
SQL Injection through ASP and MS SQL 2000

Hello,

I have heard a lot about SQL injection. I was wondering how an injector comes to know the table/column names when they cannot see the ASP code of a website?

Can someone explain, please?

Thanks

cancer10
Posting Whiz in Training
234 posts since Dec 2004
Reputation Points: 58
Solved Threads: 1
 

You do not need to know the column names. If you pull information from an open source, like a querystring, and insert it directly into your SQL statement, like below, they can add bad stuff to it:

<%
strRequest = Request.QueryString("query")
strSQL = "SELECT column FROM table WHERE column2='" & strRequest & "'"

'This is why it is bad:
strRequest = "stories from';DROP...;"
'Imagine with me: when they insert this and get it right, they have deleted your entire table and all your data. Names are not as hard to guess as most would think.
'Try running code to remove certain words like "drop", ";", "alter", "create" etc. if you have to pull from a querystring.
%>
SheSaidImaPregy
Veteran Poster
1,080 posts since Sep 2007
Reputation Points: 43
Solved Threads: 68
 

If you are interested in reading a good piece on SQL injection that tells you how to hack into sites that don't protect themselves against such attacks and (what is more important) how to protect your site against such attacks, let me share a URL with you:

http://ocliteracy.com/techtips/sql-injection.html

This article is easy to read. It takes you on a step-by-step journey through the hacker's thought process and how he can succeed in creating havoc. It also tells you what you can do to defend your site against such attacks.

Hope this helps.

Hoppy:)

hopalongcassidy
Junior Poster
148 posts since Oct 2007
Reputation Points: 53
Solved Threads: 13
 
