Classic ASP SQL Injection Protection

by

Stored Procedures and/or prepared statements:

https://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks

Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?

Catching SQL Injection and other Malicious Web Requests

With Access DB, you can still do it, but if you’re already worried about SQL Injection, I think you need to get off Access anyway.

Here’s a link to the technique in Access:

http://www.asp101.com/samples/storedqueries.asp

Note that what typically protects from injection is not the stored procedure itself, but that fact that it is parameterized and not dynamic. Remember that even SPs which build dynamic code can be vulnerable to injection if they use parameters in certain ways to build the dynamic code. Overall, I prefer SPs because they form an interface layer which the applications get to the database, so the apps aren’t even allowed to execute arbitrary code in the first place.

In addition, the execution point of the stored procedure can be vulnerable if you don’t use command and parameters, e.g. this is still vulnerable because it’s dynamically built and can be an injection target:

Conn.Execute("EXEC usp_ImOnlySafeIfYouCallMeRight '" + param1 + "', '" + param2 + "'") ;

Remember that your database needs to defend its own perimeter, and if various logins have rights to INSERT/UPDATE/DELETE in tables, any code in those applications (or compromised applications) can be a potential problem. If the logins only have rights to execute stored procedures, this forms a funnel through which you can much more easily ensure correct behavior. (Similar to OO concepts where objects are responsible for their interfaces and don’t expose all their inner workings.)

More Related Contents:

  1. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  2. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  3. PHP Session Security
  4. How do I create a self-signed certificate for code signing on Windows?
  5. Non-random salt for password hashes
  6. Prevent PDF file from downloading and printing
  7. Best way to handle security and avoid XSS with user entered URLs
  8. How do you protect your software from illegal distribution? [closed]
  9. How can I throttle user login attempts in PHP
  10. Why is using a Non-Random IV with CBC Mode a vulnerability?
  11. What should every programmer know about security? [closed]
  12. Is it safe to put a jwt into the url as a query parameter of a GET request?
  13. Stopping users voting multiple times on a website
  14. How do I store and retrieve credentials from the Windows Vault credential manager?
  15. MVC 6 Bind Attribute disappears?
  16. Username and password in https url
  17. How will a server become vulnerable with chmod 777?
  18. IIS7, web.config to allow only static file handler in directory /uploads of website
  19. How to do stateless (session-less) & cookie-less authentication?
  20. WS on HTTP vs WSS on HTTPS
  21. Should I impose a maximum length on passwords?
  22. Is there a way to force apache to return 404 instead of 403?
  23. RSA signature size?
  24. What’s the best approach for generating a new API key?
  25. client secret in OAuth 2.0
  26. What is the best “forgot my password” method? [duplicate]
  27. Do I need a “random salt” once per password or only once per database?
  28. How is it possible to access memory of other processes?
  29. How easily can you guess a GUID that might be generated?
  30. How do you protect code from leaking outside? [duplicate]

Leave a Comment