• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 757
  • Last Modified:

Passing a SQL Query to another page Using a Session variable ASP

On my classic asp site, I'm passing a sql query to another page using a session variable:

Something like:

query = "select * from mytable where j=1"
session("SearchString")= query
response.redirect("viewresults.asp")

Then on the viewresults.asp page:
query = session("SearchString")

I was wondering if there are any security issues with doing this.
I don't want any chance of the SQL being visible to visitors.


Thanks for your help!!!
0
slightlyoff
Asked:
slightlyoff
1 Solution
 
sammySeltzerCommented:
They are not going to see the sql per se. It is server side code and that should be the least of your problems.

However, I am hoping that you are not passing the hardcoded value of 1.

You should do something to protect against sql inject attack.

Something like this:


        intVal = Replace(intval, "'", "''", 1, -1, 1)
Then if you really have to hardcode the value, then
intval =  1

Then your question becomes:

query = "select * from mytable where j=" &intval

Rest of your query stays the same.
0
 
slightlyoffAuthor Commented:
actually, I was passing a much longer query with several "where" clauses.   I just did the j=1 as an example.  Normally the value for "j" would be text.

when the user does a search, the information they type in to the search-box is scrubbed and validated before being added to the SQL statement.  Then the SQL statment is assigned to the session variable and passed to the results page as before.

Does that make sense?

Thanks for your help & quick response!
0
 
sammySeltzerCommented:
Ok, same concept.

Assuming you are passing 5 fieldnames in the WHERE clause, then something similar:

 intVal = Replace(intval, "'", "''", 1, -1, 1)
 strVar1 = Replace(strVar1 , "'", "''", 1, -1, 1)
 strVar2 = Replace(strVar2 , "'", "''", 1, -1, 1)
 strVar3 = Replace(strVar3 , "'", "''", 1, -1, 1)
 strVar4 = Replace(strVar4 , "'", "''", 1, -1, 1)

Then since you are passing values of text variety, then:

query = "select * from mytable where j=" & intval & " AND f='" &strVar1& "' and ...
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
Michel SakrCommented:
If it is a server side variable (Session variable) then there is no issues from SQL injections.
Injections are an issue in a get request or client side variables

http://www.w3schools.com/tags/ref_httpmethods.asp
0
 
sammySeltzerCommented:
Please don't confuse the OP.

Session variable and sql injections attack are not related.

You can use Session if you don't want to expose sensitive information in the url.

Preventing SQL Injection attack is a different animal.

You either use the approach I showed or use parametized query to avoid shadowing.
0
 
ArkCommented:
Why not just use <form action="viewresults.asp"> and move query building procedure to target page?
0
 
sybeCommented:
It is a bad idea to use a session object for this. Mainly because the query is not related to the session, but to the request. What is the same user has multiple windows open on your site? All those windows share the same Session.

I have seen sites which worked like this. I had one window open and got page 1 of a  search result. In another window I searched for a different word. Then I return to window 1 and did "next page", expecting I would get the next page of search #1. In stead I got page 2 of search #2. It was all so mixed up.

What seems like a good solution is to use the same function to build a querystring in your pages. Put the code for that function in an include.
0
 
slightlyoffAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for slightlyoff's comment #a39594619

for the following reason:

Thank you for your help!  I had to step away from the project, so sorry for the delay in responding.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now