How can I know/check that my Classic ASP website is secured from SQL injection

Questions

I got a website for maintenance that is using Classic ASP technology. Now, my client is asking if this website is secured from SQL injection.

I've tried the Microsoft Source Code Analyzer for SQL Injection and I got no warning after testing.

Are there any other ways to check/verify that this Classic ASP source code is secured from SQL injection attacks?

Please advise! Thanks

Answers

There's not a single way to know. You could post some code and see how it looks.

The key is that you do not build your SQL statements with tainted data from the outside.

If you build a statement like this:

sql = "select * from whatever where id = " + id_parameter

then you are building a SQL statement with data from the outside world, and that is dangerous.

You must use parameterized queries, like this:

// ADO constants (adCmdText, adVarChar, ...) come from adojavas.inc or the ADO type library
objCmd.CommandType = adCmdText;
// The SQL text is fixed; each ? is a placeholder that is bound below
objCmd.CommandText = "UPDATE members SET photo = ? WHERE memberID = ?";
// Parameters are bound in the order the ? markers appear, with an explicit type and size
objCmd.Parameters.Append(
    objCmd.CreateParameter("filename", adVarChar, adParamInput, 510, fileName));
objCmd.Parameters.Append(
    objCmd.CreateParameter("memberID", adInteger, adParamInput, 4, memberid));
// Execute(RecordsAffected, Parameters, Options): the option belongs in the third slot
objCmd.Execute(null, null, adExecuteNoRecords);

Note that the objCmd.CommandText does not use any data from the outside. Outside data is funneled through the CreateParameter calls.
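One way to triage a Classic ASP code base for the pattern the answer warns about, as an added example that is not part of the original answer: it scans VBScript-style ASP source for SQL string literals joined by the & or + operators and notes whether a Request value (or a variable assigned from one) is on the same line. The ASP sample below is constructed for the scan, and a clean result is a hint, not proof; it does not see data that arrives through include files or database columns.

```python
import re

# Constructed Classic ASP (VBScript) sample for the scan; not code from the page.
SAMPLE_ASP = r'''<%
Dim id, sql, rs
id = Request.QueryString("id")
sql = "SELECT * FROM members WHERE memberID = " & id
Set rs = conn.Execute(sql)
q = "SELECT name FROM users WHERE login = '" & Replace(Request.Form("login"), "'", "''") & "'"
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "UPDATE members SET photo = ? WHERE memberID = ?"
cmd.Parameters.Append cmd.CreateParameter("memberID", adInteger, adParamInput, 4, Request.Form("memberID"))
conn.Execute "DELETE FROM sessions WHERE expires < GETDATE()"
%>'''

STRING_LIT = re.compile(r'"(?:[^"]|"")*"')  # VBScript literal; "" is an escaped quote
SQL_LIT = re.compile(r'"[^"]*\b(?:select|insert|update|delete|from|where|values|exec)\b', re.I)
TAINT_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*Request\b', re.I)
REQUEST_CALL = re.compile(r'\bRequest\b', re.I)


def find_string_built_sql(source):
    """Return (line_no, reason) for each line where a SQL literal is concatenated with other data."""
    tainted = set()   # variables assigned straight from Request.* earlier in the file
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("'"):           # VBScript comment line
            continue
        m = TAINT_ASSIGN.match(line)
        if m:
            tainted.add(m.group(1).lower())
        if not SQL_LIT.search(line):
            continue
        skeleton = STRING_LIT.sub('""', line)       # keep only the code outside string literals
        if not re.search(r"[&+]", skeleton):
            continue                                # a bare literal, e.g. CommandText = "... ?"
        if REQUEST_CALL.search(skeleton):
            reason = "request data concatenated directly into SQL"
        elif any(re.search(rf"\b{re.escape(v)}\b", skeleton, re.I) for v in tainted):
            reason = "variable assigned from Request concatenated into SQL"
        else:
            reason = "SQL built by concatenation; trace where the operands come from"
        findings.append((n, reason))
    return findings


if __name__ == "__main__":
    for line_no, reason in find_string_built_sql(SAMPLE_ASP):
        print(f"line {line_no}: {reason}")
```

Note that the Replace(..., "'", "''") line is still reported: escaping quotes is not a substitute for parameters, and it does nothing for numeric columns such as memberID.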

Source

License: CC BY-SA 3.0

http://stackoverflow.com/questions/13852375/how-can-i-know-check-that-my-classic-asp-website-is-secured-from-sql-injection
