TheTAZZone - Internet Chaos

Tutorial – Cross posted SQL injection measures

ORIGINALLY POSTED BY NTSA FOR THETAZZONE/TAZFORUM HERE

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post… we do not sell, publish, transmit, or have the right to give permission for such… TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.

[quote="Shippwreck"]…I find that SQL Injection is one of those things that everyone agrees poses a major security risk, but if I ask the question what techniques to use to combat it or what are the key/most common things to look out for in your coding that leave you wide open, the room goes eerily quiet…[/quote]

Well, here’s what I do…

The ContainsSQL function below accepts a string value and checks for a ';' character (required for SQL stuffing) that lies outside of string delimiters.

Let's say your script uses a variable as a modifier for an SQL command. The variable is collected from the request string and is called "Variable", so in code you'd read its value with request("Variable").

Your code might look like this:
[code]
sqlq = "select * from '" & request("Variable") & "'"
sql.execute(sqlq)
[/code]

A black hat might fill in the Variable field with "A Variable.';[sql exploit here]". The SQL injection would mean that the SQL statement you executed would read like this:

[code]select * from 'A Variable.';[sql exploit here][/code]

because the ';' ends the current statement and begins a new one in the SQL parser.

To check this you'd call the function from your (ASP) code like this:
[code]
<% if object.ContainsSQL(CStr(Request("Variable"))) then
    response.write "Thank you."
    response.write "Your IP address has been logged."
    response.write "Please step away from the computer,"
    response.write "place your hands behind your head"
    response.write "and await the arrival of a local law"
    response.write "enforcement official."
end if
%>[/code]

[b]The function[/b]
[code]
Private Function ContainsSQL(tValue As String) As Boolean

Dim l, n

ClearError
On Error GoTo 10

ContainsSQL = False

' Ensure the value does not contain ; outside of string delimiters (')
' (to stop SQL stuffing exploits)
l = 1
For n = 1 To StringsCls.CountInString(tValue, ";")
    ' Locate the next ; and count the ' characters that precede it
    l = InStr(l, tValue, ";")
    If (StringsCls.OddEven(StringsCls.CountInString(Left(tValue, l), "'")) = 0) Then
        ContainsSQL = True
        Exit Function
    End If
    l = l + 1
Next

10:
If Not Err.Number = 0 Then
    'Stop
    mError.Number = Err.Number
    mError.Description = Err.Description
    SendTrace "ContainsSQL", "Error #" & Err.Number & ": " & Err.Description
End If

End Function
[/code]
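As an added example (not the post's own VB code), here is the same ';'-outside-string check modelled in Python, written for the exact splice point the post uses (`select * from '<value>'`), so the scan starts inside the opening quote. The post's StringsCls helpers are not shown, so the parity convention is assumed from the post's own worked example, and this version additionally treats a doubled `''` as an escaped quote rather than a closing delimiter.

```python
# Added example, not the original post's code: a Python model of ContainsSQL.
# The request value is spliced into   select * from '<value>'   so the scan
# begins INSIDE a single-quoted literal. A ';' is "outside string delimiters"
# only once an unescaped "'" has closed that literal.
# Assumption: the dialect escapes a literal quote as '' (two single quotes).

def first_stray_semicolon(value: str) -> int:
    """Return the 0-based index of the first ';' that lies outside a
    string literal, or -1 if every ';' is inside one."""
    in_string = True            # we start inside the opening quote
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "'":
            if in_string and i + 1 < len(value) and value[i + 1] == "'":
                i += 2          # escaped quote: still inside the literal
                continue
            in_string = not in_string
        elif ch == ";" and not in_string:
            return i
        i += 1
    return -1


def contains_sql(value: str) -> bool:
    """The post's ContainsSQL: True when a ';' sits outside string delimiters."""
    return first_stray_semicolon(value) != -1


if __name__ == "__main__":
    # Constructed sample inputs mirroring the post's scenario.
    samples = [
        "A Variable.';[sql exploit here]",   # the post's example: flagged
        "hello; world",                      # ';' inside the literal: not flagged
        "O''Brien; and co",                  # escaped quote, still inside: not flagged
    ]
    for s in samples:
        print(f"{s!r:40} -> {contains_sql(s)}")
```

The check only answers the one question the post poses (is there a ';' outside the delimiters); it says nothing about other characters in the value.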
