So I forgot to blog about the SQL Injection problems that I have come across. This certain one used SQL Injection to get into an admin side of a shopping cart website and made some changes to the payment parts and set the money to go to him/her.
The SQL Injection related to logging into a website with forms authentication with a Username and Password box. In Classic ASP you could see something like
set adconn = Server.CreateObject(“ADODB.Connection”)set adRS = Server.CreateObject(“ADODB.Recordset”) adconn.Open connectionStringstrSQL = “select * from tblUsers WHERE UserId = ‘” & Request.Form(“username”) & “’ and Password=’” & Request.Form(“password”) & “’”adRS.Open strSQL, adConnif adRS.EOF Then ‘ not a user authenticatedelse ‘ is a user authenticatedend if
So if I put in the box junior’ or 1 = 1 –
So the statement would look like this: select * from tblUsers where UserId = ‘junior’ or 1=1 -- ' and Password=’passwordfield’
Being that we used the double - SQL Server will only execute whether the UserId = junior or 1=1, which we all know that 1=1 so there will be a recordset coming back, and therefore it will be counted as authenticated.
Now this was a very simplistic example, and there are many more that are more complex, but it is fairly common to have situations like this where someone can get in and wreak some havoc. So please remember to use the ADODB.Command and ADODB.Parameter so that you do not run into the SQL Injection attacks that you can have with concatenated strings.