SQL Injection & CF code Attacks
One thing I've noticed with sites using CF is that many, many
programmers do not take into account SQL Injection and CF Form/URL
variable attacks. I've seen SO many CF pages that blow up when the
input varies in the slightest, displaying CF error messages,
datasources, variable names, etc.
Seems not enough programmers use CFTRY/CFCATCH or even know
about it. I've seen where SQL table names and datasources were
being passed in a URL!! It's frightening
Interested in everyone's BEST PRACTICES to avoid these type
of attacks.
I'll start it off with a few I use:
Use CFTRY / CFCATCH.
ALWAYS set the maxlength value on form input text boxes and
make sure the value matches the corresponding column length in your
DB. If you do not, someone can enter a huge amount of data in the
field, causing your CF routine or DB to choke.
Scope all variables, URL, Form, etc.
Use numbers/integers whenever possible for URL variable
values.
Avoid using varchar as the data type in your stored
procedures for passed URL or Form variables. Use INT instead.
Validate user input using CF before passing to your SQL, etc.
queries. Test for allowed/disallowed characters, blanks, length of
input value, etc.
Use stored procedures whenever possible.
Don't make URL or Form variable names too descriptive. ex.
?m=100 is better than ?memberID=100
In addition to the things listed above, you should never
expect the values sent from any form submission to be 100% as they
are coded. There are tons of programs out there that can be used to
intercept and alter the submitted data before it hits your server.
It is a slow process, but we are locking down any and all form
variables not just type="text" and textarea's.
If a user has the ability to alter submitted data, they can
change the values for all types of form fields (hidden, radio,
checkbox, select, button, etc...). A lot of our old code did not
take that into consideration and simply allowed the value entered
from a "predefind" (hard coded value) form type (radio, checkbox,
etc...) directly into the database without a check.
Another step is to turn off "Enable Robust Exception
Information" in the CF Administrator. This step will help in not
giving an attacker the complete SQL statement being used in your
code. Note: This is a recomended practice for all production CF
servers as it is, but it never hurts to say it. CFTRY/CFCATCH
blocks work as well to hid that info, but neither way will
prevent an attack.
You also can not rely on client side JavaScript for
validation.
CR
Similar Messages
-
SQL Injection -- DBA role..
Hi all,
I'm working as a SQL Server DBA,Now a days we are facing issue with attacks(SQL Injection),most of attacks are taken care by Firewalls but still some attacks hitting Database.
As a DBA How to check whether database got effected
Please help me by providing hints and tips to analysis SQL injection.
Thanks in advanceThere is no easy ways to detect sql injection. You should analyze activity against databases and work with developers to address it.
Basically, you can capture sql_completed/rpc_completed events in XEvent or SQL Trace and review them. Anything, which is not parameterized, could be the subject of injection attach (it depends on Client Code and implementation).
As the side note, script below provides you the list of the databases together with number of cached execution plans that were used just once. SQL Injection targets non-parameterized queries. So the databases with large number of single-used plans are more
likely to be affected. In any case, do not rely on output much - large number of single-used plans could be just the sign of bad design rather than being affected. As I said, you need to review client app code just to be sure.
select
epa.value as [DB ID],
db_name(convert(int,epa.value)) as [DB Name],
count(*) as [Single Use Plans]
from
sys.dm_exec_cached_plans p
cross apply sys.dm_exec_plan_attributes(plan_handle) AS epa
where
p.usecounts = 1 and
p.objtype in ('Adhoc','Prepared') and
epa.attribute = 'dbid'
group by
epa.value
option (recompile)
Thank you!
Dmitri V. Korotkevitch (MVP, MCM, MCPD)
My blog: http://aboutsqlserver.com -
SQL Injection - cfqueryparam and other techniques to stop abuse?
We have been having a lot of issues with SQL injection lately and so we are trying various methods to secure the data better.
