WebApp Sec mailing list archives

RE: SQL Injection Basics


From: "David Cameron" <dcameron () itis-now com>
Date: Wed, 12 Feb 2003 15:10:51 +1100

I think you meant to first sanitize CInt(Request.QueryString("id")) to make sure it's an integer. If I'm not mistaken, you've given a perfect example of code that is susceptible to SQL Injection mischief.

By using CInt he has sanitized the data. CInt converts to an integer & can also take integer parameters. When you run CInt("1 OR 1=1"), you get a type mismatch, which is a problem, but not one that means that Mark's code is vulnerable to SQL injection.

He should be running IsNumeric over the data first. Better yet, ADO command objects should be used for ASP, as suggested many times.

See the documentation (RTM) on the function CInt():

Description
Returns an expression that has been converted to a Variant of subtype Integer.
Syntax
CInt(expression)
The expression argument is any valid expression.

Remarks
In general, you can document your code using the subtype conversion functions to show that the result of some operation 
should be expressed as a particular data type rather than the default data type. For example, use CInt or CLng to force 
integer arithmetic in cases where currency, single-precision, or double-precision arithmetic normally would occur.
Use the CInt function to provide internationally aware conversions from any other data type to an Integer subtype. For 
example, different decimal separators are properly recognized depending on the locale setting of your system, as are 
different thousand separators.

If expression lies outside the acceptable range for the Integer subtype, an error occurs.

The following example uses the CInt function to convert a value to an Integer: 

Dim MyDouble, MyInt
MyDouble = 2345.5678      ' MyDouble is a Double.
MyInt = CInt(MyDouble)    ' MyInt contains 2346.


Note: CInt differs from the Fix and Int functions, which truncate, rather than round, the fractional part of a number. When the fractional part is exactly 0.5, the CInt function always rounds it to the nearest even number. For example, 0.5 rounds to 0, and 1.5 rounds to 2.

regards
David Cameron
nOw.b2b
dcameron () itis-now com
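The two fixes the reply recommends, shown together in classic ASP as an added example (not code from the thread or from Mark's original post): reject anything that is not a plain integer before calling CInt, then pass the value to SQL as a typed ADO parameter instead of concatenating it into the query. It assumes adovbs.inc is included for the adInteger, adParamInput and adCmdText constants, an already open ADODB.Connection named conn, and a hypothetical products table.

```vbscript
Option Explicit

' IsNumeric alone is too permissive for an id: it also accepts "1.5", "1e3",
' "&H1F" and " 5 ", so CInt could still round (2345.5678 -> 2346, per the docs)
' or raise an overflow error after the check passes. Require a plain decimal
' integer string that also fits the 16-bit Integer subtype.
Function IsPlainInteger(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^-?\d{1,5}$"
    IsPlainInteger = False
    If re.Test(s) Then
        If CLng(s) >= -32768 And CLng(s) <= 32767 Then
            IsPlainInteger = True
        End If
    End If
End Function

Dim rawId, id, cmd, rs
rawId = Request.QueryString("id")

' Fail closed on bad input rather than letting CInt throw a Type Mismatch
' (an unhandled error is a denial-of-service and information-leak risk).
If Not IsPlainInteger(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "invalid id"
    Response.End
End If

id = CInt(rawId)   ' now guaranteed to succeed without rounding

' Typed parameter: the database never sees the value as SQL text, so even a
' string that slipped past validation could not change the query structure.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn          ' conn is assumed to be an open connection
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT name FROM products WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)
Set rs = cmd.Execute

If Not rs.EOF Then Response.Write Server.HTMLEncode(rs("name"))
rs.Close
```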

