Bugtraq mailing list archives
Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)
From: nick () CREATIVEONLINEMEDIA COM (Nick Southwell)
Date: Tue, 29 Feb 2000 11:14:09 -0000
The original problem was related to code produced by Site Server wizards. These wizards do not use SP's. It's quite a task to rewrite a whole site as SP'ed. Maybe MS should be looking at a move to this methodology. In general the extra time in doing DB access as SP's isn't justified, mainly because people aren't aware of the issue. Nick.
> This can still be a problem even if you use stored procedures. I've seen code like this:
>
> sql = "exec sp_name " & userdata
>
> If userdata contains '0; delete from table' then you've got a problem.
>
> The best way around this is to use parameterized queries for all data access, including stored procedures, selects, inserts, and updates. Never build up sql statements from strings that include user input.
>
> Eric.
>
> > If you use Stored Procedure calls in your ASP pages this can't happen!! Manually creating SQL statements within ASP is poor design : not as efficient and secured as storing them in your database server (as stored procedures) and making a call to them, without speaking of coding properly : do you reuse these pieces of code?!
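A runnable illustration of the point made in the quoted reply (concatenating user data into an "exec sp_name" string is still injectable; binding it as a parameter is not), added here and not part of the thread. Python with sqlite3 stands in for ASP/ADO, a plain SELECT stands in for the stored procedure body since SQLite has none, and the orders table and its rows are constructed sample data.

```python
import sqlite3


def fresh_db():
    # Constructed sample data: a small table standing in for whatever the
    # stored procedure would read.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget")])
    db.commit()
    return db


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def concatenated_lookup(db, userdata):
    # Mirrors  sql = "exec sp_name " & userdata : the user value is pasted
    # into the statement text, so any SQL it carries becomes part of the batch.
    # SQLite has no stored procedures, so a SELECT stands in for the procedure
    # call (assumption of this example).
    sql = "SELECT item FROM orders WHERE id = " + userdata
    # executescript runs every statement in the string, as a batch-capable
    # driver such as ADO against SQL Server does with the concatenated text.
    db.executescript(sql)
    # Return how many rows survive so the effect of the batch is observable.
    return row_count(db)


def parameterized_lookup(db, userdata):
    # The value travels separately from the statement and is never parsed as
    # SQL; '0; delete from table' is just a string that matches no id.
    rows = db.execute("SELECT item FROM orders WHERE id = ?",
                      (userdata,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    payload = "0; delete from orders"
    print("concatenated, rows left:", concatenated_lookup(fresh_db(), payload))
    db = fresh_db()
    print("parameterized, result:", parameterized_lookup(db, payload),
          "rows left:", row_count(db))
```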