First off we have been utlizing cfqueryparam on the queries that are being hit. I am also optimizing the data tables so that more maxlengths are in place.
What else can be done to improve security? I have looked up everything and anything on the internet and keep seeing the cfqueryparam.
Does changing the variables or table names make any difference? We are trying that, but I want to make sure it is not a waste of our time.
Thanks for any other suggestions.CFqueryparam is a good fist step, though you should note that it will not protect some queries. For example if you have a sort by or order by that is dynamic, cfqueryparam wont help in that case. You will need to review data and validate for that.
You should also be checking for XSS vulnarabilities.
http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in- ColdFusion
The blog above has a great number of CF sercurity related posts.
Pete Freitag has a nice security scanner that will look at your CF server and highlight any missing patches and some other issues
http://www.petefreitag.com/item/721.cfm
There are some open source projects that will also filter out common sql injection and xss attacks on a code level.
http://portcullis.riaforge.org/
Finally there are several conferences in the CF world coming up, and all surely have some security sessions. You may want to attend. -
SQL Injection from PL/SQL function.
WE have some issues with a third party application which has vulnerabilities to SQL Injection, we have delivered a proof of concept to the developers demonstrating that it is possible to return additional (unrestricted) results to the front end, we have also found the following function in the back end. Assuming that its possible to call this function (which it is) and we can pass in whatever we want and that the user has exp_full_database and imp_full_database roles granted is there anything destructive possible with the following function?
FUNCTION row_count (tab_name VARCHAR2) RETURN INTEGER AS
rows INTEGER;
BEGIN
EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || tab_name INTO rows;
RETURN rows;
END;
version 11.2.0.3, linux x86Simple example.
SQL> --// table to hack in production - we are going to nuke it
SQL> create table production_table1(
2 some_data number
3 );
Table created.
SQL> --// production code typically executes with production rights (authid definer)
SQL> create or replace function RowCount( tabName varchar2 ) return integer authid definer is
2 --// code executes with the privs of the owner of the code
3 cnt integer;
4 begin
5 execute immediate 'SELECT COUNT(*) FROM ' || tabName into cnt;
6 return( cnt );
7 end;
8 /
Function created.
SQL> --// expected use of production code
SQL> var i number
SQL> exec :i := RowCount( 'EMP' );
PL/SQL procedure successfully completed.
SQL> print i
I
14
SQL>
SQL> --// create the following in any schema that I, as hacker, have access to and the
SQL> --// right to create a procedure - and using "access/security escalation", I'm going
SQL> --// to get production code to run my code with production rights
SQL>
SQL> create or replace function InjectCode return integer authid current_user is
2 --// code executes with the privs of the caller of the code
3 pragma autonomous_transaction;
4 begin
5 execute immediate 'drop table PRODUCTION_TABLE1 purge';
6 return( 0 );
7 end;
8 /
Function created.
SQL>
SQL> --// production table is there
SQL> select object_type, object_name from user_objects where object_name = 'PRODUCTION_TABLE1';
OBJECT_TYPE OBJECT_NAME
TABLE PRODUCTION_TABLE1
SQL>
SQL> --// inject my code into production code
SQL> exec :i := RowCount( 'EMP where InjectCode() = 0' );
PL/SQL procedure successfully completed.
SQL> print :i
I
14
SQL> --// production table is nuked
SQL> select object_type, object_name from user_objects where object_name = 'PRODUCTION_TABLE1';
no rows selected
SQL> -
Dreamweaver CS3 and sql injection....
Any news if Dreamweaver CS3 will have the same "problems"
brought on by the
8.0.2 update to Dreamweaver 8?
Thanks!Excellent...glad to hear it and I look forward to getting
CS3. I held off
on 8 because of the so called problems.
"Murray *ACE*" <[email protected]> wrote
in message
news:[email protected]...
> Yes, that's what I do. Honestly, I've not seen any
problems there.
