nV News Forums

 
 


tornadog 07-28-08 02:40 PM

SQL Injection Attacks on ASP/ASP .net
 
Anybody have any quick fix code to check for possible cross scripting in querystring values? We had an attack through a third-party control's code, so we had no way of trapping the querystring parameters. Funny thing was only data in one of the tables we were using for auditing transactions was affected. Rest of the data was left intact. I guess we were just lucky!!!!

Sycario 07-28-08 04:39 PM

Re: SQL Injection Attacks on ASP/ASP .net
 
Take the values from the query string and parametrize them in the SQL.
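
What parametrizing query-string values looks like in ADO.NET, as an added example that is not part of any post in this thread. The `AuditLog` table, its columns, and the `account` and `action` query-string keys are hypothetical; the command is built but not executed, so `Main` runs without a database (it needs a reference to System.Web).

```csharp
// Added example, not code from the thread. Table, column and key names are hypothetical.
using System;
using System.Collections.Specialized;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class AuditQueries
{
    // Builds the lookup from query-string values without ever concatenating
    // them into the SQL text. Returns null when the input fails validation.
    public static SqlCommand BuildLookup(NameValueCollection query)
    {
        // Numeric values: parse to the expected type and reject anything else.
        int accountId;
        if (!int.TryParse(query["account"], out accountId) || accountId <= 0)
            return null;
        // Free-text values: bound the length, then pass as a parameter.
        string action = query["action"] ?? string.Empty;
        if (action.Length == 0 || action.Length > 50)
            return null;

        SqlCommand cmd = new SqlCommand(
            "SELECT Id, Action, CreatedAt FROM AuditLog " +
            "WHERE AccountId = @accountId AND Action = @action");
        cmd.Parameters.Add("@accountId", SqlDbType.Int).Value = accountId;
        cmd.Parameters.Add("@action", SqlDbType.NVarChar, 50).Value = action;
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample input: the last two carry quotes or SQL punctuation.
        string[] samples = {
            "account=42&action=login",
            "account=42&action=x'%20OR%20'1'%3D'1",
            "account=42%3B--&action=login"
        };
        foreach (string raw in samples)
        {
            SqlCommand cmd = BuildLookup(HttpUtility.ParseQueryString(raw));
            if (cmd == null) { Console.WriteLine("rejected: " + raw); continue; }
            // The SQL text is the same for every accepted request; only parameter values differ.
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("  " + p.ParameterName + " = [" + p.Value + "]");
        }
    }
}
```

The second sample is accepted, but its quote characters stay inside the `@action` value and never reach the command text; the third is rejected because `account` does not parse as an integer.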

ViN86 07-29-08 08:12 AM

Re: SQL Injection Attacks on ASP/ASP .net
 
Quote:

Originally Posted by tornadog (Post 1725803)
Anybody have any quick fix code to check for possible cross scripting in querystring values? We had an attack through a third-party control's code, so we had no way of trapping the querystring parameters. Funny thing was only data in one of the tables we were using for auditing transactions was affected. Rest of the data was left intact. I guess we were just lucky!!!!

Aren't you escaping the strings?

Don't know how to do it in ASP.NET, but I know in PHP there are functions to do so. You may need to write your function to do it.

EDIT:

Here: http://msdn.microsoft.com/en-us/library/ms998271.aspx

Did you guys put a page up without escaping the user input? Jeez, that's security 101.

ViN86 07-29-08 09:00 AM

Re: SQL Injection Attacks on ASP/ASP .net
 
You guys should read this:

http://www.acunetix.com/websitesecurity/

