
Thread: SQL - Warning Injection via querystring

  1. #1
    SQL - Warning Injection via querystring

    From this morning's web server logs it appears some nice person from China has been attempting to use a query string (subsequently used in a select) to attempt multiple selects from other databases.

    It is indeed good fortune that I don't have admin authority over any other databases other than mine.

    I have now modified the code to only use the first two characters of the string if they are numeric and in other cases to return a 404 and then end the response.

    For those that may be interested I attach a log extract.

    David.

  2. #2

    Unfortunately many people don't realise how important it is to validate any "variables" you use in SQL queries.
    Warren Ashcroft
    Red Fox UK Limited - Pioneers in Internet Technology
    http://www.redfoxuk.com
    w.ashcroft [at] redfoxuk.com


  3. #3

    A few items may be of interest:

    asp.net is great at assisting to reduce sql and html injection hacks as long as you do not turn off request validation.

    Ensure you use parameters with database calls and ideally stored procedures.

    We have started testing sites with PCI compliance testing tools which have revealed vulnerabilities on some of our customer sites. We soon stopped testing though because of the volume of traffic the testing caused, which nearly caused interruption to services.

    A week later we then find out why one of our servers had a glitch: a customer had been scanning their site as they had been blagged that they needed to, when in fact they did not need to as they used WorldPay. What a salesman the person must have been.
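The two fixes this thread recommends, post #1's rule of using only the first two characters of the query-string value when they are numeric (and answering 404 otherwise) and post #3's advice to pass values as parameters, are shown together below in Python against an in-memory SQLite table. This is an added example written for this page, not code from either poster or their sites; the `products` table, its columns, the function names and the sample query-string values are all constructed. The concatenating version is included only to show why the thread's advice matters: the same tampered value that widens the concatenated query to every row is reduced to a plain integer by the two-digit rule and bound as a literal by the parameterised query.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data standing in for the poster's real table (assumption).
SAMPLE_ROWS = [(10, "widget"), (12, "gadget"), (25, "gizmo")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def parse_id(raw: Optional[str]) -> Optional[int]:
    """Post #1's rule: take the first two characters and accept them only if
    both are ASCII digits; anything else is rejected (the caller answers 404).
    An explicit ASCII check is used rather than str.isdigit(), which also
    accepts superscripts and non-ASCII digits that int() may not parse.
    Note the rule as stated rejects single-digit values such as "7"."""
    if raw is None:
        return None
    head = raw[:2]
    if len(head) == 2 and all(c in "0123456789" for c in head):
        return int(head)
    return None


def lookup_unsafe(conn: sqlite3.Connection, raw: str) -> List[Tuple[int, str]]:
    """The pattern that got the poster's site probed: the raw query-string
    value is concatenated straight into the SQL text. Shown for contrast only."""
    sql = "SELECT id, name FROM products WHERE id = " + raw
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, raw: Optional[str]) -> Tuple[int, List[Tuple[int, str]]]:
    """Hardened version: validate per post #1, then bind the value as a
    parameter per post #3 so the database never sees it as SQL.
    Returns an HTTP-style status code and the matching rows."""
    pid = parse_id(raw)
    if pid is None:
        return 404, []
    rows = conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (pid,)
    ).fetchall()
    return 200, rows


if __name__ == "__main__":
    db = make_db()
    tampered = "12 OR 1=1"          # constructed tampered query-string value
    print("unsafe:", lookup_unsafe(db, tampered))   # every row comes back
    print("safe:  ", lookup_safe(db, tampered))     # only id 12
    print("safe:  ", lookup_safe(db, "1' OR"))      # rejected with 404
```

Running the block prints three rows for the concatenated query, a single row for the hardened one, and a 404 for a value whose second character is not a digit. In a real ASP handler the 404 branch would write the status and end the response, as post #1 describes.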