>
> --
> Murray --- ICQ 71997575
> Adobe Community Expert
> (If you *MUST* email me, don't LAUGH when you do so!)
> ==================
>
http://www.dreamweavermx-templates.com
- Template Triage!
>
http://www.projectseven.com/go
- DW FAQs, Tutorials & Resources
>
http://www.dwfaq.com - DW FAQs,
Tutorials & Resources
>
http://www.macromedia.com/support/search/
- Macromedia (MM) Technotes
> ==================
>
>
> "Pizza Good" <[email protected]> wrote in
message
> news:[email protected]...
>>I think it comes up more when you have a form and
pass the values to a
>>recordset which uses those values to query and filter
a recordset.
>>
>>
>> "Murray *ACE*"
<[email protected]> wrote in message
>> news:[email protected]...
>>>I am processing form input, which I believe is
where SQL injection comes
>>>in.
>>>
>>> --
>>> Murray --- ICQ 71997575
>>> Adobe Community Expert
>>> (If you *MUST* email me, don't LAUGH when you do
so!)
>>> ==================
>>>
http://www.dreamweavermx-templates.com
- Template Triage!
>>>
http://www.projectseven.com/go
- DW FAQs, Tutorials & Resources
>>>
http://www.dwfaq.com - DW FAQs,
Tutorials & Resources
>>>
http://www.macromedia.com/support/search/
- Macromedia (MM) Technotes
>>> ==================
>>>
>>>
>>> "Pizza Good" <[email protected]> wrote
in message
>>> news:[email protected]...
>>>> That's good, or perhaps you are not building
the types of sites that
>>>> may encounter the so called problems?
>>>>
>>>>
>>>> "Murray *ACE*"
<[email protected]> wrote in message
>>>> news:[email protected]...
>>>>>I have to say that I've used 8.0.2 with
such things quite a bit and not
>>>>>encountered *any* of the posted problems.
>>>>>
>>>>> --
>>>>> Murray --- ICQ 71997575
>>>>> Adobe Community Expert
>>>>> (If you *MUST* email me, don't LAUGH
when you do so!)
>>>>> ==================
>>>>>
http://www.dreamweavermx-templates.com
- Template Triage!
>>>>>
http://www.projectseven.com/go
- DW FAQs, Tutorials & Resources
>>>>>
http://www.dwfaq.com - DW FAQs,
Tutorials & Resources
>>>>>
http://www.macromedia.com/support/search/
- Macromedia (MM) Technotes
>>>>> ==================
>>>>>
>>>>>
>>>>> "Paul Whitham AdobeCommunityExpert"
<[email protected]> wrote in
>>>>> message
news:[email protected]...
>>>>>> Using stored procedures is a good
safe guard against SQL injection
>>>>>> because you have to define your
parameter types, in much the same way
>>>>>> that the parameters in the 8.0.2
worked.
>>>>>>
>>>>>> Yes it did break a number of
extensions because the underlying code
>>>>>> was completely rewritten but it is
my understanding that most of
>>>>>> these were subsequently patched to
work with it.
>>>>>>
>>>>>> --
>>>>>> Paul Whitham
>>>>>> Certified Dreamweaver MX2004
Professional
>>>>>> Adobe Community Expert - Dreamweaver
>>>>>>
>>>>>> Valleybiz Internet Design
>>>>>> www.valleybiz.net
>>>>>>
>>>>>> "Pizza Good"
<[email protected]> wrote in message
>>>>>>
news:[email protected]...
>>>>>>>I think what he is referring to
is the sql injection "prevention"
>>>>>>>code that was introduced in the
8.0.2 update. I read a bunch of
>>>>>>>issues related to the way
recordsets were coded and that a page that
>>>>>>>was coded lets say in ASP using
8.0.1 that had used QueryString
>>>>>>>values that were passed into the
recodset for filtering/searching no
>>>>>>>longer worked. I also read that
8.0.2 "broke" a lot of extensions
>>>>>>>because of the fix.
