ASP RSS ASP RSS

SQl Injection through ASP and MS SQl 2000

Please support our ASP advertiser: $4.95 a Month - ASP.NET Web Hosting – Click Here!
Reply

Join Date: Dec 2004
Posts: 234
Reputation: cancer10 is an unknown quantity at this point 
Solved Threads: 0
cancer10's Avatar
cancer10 cancer10 is offline Offline
Posting Whiz in Training

SQl Injection through ASP and MS SQl 2000

 
0
  #1
Oct 27th, 2007
Hello,


I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?

Can someone explain plz?



Thanx

FocusInterview.com - PHP Interview Questions & Answers

IGCHosting - Cheapest Web Hosting
Reply With Quote Quick reply to this message  
Join Date: Sep 2007
Posts: 1,080
Reputation: SheSaidImaPregy is an unknown quantity at this point 
Solved Threads: 68
SheSaidImaPregy SheSaidImaPregy is offline Offline
Veteran Poster

Re: SQl Injection through ASP and MS SQl 2000

 
0
  #2
Oct 27th, 2007
You do not need to know the column names. If you pull information from an open source, like a querystring, and directly insert it into your sql statement, like below, they can add bad stuff to it... like below:
ASP Syntax (Toggle Plain Text) 
  1. <%
  2. strRequest = Request.QueryString("query")
  3. strSQL = "SELECT column FROM table WHERE column2='" & strRequest & "'"
  4.  
  5. 'This is why it is bad below:
  6. strRequest = "stories from';DROP...;"
  7. 'Imaging with me, when they insert this and get it right, they deleted your entire table and all your data. Names are not as hard to guess as most would think.
  8. 'Try running the code to remove certain words like "drop" ";" "alter" "create" etc, if you have to pull from a querystring.
Reply With Quote Quick reply to this message  
Join Date: Oct 2007
Posts: 147
Reputation: hopalongcassidy is an unknown quantity at this point 
Solved Threads: 13
hopalongcassidy's Avatar
hopalongcassidy hopalongcassidy is offline Offline
Junior Poster

Re: SQl Injection through ASP and MS SQl 2000

 
0
  #3
Nov 9th, 2007
If you are interested in reading a good piece on SQL Injection that tells you how to hack into sites that don't protect themselves against such attacks and (what is more important) how to protect your site against such attacts, let me share a URL with you:

http://ocliteracy.com/techtips/sql-injection.html

This article is easy to read. It takes you on a step by step journey through the hacker's thought process and how he can succeed in creating havoc. It also tells you what you can do to defend you site against such attacks.

Hope this helps.

Hoppy
Reply With Quote Quick reply to this message  
Reply

Quick Reply to Thread
This thread is more than three months old.
Perhaps start a new thread instead?
Message:



Similar Threads
Other Threads in the ASP Forum
Thread Tools Search this Thread



archive asp aspandmssqlserver2005 aspandmssqlserver2005connection aspconnection connection database databaseconnection dreamweaver excel fso msmsql mssql2005 mssqlserver2005 mssqlserver2005andasp mssqlserverandasp opentextfile record searchbox selectoption single specfic sqlserver sqlserverconnection
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC