
Not sure where I am going wrong.

I am trying to show a PNG icon in an ASP page. The PNG is stored in a SQL database in BLOB format. The image in the table is shown below (a small section).


The page, PIC.ASP, is shown here:

<!--#include file="SQLConnect.asp"-->

<%
' SQLConnect.asp is expected to provide the open connection (conn) and recordset (rs1)
FN = Request.QueryString("FN")
' filename is concatenated straight into the SQL string
sql1 = "SELECT * FROM [Database].[dbo].[Images] where filename= '" & FN & "'"
rs1.Open sql1, conn, 3, 3    ' 3, 3 = adOpenStatic, adLockOptimistic
Response.Expires = 0
Response.Buffer = True
Response.Clear
Response.ContentType = "image/png"
Response.BinaryWrite rs1("BLOB")   ' column contents written to the client as-is
rs1.Close
%>

I get a black screen with a very small white square with no image that can be seen. Stumped. It looks like it would work. Any help appreciated guys!

Joel Coehoorn
Juliemac

1 Answer

First of all, before we do anything else, think very carefully about what would happen if someone looked at your HTML and decided to send this URL to your image handler ASP:

http://example.com/yourpage.asp?FN=%27%3BDELETE%20FROM%20%5BImages%5D%3B--

Classic ASP has a mechanism for parameterized queries. Use them. EVERY TIME! Otherwise, your application is practically begging to get hacked, and you're lucky if you haven't been already and just haven't seen it yet.

This is serious! If you have a site like this in production, it's worth stopping everything else until you have resolved every. single. place. you've used string concatenation to include user-supplied (or even influenced) information into an SQL string.

This is too important even for practice/learning/proof of concept code! Don't teach yourself to build something in a way that will come back to bite you when you need to do it for real.


Aside from that, you're doing most of the things I expect: setting the content type and using Response.BinaryWrite() instead of the regular Response.Write(). The one thing you're missing is that this data is still base-64 encoded. You need to base-64 decode that data before you will be able to use it as an image.

Joel Coehoorn
  • It's a one-use, internal-only page to strip the application of the images so we can use them effectively. I'll set the content type of the calling page to XLS to create an Excel file with the name and the image. – Juliemac Sep 25 '21 at 21:01
  • Internal-only apps can still be abused, often even by accident. SQL injection is a **HUGE DEAL**, and not something to just let slide. Ever. – Joel Coehoorn Sep 27 '21 at 16:36
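A version of PIC.ASP that applies both points from the answer above (a parameterized query through ADODB.Command, and base-64 decoding through an MSXML typed node), added here as an example and not code from the question or the answer. It assumes SQLConnect.asp leaves an open ADODB.Connection named conn, that filename is a varchar column, and that [BLOB] holds the base-64 text either as a string or as a varbinary of ASCII bytes.

```vbscript
<!--#include file="SQLConnect.asp"-->
<%
' Added example (hardened PIC.ASP); assumes SQLConnect.asp opened conn.
' Convert a varbinary column value (ASCII bytes) to a VBScript string.
Function BytesToText(bytes)
    Dim stm
    Set stm = Server.CreateObject("ADODB.Stream")
    stm.Type = 1              ' adTypeBinary
    stm.Open
    stm.Write bytes
    stm.Position = 0
    stm.Type = 2              ' adTypeText
    stm.Charset = "us-ascii"
    BytesToText = stm.ReadText
    stm.Close
End Function
' Decode base-64 text to a byte array using MSXML's bin.base64 typed node.
Function Base64ToBytes(b64Text)
    Dim doc, node
    Set doc = Server.CreateObject("MSXML2.DOMDocument")
    Set node = doc.createElement("b64")
    node.dataType = "bin.base64"
    node.text = b64Text
    Base64ToBytes = node.nodeTypedValue
End Function
Dim FN, cmd, rs, raw
FN = Request.QueryString("FN")
' Parameterized query: FN travels as a typed parameter, never as SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1           ' adCmdText
cmd.CommandText = "SELECT [BLOB] FROM [Database].[dbo].[Images] WHERE filename = ?"
' 200 = adVarChar, 1 = adParamInput; use 202 (adVarWChar) for an nvarchar column
cmd.Parameters.Append cmd.CreateParameter("fn", 200, 1, 255, FN)
Set rs = cmd.Execute
If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.End
End If
raw = rs("BLOB").Value
If VarType(raw) = vbArray + vbByte Then raw = BytesToText(raw)  ' varbinary case
Response.Expires = 0
Response.Buffer = True
Response.Clear
Response.ContentType = "image/png"
Response.BinaryWrite Base64ToBytes(raw)   ' decoded PNG bytes, not the base-64 text
rs.Close
%>
```

With the placeholder parameter, the injection URL shown in the answer simply matches no row and yields a 404 instead of running a second statement.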