>>>>>>>
>>>>>>> I am still using MX2004, but I'm
curious if the supposed problems
>>>>>>> that came up with 8.0.2 could be
totally avoided if a programmer
>>>>>>> used Stored Procedures?
>>>>>>>
>>>>>>> Hopefully that makes sense.
>>>>>>>
>>>>>>>
>>>>>>> "Paul Whitham
AdobeCommunityExpert" <[email protected]> wrote in
>>>>>>> message
news:[email protected]...
>>>>>>>> Most of the change that was
made to the recordset in 8.0.2 was to
>>>>>>>> eliminate SQL injections.
What specifically are you refering to as
>>>>>>>> an issue now
>>>>>>>>
>>>>>>>> --
>>>>>>>> Paul Whitham
>>>>>>>> Certified Dreamweaver MX2004
Professional
>>>>>>>> Adobe Community Expert -
Dreamweaver
>>>>>>>>
>>>>>>>> Valleybiz Internet Design
>>>>>>>> www.valleybiz.net
>>>>>>>>
>>>>>>>> "Brendon"
<[email protected]> wrote in message
>>>>>>>>
news:[email protected]...
>>>>>>>>> Those that are beta
testing it would know - if they were doing
>>>>>>>>> serverside/sql related.
It wouldn't be speculation at all - in
>>>>>>>>> fact it would be pretty
straight forward to test.
>>>>>>>>> I'd be very surprised if
they havn't fixed the issue - in fact I
>>>>>>>>> thought it was fixed in
the 8.0.2 update, but I could be wrong.
>>>>>>>>>
>>>>>>>>> Brendon
>>>>>>>>>
>>>>>>>>> "Deaf Web Designer"
<[email protected]> wrote in
>>>>>>>>> message
news:[email protected]...
>>>>>>>>>> DW CS3 is not here
as yet.
>>>>>>>>>>
>>>>>>>>>> Only time will tell
once you have DW CS3 installed on your
>>>>>>>>>> platform and find
>>>>>>>>>> out if that is the
case.
>>>>>>>>>>
>>>>>>>>>> At this point, it is
all speculation without knowing the fact of
>>>>>>>>>> the problem.
>>>>>>>>>> Try to be a bit more
patient until official release of product
>>>>>>>>>> sometime this
>>>>>>>>>> spring.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> -
Sql injection attack - need help changing ASP code
Our web server was attacked yesterday by SQL injection. So I
quickly learned about the holes in the code that was generated by
Dreamweaver MX 2004.
I found the help article on the Adobe website to fix the ASP
code; however I need more information for my particular case. I
don't know how to get my cursor type and location settings into the
new code.
MY ORIGINAL CODE
<%
Dim Recordset1
Dim Recordset1_numRows
Set Recordset1 = Server.CreateObject("ADODB.Recordset")
Recordset1.ActiveConnection = MM_Oncology_STRING
Recordset1.Source = "SELECT * FROM dbo.Oncology_Dir WHERE
Oncology_ID = " + Replace(Recordset1__MMColParam, "'", "''") + ""
Recordset1.CursorType = 0
Recordset1.CursorLocation = 3
Recordset1.LockType = 1
Recordset1.Open()
Recordset1_numRows = 0
%>
THE NEW CODE, WHICH NEEDS TO BE FIXED TO REFLECT CURSOR TYPE
AND LOCATION ABOVE.
<%
Dim Recordset1
Dim Recordset1_cmd
Dim Recordset1_numRows
Set Recordset1_cmd = Server.CreateObject ("ADODB.Command")
Recordset1_cmd.ActiveConnection = MM_Oncology_STRING
Recordset1_cmd.CommandText = "SELECT * FROM dbo.Oncology_Dir
WHERE Oncology_ID = ?"
