Solved

Passing a SQL Query to another page Using a Session variable ASP

Posted on 2013-10-23
8
695 Views
Last Modified: 2013-11-12
On my classic asp site, I'm passing a sql query to another page using a session variable:

Something like:

query = "select * from mytable where j=1"
session("SearchString")= query
response.redirect("viewresults.asp")

Then on the viewresults.asp page:
query = session("SearchString")

I was wondering if there are any security issues with doing this.
I don't want any chance of the SQL being visible to visitors.


Thanks for your help!!!
0
Comment
Question by:slightlyoff
8 Comments
 
LVL 28

Accepted Solution

by:
sammySeltzer earned 500 total points
Comment Utility
They are not going to see the sql per se. It is server side code and that should be the least of your problems.

However, I am hoping that you are not passing the hardcoded value of 1.

You should do something to protect against sql inject attack.

Something like this:


        intVal = Replace(intval, "'", "''", 1, -1, 1)
Then if you really have to hardcode the value, then
intval =  1

Then your question becomes:

query = "select * from mytable where j=" &intval

Rest of your query stays the same.
0
 
LVL 1

Author Comment

by:slightlyoff
Comment Utility
actually, I was passing a much longer query with several "where" clauses.   I just did the j=1 as an example.  Normally the value for "j" would be text.

when the user does a search, the information they type in to the search-box is scrubbed and validated before being added to the SQL statement.  Then the SQL statment is assigned to the session variable and passed to the results page as before.

Does that make sense?

Thanks for your help & quick response!
0
 
LVL 28

Expert Comment

by:sammySeltzer
Comment Utility
Ok, same concept.

Assuming you are passing 5 fieldnames in the WHERE clause, then something similar:

 intVal = Replace(intval, "'", "''", 1, -1, 1)
 strVar1 = Replace(strVar1 , "'", "''", 1, -1, 1)
 strVar2 = Replace(strVar2 , "'", "''", 1, -1, 1)
 strVar3 = Replace(strVar3 , "'", "''", 1, -1, 1)
 strVar4 = Replace(strVar4 , "'", "''", 1, -1, 1)

Then since you are passing values of text variety, then:

query = "select * from mytable where j=" & intval & " AND f='" &strVar1& "' and ...
0
 
LVL 20

Expert Comment

by:Silvers5
Comment Utility
If it is a server side variable (Session variable) then there is no issues from SQL injections.
Injections are an issue in a get request or client side variables

http://www.w3schools.com/tags/ref_httpmethods.asp
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 28

Expert Comment

by:sammySeltzer
Comment Utility
Please don't confuse the OP.

Session variable and sql injections attack are not related.

You can use Session if you don't want to expose sensitive information in the url.

Preventing SQL Injection attack is a different animal.

You either use the approach I showed or use parametized query to avoid shadowing.
0
 
LVL 27

Expert Comment

by:Ark
Comment Utility
Why not just use <form action="viewresults.asp"> and move query building procedure to target page?
0
 
LVL 28

Expert Comment

by:sybe
Comment Utility
It is a bad idea to use a session object for this. Mainly because the query is not related to the session, but to the request. What is the same user has multiple windows open on your site? All those windows share the same Session.

I have seen sites which worked like this. I had one window open and got page 1 of a  search result. In another window I searched for a different word. Then I return to window 1 and did "next page", expecting I would get the next page of search #1. In stead I got page 2 of search #2. It was all so mixed up.

What seems like a good solution is to use the same function to build a querystring in your pages. Put the code for that function in an include.
0
 
LVL 1

Author Comment

by:slightlyoff
Comment Utility
I've requested that this question be closed as follows:

Accepted answer: 0 points for slightlyoff's comment #a39594619

for the following reason:

Thank you for your help!  I had to step away from the project, so sorry for the delay in responding.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

A while ago, I was working on a Windows Forms application and I needed a special label control with reflection (glass) effect to show some titles in a stylish way. I've always enjoyed working with graphics, but it's never too clever to re-invent …
Introduction When many people think of the WebBrowser (http://msdn.microsoft.com/en-us/library/2te2y1x6%28v=VS.85%29.aspx) control, they immediately think of a control which allows the viewing and navigation of web pages. While this is true, it's a…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now