cancer10

SQL Injection through ASP and MS SQL 2000

  #1  
Oct 27th, 2007
Hello,

I have heard a lot about SQL Injection. I was wondering how an injector comes to know the table/column names when they cannot see the ASP code in a website?

Can someone explain, please?

Thanks
SheSaidImaPregy

Re: SQL Injection through ASP and MS SQL 2000

  #2  
Oct 27th, 2007
You do not need to know the column names. If you pull information from an open source, like a querystring, and directly insert it into your SQL statement, like below, they can add bad stuff to it... like below:
<%
strRequest = Request.QueryString("query")
strSQL = "SELECT column FROM table WHERE column2='" & strRequest & "'"

'This is why it is bad below:
strRequest = "stories from';DROP...;"
'Imagine with me: when they insert this and get it right, they have deleted your entire table and all your data. Names are not as hard to guess as most would think.
'Try running the code to remove certain words like "drop", ";", "alter", "create", etc., if you have to pull from a querystring.
%>
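As an added example (not code from any poster in this thread): the same lookup written with an ADO parameterized command, so the querystring value is bound as data instead of being concatenated into the SQL text. The connection string is a placeholder, and the table and column names are the stand-ins from the post above.

```vbscript
<%
Option Explicit

' ADO constants (values from adovbs.inc), declared here so the page is self-contained.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim strRequest, conn, cmd, rs

' Untrusted input, as in the post above. & "" coerces a missing value to an
' empty string; Left() keeps it within the declared parameter size.
strRequest = Left(Request.QueryString("query") & "", 255)

Set conn = Server.CreateObject("ADODB.Connection")
' Assumption: placeholder connection string. Use a low-privilege SQL login
' that has no DROP/ALTER/CREATE rights on the database.
conn.Open "Provider=SQLOLEDB;Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;User ID=YOUR_USER;Password=YOUR_PASSWORD;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? is a parameter marker: the SQL text is fixed and never contains user input.
' [column], [table] and [column2] are the stand-in names from the post, bracketed because they are reserved words.
cmd.CommandText = "SELECT [column] FROM [table] WHERE [column2] = ?"

' The value is sent to SQL Server as a typed parameter (varchar, max 255),
' so quotes and semicolons inside it are compared as data, not parsed as SQL.
cmd.Parameters.Append cmd.CreateParameter("@query", adVarChar, adParamInput, 255, strRequest)

Set rs = cmd.Execute
Do Until rs.EOF
    ' HTML-encode on output so stored values cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs.Fields(0).Value & "") & "<br>"
    rs.MoveNext
Loop

rs.Close : Set rs = Nothing
Set cmd = Nothing
conn.Close : Set conn = Nothing
%>
```

With this form, the sample value from the post is simply looked up as a literal string in column2 and matches no rows.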
hopalongcassidy

Re: SQL Injection through ASP and MS SQL 2000

  #3  
Nov 9th, 2007
If you are interested in reading a good piece on SQL Injection that tells you how to hack into sites that don't protect themselves against such attacks and (what is more important) how to protect your site against such attacks, let me share a URL with you:

http://ocliteracy.com/techtips/sql-injection.html

This article is easy to read. It takes you on a step-by-step journey through the hacker's thought process and how he can succeed in creating havoc. It also tells you what you can do to defend your site against such attacks.

Hope this helps.

Hoppy