Recordset1_cmd.Prepared = true
Recordset1_cmd.Parameters.Append
Recordset1_cmd.CreateParameter("param1", 5, 1, -1,
Recordset1__MMColParam) ' adDouble
Set Recordset1 = Recordset1_cmd.Execute
Recordset1_numRows = 0
%>
What exactly is the 5,1,-1 in the code above?
Any help would be very much appreciated as my ASP page
(although secured from SQL injection) is not working properly.
Thanks,
--Jen
--JenThe new snippet is not vulnerable to SQL injection. It uses a
command
object and actual defined parameters, so you're safe. You
cannot change the
cursor type or location on that object.
"jennday" <[email protected]> wrote in
message
news:f85omh$ngg$[email protected]..
> Our web server was attacked yesterday by SQL injection.
So I quickly
> learned
> about the holes in the code that was generated by
Dreamweaver MX 2004.
> I found the help article on the Adobe website to fix the
ASP code; however
> I
> need more information for my particular case. I don't
know how to get my
> cursor type and location settings into the new code. -
After an SQL injection attack I followed the advice to use
cfqueryparam in my cfquery statements. Unfortunatley this does not
seem to have worked as many records in my database have again been
appended with scripts linking to javascript files on another
website.
I haven't coded in Coldfusion in a while and would really
appreciate it if someone could take a look at the code of one of my
pages and let me know if I have missed anything or miss coded the
cfqueryparam tag.
Thanks in advance
NeilYou can add the following code to your application file.
<!--- CREATE SQL REGULAR EXPRESSION--->
<cfset sqlregex = "
(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|
(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|
(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|
(DELETE\sFROM\s[\d\w\'\=]+)|
(DROP\sTABLE\s[\d\w\'\=]+)">
<!--- CHECK FORM VARIABLES --->
<cfloop collection="#form#" item="formelement">
<cfif isSimpleValue(evaluate(formelement)) AND
refindnocase(sqlregex, "#evaluate(formelement)#")>
<cflocation url="messages.cfm?message=Invalid Input.
Possible SQL Injection attack.">
<cfset StructClear(form)>
<cfabort>
</cfif>
</cfloop>
<!--- CHECK URL VARIABLES --->
<cfloop collection="#url#" item="formelement">
<cfif isSimpleValue(evaluate(formelement)) AND
refindnocase(sqlregex, "#evaluate(formelement)#")>
<cflocation url="messages.cfm?message=Invalid Input.
Possible SQL Injection attack.">
<cfset StructClear(url)>
<cfabort>
</cfif>
</cfloop>
Good luck
Mamdoh
P.S: The credit for the script go to sys-con.com -
Lightswitch Security, Protection against SQL Injection attacks etc.
Hi all,
I have been hunting around for some kind of documentation that explains how Lightwitch handles typical web application vunerabilities such as SQL injection attacks.
In the case of injection attacks it is my understanding the generated code will submit data to the database via names parameters to protect against such things but it would be good to have some official account of how Lightswitch handles relevant OWASP
issues to help provide assurance to businesses that by relying on a framework such as Lightswitch does not introduce security risks.
Is anyone aware of such documentation? I found this but it barely scratches the surface:
http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
There is this which describes best practices but nothing to say that these practices are adopte within Lightswitch
http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
Thanks for any help, I am amazed that it is so difficult to find?LS is a tool built in top of other technologies including Entity Framework.
Here is a security doc about EF.
http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx
LS uses Linq to Entities and therefore is not susceptible to SQL injection.
