Old 07-28-08, 02:40 PM   #1
tornadog
SQL Injection Attacks on ASP/ASP .net

Anybody have any quick fix code to check for possible cross scripting in querystring values? We had an attack through a third-party control's code, so we had no way of trapping the querystring parameters. Funny thing was, only data in one of the tables we were using for auditing transactions was affected. The rest of the data was left intact. I guess we were just lucky!!!!
Old 07-28-08, 04:39 PM   #2
Sycario
Re: SQL Injection Attacks on ASP/ASP .net

Take the values from the query string and parametrize them in the SQL.
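The suggestion in post #2, shown in ASP.NET terms as an added example that is not part of the original thread: the concatenated query beside its parameterized form. The `AuditLog` table, its columns, and the `user`/`days` query-string keys are hypothetical, and the code assumes references to System.Data.SqlClient and System.Web.

```csharp
using System;
using System.Collections.Specialized;
using System.Data;
using System.Data.SqlClient;
using System.Web;

static class AuditQueries
{
    // BEFORE (vulnerable): the query-string value becomes part of the SQL text,
    // so a quote character in it changes the structure of the statement.
    public static string BuildConcatenated(NameValueCollection qs)
    {
        return "SELECT Id, Action FROM AuditLog WHERE UserName = '" + qs["user"] + "'";
    }

    // AFTER: the SQL text is a constant; values travel separately as typed parameters.
    public static SqlCommand BuildParameterized(NameValueCollection qs)
    {
        // Numeric input is parsed and range-checked before it reaches the command.
        int days;
        if (!int.TryParse(qs["days"], out days) || days < 1 || days > 365)
            throw new ArgumentException("days must be an integer from 1 to 365");

        var cmd = new SqlCommand(
            "SELECT Id, Action FROM AuditLog " +
            "WHERE UserName = @user AND LoggedAt >= DATEADD(day, -@days, GETDATE())");
        // Explicit type and length: the value is sent as NVARCHAR(64) data, never as SQL.
        cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = qs["user"] ?? "";
        cmd.Parameters.Add("@days", SqlDbType.Int).Value = days;
        return cmd;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample input; in a page this would be Request.QueryString.
        var qs = HttpUtility.ParseQueryString("user=x'+OR+'1'%3D'1&days=7");
        Console.WriteLine(AuditQueries.BuildConcatenated(qs));
        using (var cmd = AuditQueries.BuildParameterized(qs))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.SqlDbType, p.Value);
        }
    }
}
```

No connection is opened, so the program runs without a database: it only prints the two query forms so the difference in the SQL text is visible.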
Old 07-29-08, 08:12 AM   #3
ViN86
 
Re: SQL Injection Attacks on ASP/ASP .net

Quote:
Originally Posted by tornadog
Anybody have any quick fix code to check for possible cross scripting in querystring values? We had an attack through a third-party control's code, so we had no way of trapping the querystring parameters. Funny thing was, only data in one of the tables we were using for auditing transactions was affected. The rest of the data was left intact. I guess we were just lucky!!!!

Aren't you escaping the strings?

Don't know how to do it in ASP.NET, but I know in PHP there are functions to do so. You may need to write your function to do it.

EDIT:

Here: http://msdn.microsoft.com/en-us/library/ms998271.aspx

Did you guys put a page up without escaping the user input? Jeez, that's security 101.
Old 07-29-08, 09:00 AM   #4
ViN86
 
Re: SQL Injection Attacks on ASP/ASP .net

You guys should read this:

http://www.acunetix.com/websitesecurity/