!
 
LVL 29

Expert Comment

by:sammySeltzer
ID: 39594983
Ok, same concept.

Assuming you are passing 5 fieldnames in the WHERE clause, then something similar:

intVal = Replace(intVal, "'", "''", 1, -1, 1)
strVar1 = Replace(strVar1, "'", "''", 1, -1, 1)
strVar2 = Replace(strVar2, "'", "''", 1, -1, 1)
strVar3 = Replace(strVar3, "'", "''", 1, -1, 1)
strVar4 = Replace(strVar4, "'", "''", 1, -1, 1)

Then since you are passing values of text variety, then:

query = "select * from mytable where j=" & intVal & " AND f='" & strVar1 & "' and ...
 
LVL 20

Expert Comment

by:Michel Sakr
ID: 39596081
If it is a server side variable (Session variable) then there are no issues from SQL injections.
Injections are an issue in a GET request or client side variables.

http://www.w3schools.com/tags/ref_httpmethods.asp
 
LVL 29

Expert Comment

by:sammySeltzer
ID: 39596238
Please don't confuse the OP.

Session variable and sql injections attack are not related.

You can use Session if you don't want to expose sensitive information in the url.

Preventing SQL Injection attack is a different animal.

You either use the approach I showed or use a parameterized query to avoid shadowing.
 
LVL 28

Expert Comment

by:Ark
ID: 39599580
Why not just use <form action="viewresults.asp"> and move query building procedure to target page?
 
LVL 28

Expert Comment

by:sybe
ID: 39613490
It is a bad idea to use a session object for this. Mainly because the query is not related to the session, but to the request. What if the same user has multiple windows open on your site? All those windows share the same Session.

I have seen sites which worked like this. I had one window open and got page 1 of a search result. In another window I searched for a different word. Then I returned to window 1 and did "next page", expecting I would get the next page of search #1. Instead I got page 2 of search #2. It was all so mixed up.

What seems like a good solution is to use the same function to build a querystring in your pages. Put the code for that function in an include.
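Pulling the thread's advice together (sammySeltzer's point that the real defence is a parameterized query rather than quote-escaping, Ark's suggestion to post the search form straight to viewresults.asp, and sybe's point that the query belongs to the request and not to the Session), here is an added classic ASP example. It was written for this page and is not code posted by anyone in the thread. It assumes a table mytable with an integer column j and a text column f, and a connection string stored in Application("ConnString") by global.asa; both are assumptions for the example, not details from the question.

```vbscript
<%
Option Explicit
' viewresults.asp: added example for this thread, not code from any of the posts.
' Assumed: table mytable with integer column j and text column f, and a
' connection string stored in Application("ConnString") by global.asa.

' ADO constants, declared here so the page does not depend on adovbs.inc
Const adCmdText    = 1
Const adInteger    = 3
Const adVarChar    = 200
Const adParamInput = 1

' Build the query on the results page from the request's own values, so each
' window or tab carries its own search instead of all sharing one Session value.
Function BuildSearchCommand(conn, jValue, fValue)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Placeholders instead of concatenation: the values travel as parameters
    ' and never become part of the SQL text, so quotes in fValue are harmless.
    cmd.CommandText = "SELECT * FROM mytable WHERE j = ? AND f = ?"
    cmd.Parameters.Append cmd.CreateParameter("j", adInteger, adParamInput, , CLng(jValue))
    cmd.Parameters.Append cmd.CreateParameter("f", adVarChar, adParamInput, 255, CStr(fValue))
    Set BuildSearchCommand = cmd
End Function

Dim jRaw, fRaw
jRaw = Request("j")   ' Request() reads both a posted form field and a querystring value
fRaw = Request("f")

' Validate the integer up front: escaping quotes does nothing for an unquoted
' numeric comparison, so reject anything that is not a whole number.
If Not IsNumeric(jRaw) Or InStr(jRaw, ".") > 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid search."
    Response.End
End If

' Cap the text term to the parameter size declared above
If Len(fRaw) > 255 Then fRaw = Left(fRaw, 255)

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

Set cmd = BuildSearchCommand(conn, jRaw, fRaw)
Set rs = cmd.Execute

Do While Not rs.EOF
    ' HTMLEncode on output so a stored value cannot inject markup into the page;
    ' the & "" turns a Null field into an empty string before encoding.
    Response.Write Server.HTMLEncode(rs("f").Value & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
%>
```

The search page then only needs a form such as <form action="viewresults.asp" method="post"> with inputs named j and f. No SQL text is ever sent to the browser, nothing is stored in the Session, and a visitor with several tabs open gets each tab's own results. One caveat worth keeping in mind about the Replace-based escaping shown earlier in the thread: it only protects a value that is wrapped in single quotes in the query. An unquoted numeric comparison such as j=" & intVal needs a numeric check like the IsNumeric test above, whereas the parameterized form covers both kinds of value.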
 
LVL 1

Author Comment

by:slightlyoff
ID: 39642445
I've requested that this question be closed as follows:

Accepted answer: 0 points for slightlyoff's comment #a39594619

for the following reason:

Thank you for your help!  I had to step away from the project, so sorry for the delay in responding.
