Bugtraq mailing list archives

Re: BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs)


From: EricSmith () WINDSOR COM (Smith, Eric V.)
Date: Mon, 28 Feb 2000 06:34:28 -0500


This can still be a problem even if you use stored procedures.  I've seen
code like this:

sql = "exec sp_name " & userdata

If userdata contains '0; delete from table' then you've got a problem.

The best way around this is to use parameterized queries for all data
access, including stored procedures, selects, inserts, and updates.  Never
build up sql statements from strings that include user input.

Eric.
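The point Eric makes above, and the union-select example quoted further down the thread, can both be reproduced side by side. The following is an added example, not code from this thread or from Site Server: it uses an in-memory SQLite database as a stand-in for SQL Server, with constructed tables and sample rows, and contrasts the string-concatenated query with a parameterized one plus an explicit type check on the request value.

```python
import sqlite3

# Constructed sample data standing in for the product and card tables
# named in the quoted advisory text.
SAMPLE_PRODUCT = ("widget", "b", "c", "d", "e", "f", "g", 7)
SAMPLE_CARD = "4111-CONSTRUCTED-SAMPLE"


def make_db():
    """Build a throwaway database with the two tables the thread talks about."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE product (a TEXT, b TEXT, c TEXT, d TEXT, e TEXT, f TEXT, g TEXT,
                              dept_id INTEGER);
        CREATE TABLE credit_card_table (credit_card_number TEXT);
        """
    )
    conn.execute("INSERT INTO product VALUES (?,?,?,?,?,?,?,?)", SAMPLE_PRODUCT)
    conn.execute("INSERT INTO credit_card_table VALUES (?)", (SAMPLE_CARD,))
    return conn


def lookup_concat(conn, dept_id):
    """Vulnerable pattern: the request value is spliced into the SQL text,
    exactly like  "... where dept_id = " & Request("Dept_ID")  in ASP."""
    sql = "select a,b,c,d,e,f,g from product where dept_id = " + dept_id
    return conn.execute(sql).fetchall()


def parse_dept_id(raw):
    """Hypothetical validation helper: dept_id is an integer, so reject
    anything that is not one before it gets anywhere near the database."""
    raw = raw.strip()
    if not raw.isdigit():
        raise ValueError("dept_id must be a non-negative integer")
    return int(raw)


def lookup_param(conn, dept_id):
    """Fixed pattern: the statement text is fixed and the value is bound as a
    parameter, so it can never be parsed as SQL. Same idea as an ADO Command
    with a Parameters collection, whether the target is a SELECT or a
    stored procedure (exec sp_name @dept_id)."""
    sql = "select a,b,c,d,e,f,g from product where dept_id = ?"
    return conn.execute(sql, (dept_id,)).fetchall()


# The payload quoted in the thread, reused here only to show what each
# pattern does with it.
UNION_INPUT = (
    "100000 union select credit_card_number,null,null,null,null,null,null "
    "from credit_card_table"
)


def compare(conn, raw_input):
    """Run one request value through both patterns and report what came back."""
    leaked = lookup_concat(conn, raw_input)
    try:
        validated = parse_dept_id(raw_input)
        safe = lookup_param(conn, validated)
        rejected = False
    except ValueError:
        safe = []
        rejected = True
    return {
        "concat_rows": leaked,
        "param_rows": safe,
        "rejected_by_validation": rejected,
    }


if __name__ == "__main__":
    db = make_db()
    for value in ("7", UNION_INPUT):
        print(repr(value[:30]), "->", compare(db, value))
```

With `"7"` both lookups return the one product row. With the union input, `lookup_concat` returns a row whose first column is the card number, while the parameterized path binds the whole string as a value that matches no `dept_id` and the integer check rejects it outright. The same binding is what neutralizes Eric's `'0; delete from table'` case against a stored procedure: a bound parameter cannot terminate the statement and start another.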

-----Original Message-----
From: Bertrand Schmitt [mailto:bertrand.schmitt () ARKADIA COM]
Sent: Saturday, February 26, 2000 11:03 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: BID 994, MS00-010 (Site Server Commerce Edition
non-validated SQL inputs)

If you use Stored Procedure calls in your ASP pages this can't
happen!! Manually creating SQL statements within ASP is poor design:
not as efficient and secure as storing them in your database server
(as stored procedures) and making a call to them, without speaking
of coding properly: do you reuse these pieces of code?!

Within product.asp dept_id is picked up and used to construct a SQL
statement.

"select a,b,c,d,e,f,g from table where dept_id = " & Request("Dept_ID")

Further down the page a, b, c, d, e, f and g are response.writed to the
page.

Think about what happens if the URL above is modified to

http://hostname/product.asp?dept_id=100000 union select
credit_card_number,null,null,null,null,null, null from Credit_Card_table

