SQL injection .NET - Web Developer

Mar. 13th, 2013 @ 03:14 pm
The pentesters told us that the following code is vulnerable to SQL injection in our e-store:

create procedure dbo.uspBeAfraidBeVeryAfraid ( @p1 varchar(64) )
AS
SET NOCOUNT ON
declare @sql varchar(512)
set @sql = 'select * from ' + @p1   -- @p1 is pasted straight into the query text
exec(@sql)
GO


How should I fix the issue?
From: valera
Date: March 13th, 2013 03:17 pm (UTC)
What is in p1?
From: kelsie_85
Date: March 13th, 2013 03:20 pm (UTC)
When you click an item it has an id. P1 is the item's id. In the URL it will show as ?id=1
From: valera
Date: March 13th, 2013 03:22 pm (UTC)
Hm... is the id equal to a table name? Because you need a table name after "select * from ". Are your table names coming from ids of HTML elements?
From: leftyjew
Date: March 14th, 2013 05:02 pm (UTC)
Yes, this. I don't understand this function.
But in general, use parameterized SQL and do not make your SQL out of concatenated strings.
From: cherdt
Date: March 13th, 2013 04:48 pm (UTC)
If the id is always a number, you could verify that P1 is numeric before running the query.

There is a lot of documentation available on SQL injection, a good place to start might be Microsoft's own docs:
http://msdn.microsoft.com/en-us/library/ff648339.aspx

OWASP has some great general documentation on SQL injection:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
From: denisioru
Date: March 13th, 2013 04:56 pm (UTC)
1. Don't use dynamic SQL.
2. Use parameters.
3. Read items 1 & 2.
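A T-SQL rewrite that follows the advice in the replies above (cherdt's "check that P1 is numeric", and leftyjew's and denisioru's "use parameters, not concatenated dynamic SQL"). This is an added example, not code from the original post; the table dbo.Items and its columns ItemId, Name and Price are assumed names.

```sql
-- Added example (not from the original post). dbo.Items, ItemId, Name and
-- Price are assumed names for the e-store's item table.

-- 1. The value from ?id=1 is a row key, not a table name, so the procedure
--    needs no dynamic SQL at all. Declaring the parameter as INT makes the
--    "is it numeric" check happen before the query runs, and the query text
--    is fixed: the caller's input is only ever compared, never executed.
CREATE PROCEDURE dbo.uspGetItemById ( @itemId INT )
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ItemId, Name, Price
    FROM dbo.Items
    WHERE ItemId = @itemId;   -- a bound value, not part of the SQL text
END
GO

-- 2. Only if a table name genuinely has to vary: accept it solely when it
--    names an existing table in a fixed schema, quote it with QUOTENAME, and
--    pass every value-level filter to sp_executesql as a typed parameter.
CREATE PROCEDURE dbo.uspSelectItemFromAllowedTable
    ( @tableName SYSNAME, @itemId INT )
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX);

    -- Allow-list: the name must match a real table in dbo, nothing else.
    IF NOT EXISTS (SELECT 1 FROM sys.tables
                   WHERE name = @tableName
                     AND schema_id = SCHEMA_ID('dbo'))
    BEGIN
        RAISERROR('Unknown table', 16, 1);
        RETURN;
    END

    -- QUOTENAME brackets the identifier; @id is bound, not concatenated.
    SET @sql = N'SELECT * FROM dbo.' + QUOTENAME(@tableName)
             + N' WHERE ItemId = @id;';
    EXEC sys.sp_executesql @sql, N'@id INT', @id = @itemId;
END
GO
```

From .NET, call these with SqlCommand.CommandType = StoredProcedure and add the id as a SqlParameter of SqlDbType.Int, so a non-numeric ?id value is rejected by the driver before any SQL is sent.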