HTH,
Josh
PS... the only vulnerability that I'm aware of is when a desktop app is deployed as 2-tier instead of 3-tier. In that case, the web.config which contains connection strings is on the client machine, which is a risk. Here is a discussion related
to db security & 2 vs 3-tier.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/93e035e0-0d2e-4405-a717-5b3207b3ccac/can-sql-server-application-roles-be-used-in-conjunction-with-lightswitch?forum=lightswitch -
Preventing sql injection attack
string objConn9 = "Provider = MSDAORA;User ID=103109798;Password=password;Data Source=orabis;";
OleDbConnection myConnection9 = new OleDbConnection(objConn9);
string commandString9 = "INSERT INTO users(username,password)VALUES(:username,:password)";
OleDbCommand myCommand9 = new OleDbCommand(commandString9, myConnection9);
myCommand9.Parameters.Add(":username", txtUsername.Text);
myCommand9.Parameters.Add(":password", txtPassword.Text);
myConnection9.Open();
myCommand9.ExecuteNonQuery();
myConnection9.Close();
i'm using this code to try to remove the problem of
users entering a comma or an semi colon and throwing off my query, but its not working...
is there an easy way to insert text values into oracle 8i
that contain '; etc without throwing it off. I'm developing through c# and oracle 8i, the problem is most of the code examples are related to sql server and vb.netI may be off here, but in this case you appear to be okay. The code snippet you include looks to me like it is using bind variables. If you are using bind variables you are not susceptible to sql injection attacks.
It is only when concatenating a string together to make a sql statement that injection attacks can occur.
See
http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:668624442763#18067076079313
and search for injection.
Or just go to
http://asktom.oracle.com
and search for "sql injection bind variable" for lots of other references. -
Any Admins aware of possible SQL "injection" attacks like this?
For example in your web sites login.asp or similar:
select * from users
where uname='%value1%'
and pwd='%value2%'
where %value1% equals "garbage"
and %value2% equals "garbage' or TRUE or '"
select * from users
where uname='garbage'
and pwd='garbage' or TRUE or ''
Useful source of security info:
http://www.nextgenss.com/news.html
Get Oracle Security Patches:
http://otn.oracle.com/deploy/security/alerts.htm
Adeeva.There was an excellent presentation on this and other database attacks at the recent SEOUC conference in Charlotte. You can see the slides by going to http://www.seouc.org. Select "Presentation Abstracts" from the menu and then choose the keynote address. There were a lot of open jaws in the presentation room.
One technique that we use is to package all SQL used in our websites using bind variables. So the login script you showed would be replaced by a packaged procedure something like this:
PROCEDURE validate_logon (id_in appusers.id%TYPE, pw_in appusers.password%TYPE)
RETURN INTEGER
IS
x INTEGER;
sqlstr := 'select count(*) from appusers where id = :1 and password = :2';
BEGIN
EXECUTE IMMEDIATE sqlstr INTO x USING id_in, pw_in;
RETURN x;
END;
This would return a positive integer (should always be 1) if the validation succeeds and 0 if it fails. They can't easily inject stuff into this. We used packaged dynamic SQL with bind variables for everything. Also, the account that logs onto the database never has access of any kind to the tables or views, only EXECUTE on the procedures.
Nothing is foolproof but at least it makes it harder for them. -
i mean if i built a site using php and sql using dreamweaver cs 6 ...will it be protected from various hacker attacks such as sql injection,xss,spoofed form input,etc..?? if it is not protected...tell me where can i learn to protect my website using php and sql....from all types of hacker attacks...help needed.... thank you..:)
A couple more comments.
To guard against most of these security risks, you have to completely sanitize any user input whether processed further on subsequent pages or added to a database. That complete sanitization usually involves stripping out any HTML/JavaScript, and blocking SQL-crashing equalities/inequalities.
You can get alot of information about these and other methods on the Dreamweaver AppDev forum -
http://forums.adobe.com/community/dreamweaver/dreamweaver_development?view=discussions
which is where most server-scripting topics are discussed. -
Preventing Sql Injection Attacks
Please see my posting on "Sql Injection" in the Technologies\Security forum. I am interested in preventing sql injection attacks on our server. It was difficult to decide where to post it as it is a security issue but it may be general server issue. Or is it???
It would have helpful if you had either repeated the text of your other post here, or else included a link Sql Injection.
