This can still be a problem even if you use stored procedures. I've seen code like this:

    sql = "exec sp_name " & userdata

If userdata contains '0; delete from table' then you've got a problem.

The best way around this is to use parameterized queries for all data access, including stored procedures, selects, inserts, and updates. Never build up SQL statements from strings that include user input.

Eric.

-----Original Message-----
From: Bertrand Schmitt [mailto:bertrand.schmittat_private]
Sent: Saturday, February 26, 2000 11:03 AM
To: BUGTRAQat_private
Subject: Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)

If you use Stored Procedure calls in your ASP pages this can't happen!!

Manually creating SQL statements within ASP is poor design: not as efficient and secure as storing them in your database server (as stored procedures) and making a call to them, without speaking of coding properly: do you reuse these pieces of code?!

Within product.asp dept_id is picked up and used to construct a SQL statement.

    "select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")

Further down the page a, b, c, d, e, f and g are Response.Write'd to the page. Think about what happens if the URL above is modified to

    http://hostname/product.asp?dept_id=100000 union select credit_card_number,null,null,null,null,null, null from Credit_Card_table
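The contrast Eric draws, as an added example that is not from either message: the concatenated product.asp query beside a parameterized version, run against a constructed in-memory SQLite database (Python's sqlite3 stands in for SQL Server/ADO; table names, columns and rows are constructed stand-ins, not Site Server's schema).

```python
import sqlite3

# Constructed stand-in for the product and credit-card tables named in the thread.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table product (a, b, c, d, e, f, g, dept_id integer);
        insert into product values ('widget', 1, 2, 3, 4, 5, 6, 42);
        create table Credit_Card_table (credit_card_number);
        insert into Credit_Card_table values ('0000-constructed-sample');
    """)
    return con

def products_concat(con, dept_id):
    """The vulnerable pattern: the request value is spliced into the SQL text,
    so anything it contains is parsed as SQL by the engine."""
    sql = "select a,b,c,d,e,f,g from product where dept_id = " + dept_id
    return con.execute(sql).fetchall()

def products_param(con, dept_id):
    """The fix Eric recommends: the query text is fixed and the request value
    is bound as a parameter, so it can only ever be compared as a value."""
    sql = "select a,b,c,d,e,f,g from product where dept_id = ?"
    return con.execute(sql, (dept_id,)).fetchall()

def run_demo():
    """Run both variants with a normal value and with the URL payload from the
    thread; returns the four result sets for inspection."""
    con = make_db()
    normal = "42"
    payload = ("100000 union select credit_card_number,null,null,null,null,null,"
               " null from Credit_Card_table")
    return {
        "concat_normal": products_concat(con, normal),
        "concat_payload": products_concat(con, payload),   # leaks the other table
        "param_normal": products_param(con, normal),
        "param_payload": products_param(con, payload),     # no dept has that id: []
    }

if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

Casting the request value to an integer before the query is a useful second check, but it is the parameter binding that removes the whole class of bug, which is why Eric extends it to stored-procedure calls as well.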
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:47 PDT