Sql injection attack - need help changing ASP code
Our web server was attacked yesterday by SQL injection. So I quickly learned about the holes in the code that was generated by Dreamweaver MX 2004.
I found the help article on the Adobe website to fix the ASP code; however, I need more information for my particular case. I don't know how to get my cursor type and location settings into the new code.
MY ORIGINAL CODE
<%
Dim Recordset1
Dim Recordset1_numRows
Set Recordset1 = Server.CreateObject("ADODB.Recordset")
Recordset1.ActiveConnection = MM_Oncology_STRING
' Recordset1__MMColParam is assigned earlier in the Dreamweaver-generated page (not shown here).
' Oncology_ID is compared as a number, unquoted, so doubling single quotes leaves a value such as "0 OR 1=1" untouched.
Recordset1.Source = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = " + Replace(Recordset1__MMColParam, "'", "''") + ""
Recordset1.CursorType = 0      ' adOpenForwardOnly
Recordset1.CursorLocation = 3  ' adUseClient
Recordset1.LockType = 1        ' adLockReadOnly
Recordset1.Open()
Recordset1_numRows = 0
%>
THE NEW CODE, WHICH NEEDS TO BE FIXED TO REFLECT CURSOR TYPE AND LOCATION ABOVE.
<%
Dim Recordset1
Dim Recordset1_cmd
Dim Recordset1_numRows
Set Recordset1_cmd = Server.CreateObject("ADODB.Command")
Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir WHERE Oncology_ID = ?"
Recordset1_cmd.Prepared = true
' CreateParameter(Name, Type, Direction, Size, Value):
'    5 = adDouble      (the value is bound as a number and never spliced into the SQL text)
'    1 = adParamInput
'   -1 = Size, not used for a fixed-length type such as adDouble
Recordset1_cmd.Parameters.Append Recordset1_cmd.CreateParameter("param1", 5, 1, -1, Recordset1__MMColParam) ' adDouble
Set Recordset1 = Recordset1_cmd.Execute
Recordset1_numRows = 0
%>
What exactly is the 5,1,-1 in the code above?
Any help would be very much appreciated as my ASP page
(although secured from SQL injection) is not working properly.
Thanks,
--Jen
The new snippet is not vulnerable to SQL injection. It uses a command object and actual defined parameters, so you're safe. You cannot change the cursor type or location on that object.
"jennday" <[email protected]> wrote in message news:f85omh$ngg$[email protected]...
> Our web server was attacked yesterday by SQL injection. So I quickly learned
> about the holes in the code that was generated by Dreamweaver MX 2004.
> I found the help article on the Adobe website to fix the ASP code; however I
> need more information for my particular case. I don't know how to get my
> cursor type and location settings into the new code.
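On the 5, 1, -1 in CreateParameter("param1", 5, 1, -1, value): ADO's CreateParameter takes (Name, Type, Direction, Size, Value), so 5 is the DataTypeEnum value adDouble, 1 is the ParameterDirectionEnum value adParamInput, and -1 is the Size, which is not needed for a fixed-length type such as adDouble. Why the old code was exploitable is worth spelling out: Oncology_ID is a numeric column and the value is pasted in unquoted, so Replace(..., "'", "''") had nothing to act on and a value like 0 OR 1=1 simply became part of the query. The example below is added here and is not code from the thread or from Dreamweaver; it is Python against an in-memory sqlite3 database standing in for SQL Server and ADO so that it runs offline, with a constructed table, rows and payload. It reproduces the concatenated query, shows what the tautology returns, and then binds the value as a number the way the adDouble parameter does.

```python
"""Added example (not from the thread): the Dreamweaver numeric WHERE clause
with quote-doubling versus a bound parameter. sqlite3 stands in for
SQL Server/ADO; the table, rows and payloads are constructed here."""
import sqlite3

# Constructed sample data shaped like the dbo.Oncology_Dir table in the post.
SAMPLE_ROWS = [(1, "Dr. Adams"), (2, "Dr. Baker"), (3, "Dr. Clark")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Oncology_Dir (Oncology_ID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Oncology_Dir VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def dreamweaver_escape(value: str) -> str:
    """VBScript Replace(value, "'", "''"): doubles single quotes and nothing else."""
    return value.replace("'", "''")


def lookup_concatenated(conn: sqlite3.Connection, col_param: str) -> list:
    """The original Recordset1.Source. The escaped value is pasted into an
    unquoted numeric comparison, so a value with no quote in it is left intact
    and becomes part of the statement."""
    sql = "SELECT * FROM Oncology_Dir WHERE Oncology_ID = " + dreamweaver_escape(col_param)
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, col_param: str) -> list:
    """The ADODB.Command pattern. CreateParameter("param1", 5, 1, -1, value)
    binds the value as adDouble (5), input direction (1), size not used (-1).
    float() plays the part of the adDouble conversion: a non-numeric value is
    rejected before any SQL is sent (ValueError here, a type error in ADO)."""
    numeric = float(col_param)
    sql = "SELECT * FROM Oncology_Dir WHERE Oncology_ID = ?"
    return conn.execute(sql, (numeric,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated, 2:         ", lookup_concatenated(db, "2"))
    print("concatenated, 0 OR 1=1:  ", lookup_concatenated(db, "0 OR 1=1"))  # every row
    print("parameterised, 2:        ", lookup_parameterised(db, "2"))
    try:
        lookup_parameterised(db, "0 OR 1=1")
    except ValueError as exc:
        print("parameterised, 0 OR 1=1: rejected before SQL:", exc)
```

Run it directly to see the concatenated lookup return the whole table for "0 OR 1=1" while the parameterised lookup refuses the value before a statement is ever sent; the single legitimate id behaves the same under both.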
Similar Messages
-
Lightswitch Security, Protection against SQL Injection attacks etc.
Hi all,
I have been hunting around for some kind of documentation that explains how Lightswitch handles typical web application vulnerabilities such as SQL injection attacks.
In the case of injection attacks it is my understanding that the generated code will submit data to the database via named parameters to protect against such things, but it would be good to have some official account of how Lightswitch handles the relevant OWASP issues, to help provide assurance to businesses that relying on a framework such as Lightswitch does not introduce security risks.
Is anyone aware of such documentation? I found this but it barely scratches the surface:
http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
There is this which describes best practices but nothing to say that these practices are adopted within Lightswitch:
http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
Thanks for any help, I am amazed that it is so difficult to find.
LS is a tool built on top of other technologies including Entity Framework.
Here is a security doc about EF.
http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx
LS uses Linq to Entities and therefore is not susceptible to SQL injection.
HTH,
Josh
PS... the only vulnerability that I'm aware of is when a desktop app is deployed as 2-tier instead of 3-tier. In that case, the web.config which contains connection strings is on the client machine, which is a risk. Here is a discussion related to db security & 2 vs 3-tier.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/93e035e0-0d2e-4405-a717-5b3207b3ccac/can-sql-server-application-roles-be-used-in-conjunction-with-lightswitch?forum=lightswitch -
Any Admins aware of possible SQL "injection" attacks like this?
For example in your web sites login.asp or similar:
select * from users
where uname='%value1%'
and pwd='%value2%'
where %value1% equals "garbage"
and %value2% equals "garbage' or TRUE or '"
select * from users
where uname='garbage'
and pwd='garbage' or TRUE or ''
Useful source of security info:
http://www.nextgenss.com/news.html
Get Oracle Security Patches:
http://otn.oracle.com/deploy/security/alerts.htm
Adeeva.
There was an excellent presentation on this and other database attacks at the recent SEOUC conference in Charlotte. You can see the slides by going to http://www.seouc.org. Select "Presentation Abstracts" from the menu and then choose the keynote address. There were a lot of open jaws in the presentation room.
One technique that we use is to package all SQL used in our websites using bind variables. So the login script you showed would be replaced by a packaged procedure something like this:
FUNCTION validate_logon (id_in appusers.id%TYPE, pw_in appusers.password%TYPE)
RETURN INTEGER
IS
   x      INTEGER;
   -- :1 and :2 are bind variables; the caller's values never become part of the SQL text
   sqlstr VARCHAR2(200) := 'select count(*) from appusers where id = :1 and password = :2';
BEGIN
   EXECUTE IMMEDIATE sqlstr INTO x USING id_in, pw_in;
   RETURN x;
END validate_logon;
This would return a positive integer (should always be 1) if the validation succeeds and 0 if it fails. They can't easily inject stuff into this. We used packaged dynamic SQL with bind variables for everything. Also, the account that logs onto the database never has access of any kind to the tables or views, only EXECUTE on the procedures.
Nothing is foolproof but at least it makes it harder for them. -
After an SQL injection attack I followed the advice to use cfqueryparam in my cfquery statements. Unfortunately this does not seem to have worked, as many records in my database have again been appended with scripts linking to javascript files on another website.
I haven't coded in ColdFusion in a while and would really appreciate it if someone could take a look at the code of one of my pages and let me know if I have missed anything or miscoded the cfqueryparam tag.
Thanks in advance
Neil
You can add the following code to your application file.
<!--- CREATE SQL REGULAR EXPRESSION: built as one string with & so that no line breaks end up inside the pattern --->
<cfset sqlregex = "(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|"
    & "(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|"
    & "(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|"
    & "(DELETE\sFROM\s[\d\w\'\=]+)|"
    & "(DROP\sTABLE\s[\d\w\'\=]+)">
<!--- CHECK FORM VARIABLES: form[formelement] reads the field value by name; evaluate(formelement) would treat the field name itself as a CFML expression --->
<cfloop collection="#form#" item="formelement">
    <cfif isSimpleValue(form[formelement]) AND refindnocase(sqlregex, form[formelement])>
        <cfset StructClear(form)>
        <!--- cflocation ends the request, so it goes last --->
        <cflocation url="messages.cfm?message=Invalid Input. Possible SQL Injection attack.">
    </cfif>
</cfloop>
<!--- CHECK URL VARIABLES --->
<cfloop collection="#url#" item="urlelement">
    <cfif isSimpleValue(url[urlelement]) AND refindnocase(sqlregex, url[urlelement])>
        <cfset StructClear(url)>
        <cflocation url="messages.cfm?message=Invalid Input. Possible SQL Injection attack.">
    </cfif>
</cfloop>
Good luck
Mamdoh
P.S: The credit for the script goes to sys-con.com -
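Mamdoh's script is a keyword blacklist applied to every form and URL value before the page runs. To make its coverage concrete, here is the same regular expression ported to Python, with re.IGNORECASE standing in for refindnocase, run over a set of constructed inputs. This is an added example, not code from the thread or from sys-con.com, and the inputs are made up here: a numeric tautology and the login payload from the Oracle thread above contain none of the five statement shapes, a SELECT with comments in place of spaces is missed because the pattern insists on whitespace, and a statement hidden in a hex string handed to EXEC (the shape of the mass-injection attacks that appended script tags to text columns) carries no matching keyword at all, while an innocent sentence with "select ... from" in it is rejected. A filter like this is defence in depth at most; the control is a cfqueryparam on every variable that reaches a query, which is what Neil asked to have checked.

```python
"""Added example (not from the thread): the keyword blacklist from the
ColdFusion snippet ported to Python and run over constructed inputs to show
what it blocks and what it lets through."""
import re

# The five alternatives from the cfset, unchanged; IGNORECASE mirrors refindnocase().
SQL_REGEX = re.compile(
    r"(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|"
    r"(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|"
    r"(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|"
    r"(DELETE\sFROM\s[\d\w\'\=]+)|"
    r"(DROP\sTABLE\s[\d\w\'\=]+)",
    re.IGNORECASE,
)


def filter_blocks(value: str) -> bool:
    """True when the ColdFusion filter would redirect the request to messages.cfm."""
    return SQL_REGEX.search(value) is not None


# A statement hidden in a hex string and handed to EXEC: no SELECT/UPDATE/INSERT/
# DELETE/DROP appears in clear text, so no alternative can match. Constructed here.
HEX_EXEC_PAYLOAD = (
    "1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x"
    + "DROP TABLE users".encode("ascii").hex().upper()
    + " AS VARCHAR(4000));EXEC(@S);--"
)

# Constructed inputs: (description, value, what the filter does with it).
SAMPLES = [
    ("plain statement",     "SELECT * FROM users",                   "blocked"),
    ("stacked DROP",        "'; DROP TABLE users--",                 "blocked"),
    ("numeric tautology",   "1 OR 1=1",                              "passes"),
    ("login tautology",     "garbage' or TRUE or '",                 "passes"),
    ("comments for spaces", "SELECT/**/pwd/**/FROM/**/users",        "passes"),
    ("hex-encoded EXEC",    HEX_EXEC_PAYLOAD,                        "passes"),
    ("innocent sentence",   "Please select two items from the menu", "blocked"),
]


def audit(samples=SAMPLES) -> dict:
    """Map each description to whether the filter blocks that value."""
    return {desc: filter_blocks(value) for desc, value, _ in samples}


if __name__ == "__main__":
    for desc, value, _ in SAMPLES:
        verdict = "BLOCKED" if filter_blocks(value) else "passes "
        print(f"{desc:20s} {verdict}  {value[:60]}")
```

Run it directly to print one line per input. Two of the three blocked inputs are the obvious textbook statements; the third is a harmless sentence, which is the usual cost of a keyword blacklist, and all four payloads that pass would still reach the query untouched.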
Preventing Sql Injection Attacks
Please see my posting on "Sql Injection" in the Technologies\Security forum. I am interested in preventing SQL injection attacks on our server. It was difficult to decide where to post it, as it is a security issue but it may be a general server issue. Or is it???
It would have been helpful if you had either repeated the text of your other post here, or else included a link (Sql Injection).
Tom Best posted a link to an interesting-sounding paper in Injection Attack. I haven't had the chance to read it yet, but it is probably the best place to start (as no one else posted to that thread).
Cheers, APC -
Preventing sql injection attack
string objConn9 = "Provider=MSDAORA;User ID=103109798;Password=password;Data Source=orabis;";
// The OLE DB .NET provider binds parameters by position and requires "?" markers in the
// command text; named markers such as :username are not supported by it.
string commandString9 = "INSERT INTO users(username,password) VALUES(?,?)";
using (OleDbConnection myConnection9 = new OleDbConnection(objConn9))
using (OleDbCommand myCommand9 = new OleDbCommand(commandString9, myConnection9))
{
    // Parameters are added in the order of the "?" markers. The text travels as data,
    // so quotes, commas and semicolons in it cannot alter the statement.
    myCommand9.Parameters.Add("username", txtUsername.Text);
    myCommand9.Parameters.Add("password", txtPassword.Text);
    myConnection9.Open();
    myCommand9.ExecuteNonQuery();
}
i'm using this code to try to remove the problem of users entering a comma or a semicolon and throwing off my query, but it's not working...
is there an easy way to insert text values into oracle 8i that contain '; etc without throwing it off? I'm developing through c# and oracle 8i; the problem is most of the code examples are related to sql server and vb.net
I may be off here, but in this case you appear to be okay. The code snippet you include looks to me like it is using bind variables. If you are using bind variables you are not susceptible to sql injection attacks.
It is only when concatenating a string together to make a sql statement that injection attacks can occur.
See
http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:668624442763#18067076079313
and search for injection.
Or just go to
http://asktom.oracle.com
and search for "sql injection bind variable" for lots of other references. -
Need help in transaction code ime0
I need help in transaction code ime0. I mean to say, what is this TCode doing? What do the different drill-down programs mean? Where can I use this report?
Regards,
Subhasish
Hi
Please check the link for help:
CA - Drilldown Reporting: http://help.sap.com/saphelp_47x200/helpdata/EN/5c/8db33f555411d189660000e829fbbd/frameset.htm
Hope it helps
Anirban -
I need help with this code error "unreachable statement"
the error:
F:\Java\Projects\Tools.java:51: unreachable statement <-- THIS
int index;
^
F:\Java\Projects\Tools.java:71: missing return statement
}//end delete method
^
F:\Java\Projects\Tools.java:86: missing return statement
}//end getrecod
^
3 errors
import java.util.*;
import javax.swing.*;
import java.awt.*;

public class Tools { // tool class
    private int numberOfToolItems;
    private ToolItems[] toolArray = new ToolItems[10]; // ToolItems is defined elsewhere (not posted)

    public Tools() { // array of tool
        numberOfToolItems = 0;
        for (int i = 0; i < toolArray.length; i++) { // for loop to create the array tools
            toolArray[i] = new ToolItems();
        } // end for loop
    } // end of array of tools

    public int search(int id) { // search method
        int index = 0;
        while (index < numberOfToolItems) { // while and if loop search
            if (toolArray[index].getID() == id)
                return index;
            else
                index++;
        } // end while and if loop
        return -1;
    } // end search method

    public int insert(int id, int numberInStock, int quality, double basePrice, String nm) { // insert method
        if (numberOfToolItems >= toolArray.length) {
            return 0;
            int index;
            index = search(id); // <-- HERE
            if (index == -1) {
                toolArray[index].assign(id, numberInStock, quality, basePrice, nm);
                numberInStock++;
                return 1;
            } // end if index
        } // end if toolitem array
        return -1;
    } // end insert method

    public int delete(/*int id*/) { // delete method
    } // end delete method

    public void display() { // display method
        for (int i = 0; i < numberOfToolItems; i++) {
            //toolArray.display(g,y,x);
        }
    } // end display method

    public String getRecord(int i) { // get record method
        // return toolArray[i].getName()+ "ID: "+toolArray[i].getID()
    } // end getrecod
} // end class
ladsoftware wrote:
> Subject: Re: I need help with this code error "unreachable statement"
> F:\Java\Projects\Tools.java:51: unreachable statement <-- THIS
> int index;
> ^
> F:\Java\Projects\Tools.java:71: missing return statement
> }//end delete method
> ^
> F:\Java\Projects\Tools.java:86: missing return statement
> }//end getrecod
> ^
> 3 errors
The compiler is telling you exactly what the problems are:
public int insert(int id, int numberInStock, int quality, double basePrice, String nm) { // insert method
    if (numberOfToolItems >= toolArray.length) {
        return 0; // <<== HERE you return, so everything in the if block after this is unreachable
        int index;
        index = search(id); // <-- HERE
        if (index == -1) {
            toolArray[index].assign(id, numberInStock, quality, basePrice, nm);
            numberInStock++;
            return 1;
        } // end if index
    } // end if toolitem array
    return -1;
} // end insert method

public int delete(/*int id*/) { // delete method
    // <<== HERE where is the return statement?
} // end delete method

public String getRecord(int i) { // get record method
    // return toolArray.getName()+ "ID: "+toolArray[i].getID() <<== HERE you commented out the return statement
} // end getrecod
} // end class -
I need help with my code..
hi guys. as the subject says I need help with my code
the Q for my code is:
write a program that reads a positive integer x and calculates and prints a floating point number y if:
y = 1 - 1/2 + 1/3 - ... + 1/x
and this is my code
/*
 This program reads a positive integer x and calculates
 and prints a floating point number y if:
 y = 1 - 1/2 + 1/3 - ... + 1/x
*/
import java.util.Scanner; // program uses class Scanner

class Sh7q2 {
    // main method begins execution of Java application
    public static void main(String args[]) {
        // create Scanner to obtain input from command window
        Scanner input = new Scanner(System.in);
        int i = 1; // i is to control the loop
        int n = 2; // n is suppose to control the number sign
        int x;     // a positive integer entered by the user
        int m;
        System.out.println("Enter a positive integer");
        x = input.nextInt();
        do {
            m = (int) Math.pow(-1, n) / i;
            System.out.println(m);
            n++;
            i++;
        } while (m >= 1 / x);
    } // end method main
} // end class Sh7q2
when I compile it there is no error
but in the run it tells me to enter a positive integer
suppose i entered 5
then the result is 1...
can anyone tell me what's wrong with my code
/*
 This program reads a positive integer x and calculates
 and prints a floating point number y if:
 y = 1 - 1/2 + 1/3 - ... + 1/x
*/
import java.util.Scanner; // program uses class Scanner

class Sh7q2 {
    // main method begins execution of Java application
    public static void main(String args[]) {
        // create Scanner to obtain input from command window
        Scanner input = new Scanner(System.in);
        int i = 1; // i is to control the loop
        int n = 1; // n is suppose to control the number sign
        int x;     // a positive integer entered by the user
        double m;
        int a = 1;
        double sum = 0;
        System.out.println("Enter a positive integer");
        x = input.nextInt();
        for (i = 1; a <= x; i++) {
            m = Math.pow(-1, n + 1) / i;
            sum = sum + m;
            n++;
            a++;
        }
        System.out.print("y = " + sum);
    } // end method main
} // end class Sh7q2
is it right :S -
I need help changing my name on iPad and iPhone to sync. I have two different names: one is from my laptop and the other is from the iPad, so I can't sync iTunes. Please help!
Plug the iPhone in and go to the music tab in the iPhone, not your iTunes library. There will be a button in the bottom right that says autofill. Click that and it should transfer all your music. It worked for me, and I had the same problem.
-
Guys, I have forgotten my security question answers, and the rescue email I placed in with my apple id has been closed down as well (it was a university id, when I graduated, the email service expired). I need help changing my password.
The Three Best Alternatives for Security Questions and Rescue Mail
1. Use Apple's Express Lane.
Go to https://expresslane.apple.com ; click 'See all products and services' at the
bottom of the page. In the next page click 'More Products and Services, then
'Apple ID'. In the next page select 'Other Apple ID Topics' then 'Forgotten Apple
ID security questions' and click 'Continue'.
2. Call Apple Support in your country: Customer Service: Contact Apple support.
3. Rescue email address and how to reset Apple ID security questions.
A substitute for using the security questions is to use 2-step verification:
Two-step verification FAQ Get answers to frequently asked questions about two-step verification for Apple ID. -
I need help changing my security information because I forgot it, and I clicked "forgot your answers" on the Apple website and it's supposed to send me an email saying how to reset it, but I never got an email.
Contact iTunes support:
http://www.apple.com/support/itunes/contact/ -
Need Help on this Code Immediately
Hi Friends,
I am very new to Java.
I have a Java program that I am trying to run. The code compiles fine but it fails on its 3rd loop, where it is trying to run a report.
I have the part of the code that is erroring out. Can someone please look into the code and tell me if I need to make any changes to it?
The code, when executed, gives the error "The Client Did Something Wrong".
Please Help Me!!!
/**
 * Execute a report.
 * @param path This is the search path to the report.
 * @param format The array that contains the format options (PDF,HTML,etc...)
 */
public void executeReport(String path, String[] format) {
    ParameterValue pv[] = new ParameterValue[]{};
    Option ro[] = new Option[3];
    RunOptionBoolean saveOutput = new RunOptionBoolean();
    RunOptionStringArray rosa = new RunOptionStringArray();
    RunOptionBoolean burstable = new RunOptionBoolean();
    // Define that the report to save the output.
    saveOutput.setName(RunOptionEnum.saveOutput);
    saveOutput.setValue(true);
    // What format do we want the report in: PDF? HTML? XML?
    rosa.setName(RunOptionEnum.outputFormat);
    rosa.setValue(format);
    // Define that the report can be burst.
    burstable.setName(RunOptionEnum.burst);
    burstable.setValue(true);
    // Fill the array with the run options.
    ro[0] = rosa;
    ro[1] = saveOutput;
    ro[2] = burstable;
    try {
        SearchPathSingleObject spSingle = new SearchPathSingleObject();
        spSingle.setValue(path);
        // Get the initial response.
        AsynchReply res = reportService.run(spSingle, pv, ro);
        // If it has not yet completed, keep waiting until it is done.
        // In this case, we wait forever.
        while (res.getStatus() != AsynchReplyStatusEnum.complete
                && res.getStatus() != AsynchReplyStatusEnum.conversationComplete) {
            res = reportService.wait(res.getPrimaryRequest(), new ParameterValue[]{}, new Option[]{});
        }
        reportService.release(res.getPrimaryRequest());
        // Return the final response.
    } catch (Exception e) {
        System.out.println(e);
    }
}
Guess I was too late. Sorry
Instead of posting that you need help on code immediately, how about instead posting the particular topic that you are working on? It's quite doubtful that you would be here if you didn't have a question. -
Need help with WMI code that will send output to db
I'm new to WMI code writing, so I need some help with writing code that we can store on our server. I want this code to run when a user logs into their computer and talks to our server. I also want the code to:
* check the users computer and find all installed patches
* the date the patches were installed
* the serial number of the users computer
* the computer name, os version, last boot up time, and mac address
and then have all this output to a database file. At the command prompt I've tried:
wmic qfe get description, hotfixid
This does return the patch information I'm looking for, but how do I combine that line of code with:
wmic os get version, csname, serialnumber, lastbootuptime
and
wmic nicconfig get macaddress
and then get all this to output to a database file?
Thank you for the links. I checked out http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx and
found lots of good information. I also found a good command that will print information to a text file.
Basically what I'm trying to do is retrieve a list of all installed updates (Windows updates and 3rd party updates). I do like the code below because it gives me the KB numbers for the Windows updates. I need this information so my IT co-workers and I can keep track of which of our users' computers need a patch/update installed, and preferably which patch/update. The minimum we want to know is which patches/updates have been installed on which computer. If you're wondering why we don't have Windows automatic updates enabled, that's because we are not allowed to.
This is my code so far.
# if you want the computer name, use this command
Get-Content env:computername
$computer = Get-Content env:computername
# list of installed patches
Get-HotFix -ComputerName $computer
# create a text file listing this information
Get-HotFix > 'C:\users\little e\Documents\WMI help\PowerShell\printOutPatchList.txt'
I know you don't want to tell me the code that will print this out to a database (regardless of whether it's Access or SQL), and that's fine. But maybe you can tell me this. Is it possible to have the results of this sent to a database file, or do I need to go into SQL and write code for SQL to go out and grab the data from an Excel file or txt file? If I'm understanding this stuff so far, then I suspect that it can be done both ways, but the code needs to be written correctly for this to happen. If that's true, then which way is best (code in PowerShell to send the information to SQL, or SQL goes and gets the information from the text file or Excel file)? -
Urgent Help Changing C code to Java!
Hi can anyone help me please !
I need to change the following code from C into Java!
The Project has to be done by this the Friday 26th April
Code in C:

#define SMSTEXTSIZE 160   /* not in the post; assumed buffer size */
void itoh(int value, char *out, int width);   /* helper used below, defined elsewhere (not posted) */

int textToBmsg(char *abuf, char *bbuf, int bbufsize)
{
    /* takes a text message in 7 bit ascii and converts it to
     * a compressed 8-bit format.
     * return - size of output string */
    int aidx;   /* index into input string */
    int bidx;   /* index into output string */
    int i;
    int c;
    char tmp[SMSTEXTSIZE];

    aidx = 0;
    bidx = 0;
    while (*(abuf + aidx) != 0 && bidx < bbufsize) {
        c = *(abuf + aidx) & 0x7F;
        switch (aidx % 8) {
        case 0:
            *(tmp + bidx) = c;
            break;
        case 1:
            *(tmp + bidx) |= (c & 0x1) << 7;
            bidx++;
            *(tmp + bidx) = c >> 1;   /* the post had "tmp = bidx" here, a typo */
            break;
        case 2:
            *(tmp + bidx) |= (c & 0x3) << 6;
            bidx++;
            *(tmp + bidx) = c >> 2;
            break;
        case 3:
            *(tmp + bidx) |= (c & 0x7) << 5;
            bidx++;
            *(tmp + bidx) = c >> 3;
            break;
        case 4:
            *(tmp + bidx) |= (c & 0xF) << 4;
            bidx++;
            *(tmp + bidx) = c >> 4;
            break;
        case 5:
            *(tmp + bidx) |= (c & 0x1F) << 3;
            bidx++;
            *(tmp + bidx) = c >> 5;
            break;
        case 6:
            *(tmp + bidx) |= (c & 0x3F) << 2;
            bidx++;
            *(tmp + bidx) = c >> 6;
            break;
        case 7:
            *(tmp + bidx) |= (c & 0x7F) << 1;
            bidx++;
            break;
        }
        aidx++;
    }
    if ((aidx % 8) != 0) bidx++;
    itoh(aidx, bbuf, 2);   /* length of uncompressed message */
    bbuf += 2;
    for (i = 0; i < bidx; i++) {
        itoh(*(tmp + i), bbuf, 2);
        bbuf += 2;
    }
    return bidx * 2 + 2;
}

Tks. in advance,
HendyJDK
Thanks for nothing you sad individual, if you are not going to offer anything constructive then please keep your opinions to yourself, if you must know I am stuck for time and trying my best to translate this to meet a deadline this Friday, you pompous idiot!
Requesting that you refrain from cross-posting isn't pompous and doesn't identify the person who
makes the request as an idiot. As a matter of fact, he was pointing out that your question was
answered in the other posting that you made.
Rather than responding in the manner in which you did, you should have thanked him for his help!
Mark