SQL injection .NET
Mar. 13th, 2013 @ 03:14 pm
The pentesters told us that the following code is vulnerable to SQL injection in our e-store:
create procedure dbo.uspBeAfraidBeVeryAfraid ( @p1 varchar(64) )
as
set nocount on
declare @sql varchar(512)
-- the caller's value is pasted straight into the statement text: this is the injection point
set @sql = 'select * from ' + @p1
exec (@sql)
How should I fix the issue?
Date: March 13th, 2013 03:17 pm (UTC)
When you click an item it has an id. P1 is the item's id. In the URL it will show as ?id=1
Date: March 13th, 2013 03:22 pm (UTC)
Hm... is the id equal to a table name? Because you need a table name after "select * from ". Are your table names coming from ids of HTML elements?
Yes, this. I don't understand this function.
But in general, use parameterized SQL and do not make your SQL out of concatenated strings.
Date: March 13th, 2013 04:48 pm (UTC)
1. don't use dynamic SQL.
2. use parameters.
3. read items 1 & 2.
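The advice in the replies above (parameters, no string-built SQL) applied to the procedure from the original post, as an added example that is not code from the thread or the poster's e-store. Two things are shown: the normal case, where the value from ?id=1 is a data value and is simply bound as a parameter; and the unusual case the replies question, where a table name genuinely has to be chosen at run time and therefore cannot be a parameter, so it is checked against the catalogue and quoted instead. The table and column names (dbo.Products, ProductId, Id) are assumptions made for the illustration.

```sql
-- Added example (not from the thread). Assumed objects: dbo.Products with
-- columns ProductId and Id; the procedure names are likewise illustrative.

-- Normal case: the id from the URL is data, so it is a parameter and never
-- becomes part of the SQL text. No dynamic SQL is needed at all.
create procedure dbo.uspGetProduct ( @ProductId int )
as
set nocount on
select * from dbo.Products where ProductId = @ProductId;
go

-- Unusual case: a table name cannot be passed as a query parameter. If the
-- table really must vary, restrict it to a known set (here: tables that
-- exist in the dbo schema), quote it with QUOTENAME, and keep the data
-- filter as a real parameter via sp_executesql.
create procedure dbo.uspSelectFromAllowedTable ( @TableName sysname, @Id int )
as
set nocount on

-- catalogue whitelist: reject anything that is not an existing dbo table
if not exists (
    select 1
    from sys.tables t
    join sys.schemas s on s.schema_id = t.schema_id
    where s.name = N'dbo' and t.name = @TableName
)
begin
    raiserror(N'Table not permitted', 16, 1);
    return;
end

-- QUOTENAME wraps the name in [] and escapes any ] inside it, so the name
-- is treated as an identifier; the data value stays a bound parameter
declare @sql nvarchar(512) =
    N'select * from dbo.' + quotename(@TableName) + N' where Id = @Id;';

exec sys.sp_executesql @sql, N'@Id int', @Id = @Id;
go
```

From the .NET side, call these with SqlCommand (CommandType.StoredProcedure) and SqlParameter objects for @ProductId or @TableName and @Id; the application should never build the statement text itself. The first procedure is the right fix in almost every case; the second exists only for the situation the second reply asks about, and the whitelist check is what makes it safe, not QUOTENAME alone.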