Tom Best posted a link to an interesting sounding paper in Injection Attack. I haven't had the chance to read it yet, but it is probably the best best place to start (as no-one else posted to that thread).
Cheers, APC -
SQL Injection, replace single quote with two single quotes?
Is replacing a single quote with two single quotes adequate
for eliminating
SQL injection attacks? This article (
http://www.devguru.com/features/kb/kb100206.asp
) offers that advice, and it
enabled me to allow users to search name fields in the
database that contain
single quotes.
I was advised to use "Paramaterized SQL" in an earlier post,
but I can't
understand the concept behind that method, and whether it
applies to
queries, writes, or both.Then you can use both stored procedures and prepared
statements.
Both provide better protection than simply replacing
apostrophes.
Prepared statements are simple:
Set myCommand = Server.CreateObject("ADODB.Command")
...snip...
myCommand.CommandText = "INSERT INTO Users([Name], [Email])
VALUES (?, ?)"
...snip...
myCommand.Parameters.Append
myCommand.CreateParameter("@Name",200,1,50,Name)
myCommand.Parameters.Append
myCommand.CreateParameter("@Email",200,1,50,Email)
myCommand.Execute ,,128 'the ,,128 sets execution flags that
tell ADO not to
look for rows to be returned. This saves the expense of
creating a
recordset object you don't need.
Stored procedures are executed in a similar manner. DW can
help you with a
stored procedure through the "Command (Stored Procedure)"
server behavior.
You can see a full example of a prepared statement by looking
at DW's
recordset code after you've created a recordset using version
8.02.
"Mike Z" <[email protected]> wrote in message
news:eo5idq$3qr$[email protected]..
>I should have repeated this, I am using VBScript in ASP,
with an Access DB.
> -
What is SQL Injection?
SQL Injection is a way to attack the data in a database through a firewall protecting it. It is a method by which the parameters of a Web-based application are modified in order to change the SQL statements that are passed to a database to return data. For example, by adding a single quote (‘) to the parameters, it is possible to cause a second query to be executed with the first.
An attack against a database using SQL Injection could be motivated by two primary objectives:
1. To steal data from a database from which the data should not normally be available, or to obtain system configuration data that would allow an attack profile to be built. One example of the latter would be obtaining all of the database password hashes so that passwords can be brute-forced.
2. To gain access to an organisation’s host computers via the machine hosting the database. This can be done using package procedures and 3GL language extensions that allow O/S access.
There are many ways to use this technique on an Oracle system. This depends upon the language used or the API. The following are some languages, APIs and tools that can access an Oracle database and be part of a Web-based application.
* JSP
* ASP
* XML, XSL and XSQL
* Javascript
* VB, MFC, and other ODBC-based tools and APIs
* Portal, the older WebDB, and other Oracle Web-based applications and API’s
* Reports, discoverer, Oracle Applications
* 3- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
* Perl and CGI scripts that access Oracle databases
* many more.
Any of the above applications, tools, and products could be used as a base from which to SQL inject an Oracle database. A few simple preconditions need to be in place first though. First and foremost amongst these is that dynamic SQL must be used in the application, tool, or product, otherwise SQL Injection is not possible.
The final important point not usually mentioned in discussions about SQL injection against any database including Oracle is that SQL injection is not just a Web-based problem. As is implied in the preceding paragraph, any application that allows a user to enter data that may eventually end up being executed as a piece of dynamic SQL can potentially be SQL injected. Of course, Web-based applications present the greatest risk, as anyone with a browser and an Internet connection can potentially access data they should not.
While second article of this series will include a much more in-depth discussion of how to protect against SQL injection attacks, there are a couple of brief notes that should be mentioned in this introductory section. Data held in Oracle databases should be protected from employees and others who have network access to applications that maintain that data. Those employees could be malicious or may simply want to read data they are not authorized to read. Readers should keep in mind that most threats to data held within databases come from authorized users.
