Styles

Wednesday, February 10, 2010

Classic ASP - prevent SQL Injection hacks

Typically, a developer would be tempted to write the following to connect to a database and run a stored procedure:

<%@ Language=VBScript %>
<% option explicit %>
<%
    ' customerID, contactID and ConnectionString are assumed to be declared and populated earlier on the page
    dim cnn, strSQL, result
    set cnn = server.CreateObject("ADODB.Connection")
    cnn.Open ConnectionString

    ' the user-supplied values are glued straight into the SQL text
    strSQL = "exec uspSQLInsertString " & customerID & "," & contactID

    set result = cnn.Execute(strSQL)

    cnn.Close
    set cnn = nothing
%>

This is a poor use of ADO: whatever the user supplies in customerID and contactID becomes part of the SQL statement itself, which exposes the page to SQL injection.
A more appropriate use of ADO in Classic ASP is as follows:

<%@ Language=VBScript %>
<% option explicit %>
<%
    ' ADO constants, normally supplied by including adovbs.inc
    const adCmdStoredProc = 4
    const adDBDate = 133
    const adParamInput = 1

    dim cmd, result
    set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = ConnectionString
    cmd.CommandText = "uspSQLInsertString"
    cmd.CommandType = adCmdStoredProc
    ' the form value travels as a typed parameter; it is never spliced into the SQL text
    cmd.Parameters.Append cmd.CreateParameter("@date", adDBDate, adParamInput, 6, cdate(Request.Form("hLive")))

    set result = cmd.Execute()

    set cmd = nothing
%>

This is the more appropriate way: a parameterised query, where each value is handed to ADO as a typed parameter and the database driver keeps it separate from the command text. Note that cdate raises a type-mismatch error on a form value that is not a date, so checking the value with IsDate first gives a cleaner failure than an unhandled ASP error.
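As an added example (not code from the original post), the first page's call to uspSQLInsertString rewritten so that its two arguments are passed as typed integer parameters and validated before they reach ADO; the form field names, the @customerID and @contactID parameter names, and reading the connection string from Application("ConnectionString") are assumptions:

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
    ' ADO constants, normally supplied by adovbs.inc; defined inline so the page stands alone
    Const adCmdStoredProc   = 4
    Const adInteger         = 3
    Const adParamInput      = 1
    Const adExecuteNoRecords = 128

    Dim cmd, customerID, contactID, connStr

    ' Assumed form field names; in the original post these values are undeclared
    customerID = Request.Form("customerID")
    contactID  = Request.Form("contactID")

    ' Reject anything that is not a whole number before it is bound as a parameter
    If Not IsNumeric(customerID) Or Not IsNumeric(contactID) _
       Or InStr(customerID, ".") > 0 Or InStr(contactID, ".") > 0 Then
        Response.Status = "400 Bad Request"
        Response.Write "customerID and contactID must be whole numbers"
        Response.End
    End If

    ' Assumed: the connection string is stored in Application state at startup
    connStr = Application("ConnectionString")

    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = connStr
    cmd.CommandText = "uspSQLInsertString"
    cmd.CommandType = adCmdStoredProc

    ' Each value is bound as a 4-byte integer parameter; the SQL text never changes
    cmd.Parameters.Append cmd.CreateParameter("@customerID", adInteger, adParamInput, 4, CLng(customerID))
    cmd.Parameters.Append cmd.CreateParameter("@contactID",  adInteger, adParamInput, 4, CLng(contactID))

    ' The procedure only inserts, so no recordset is requested back
    cmd.Execute , , adExecuteNoRecords

    Set cmd = Nothing
%>
```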