Protecting against SQL Injection on Oracle-based systems is simple in principle and includes two basic stages. These are:
1. Audit the application code and change or remove the problems that allow injection to take place. (These problems will be discussed at greater length in the second part of this series.)
2. Enforce the principle of least privilege at the database level so that even if someone is able to SQL inject an application to steal data, they cannot see anymore data than the designer intended through any normal application interface.
The “Protection” section, which will be included in the second part of this series, will discuss details of how to apply some of these ideas specifically to Oracle-based applications.
[http://www.securityfocus.com/infocus/1644]
how oracle prevent sql injections?mango_boy wrote:
damorgan wrote:
And they do so using bind variables
http://www.morganslibrary.org/reference/bindvars.html
and DBMS_ASSERT
http://www.morganslibrary.org/reference/dbms_assert.html
do you have any suggestion for mysql users??Yes. Install Oracle. -
Hello all-
I've got a server with a huge number of ColdFusion templates
(over 10,000) which I really need to protect agains SQL Injection.
I know that CFQUERYPARAM is the best way to do this. I'd love
to do it that way, but with so many pages, and so many queries it
would take weeks/months to fix the queries, then test to make sure
I didn't screw something up.
So, I've come up with a plan that I wanted to get some input
on.
Currently, I have a page on my server that is included in
almost every page that runs. It is a simple page that I can modify
to change the status of my systems in the event of a database
changeover, or some other sort of failure. (The pages still run,
but no updating is allowed, only reading)
Okay, so on this page which is always included, I was
thinking about analyzing the variables that come over. I was
thinking about looking for things that looked like a SQL injection
attack and blocking the page from running.
I wanted to know if this would work- anyone have ideas? This
would be great because I could protect the entire server in about
an hour. But, I don't want to give myself a false sense of security
if this won't really do the job.First, here are some simple things you can do to protect all
pages before you follow the other advice and plans in this thread:
In CF administrator, click on your datasources and then the
"Advanced" button.
There you will uncheck all but the read and stored procedure
and (possibly) write permissions. "Drop", "Create", etc., are
definite no-nos here.
If you haven't already, make one data source read-permissions
only and refactor your code to use it everywhere except for
carefully segregated updates, inserts and deletes.
Now, in SQL Server itself, remove all permissions from the
users that CF uses except for data_reader and (selectively) data
writer and exec permissions on any procedures or functions you use.
In SQL server, setup at least two CF users. One, should have
only the data_reader permission (plus any read-only stored
procedures).
Find articles, such as this one:
http://www.sqlservercentral.com/columnists/bknight/10securingyoursqlserver.asp,
and follow their advice, start with locking down xp_cmdshell.
These measures require little or no CF code changes but will
block all but the most determined and skilled hackers. You still
need to follow Adam's advice though.
BTW, Dan is very wrong, ALL DB's are vulnerable to SQL
injection.
SQL server is not even the most vulnerable anymore (Studies
show that Oracle now has that "honor").
Maybe you are looking for
-
All views other than the classic view are unnecessarily complicated, confusing and - to me - irritating. The view of each individual mail can of course be changed which is tiresome. Is there a way to have Thunderbird - who is otherwise a very good ma
-
Albums in Library not on iCloud
I just signed up for Match. I have 55 albums in my iTunes Library, but only 25 show up as available on my devices. What can I do to make the other 30 albums available on iCloud?
-
What can not be transferred to a new iphone5?
I will be upgrading to iphone5 in the near future. what can not be transferred from another iphone?
-
Detected Problem with audio configuration - wont run
Everything else on pc seems to work fine apart from itunes Can anyone help please? Thank you
-
Importing dates from Excel 2013 (XML)
Hi all, So I have a fully mapped (and otherwise perfectly functioning) Excel file which my organization uses to load data into PDF forms. Unfortunately I cannot get dates to work correctly. Here is the error I get on Import: "Invalid date/time: pleas