
Possible Duplicate:
Classic ASP SQL Injection Protection

So far, I've been very lucky not to have my website attacked by SQL injection, and possibly many other methods too.

I would like to know how to convert my login query to use parameters, which apparently will stop this kind of attack occurring.

My query is actually quite complicated, so I will show a simple version in this post, so then I can study the converted version and then try and implement it to my real query later.

This is what I currently have (simplified), which is asking for trouble:

username = Trim(Request("username"))
password = Trim(Request("password"))

' Untrusted input is concatenated straight into the SQL text
SQL = "SELECT clientID FROM clientAccounts " & _
      "WHERE username = '" & username & "' AND password = '" & password & "';"
Set rs = conn.Execute(SQL)

I would greatly appreciate if somebody could show me how this would look, using parameters, to protect it from injection.

Regards


1 Answer


From http://www.uberasp.net/getarticle.aspx?id=46 :

SqlConnection objConnection = new SqlConnection(_ConnectionString);
objConnection.Open();
SqlCommand objCommand = new SqlCommand(
   "SELECT * FROM User WHERE Name = @Name AND Password = @Password",
   objConnection);
// The values are bound as parameters and never spliced into the SQL text
objCommand.Parameters.Add("@Name", NameTextBox.Text);
objCommand.Parameters.Add("@Password", PasswordTextBox.Text);
SqlDataReader objReader = objCommand.ExecuteReader();
if (objReader.Read())
{
    ...
}

For classic ASP, from http://blog.binarybooyah.com/blog/post/Classic-ASP-data-access-using-parameterized-SQL.aspx :

    Set oSQLCommand = Server.CreateObject("ADODB.Command")
    With oSQLCommand
        .ActiveConnection = oSQLConn
        .CommandType = adCmdText
        .CommandText = "SELECT * FROM whatever WHERE field1=@field1"
        'add input parameters (adInteger, adParamInput, adCmdText come from adovbs.inc)
        .Parameters.Append .CreateParameter("field1", adInteger, adParamInput, , iTableIdValue)
    End With
    'run the query
    oRS.Open oSQLCommand

Also, don't write your own login code if it's for anything important (i.e., you're okay with the possibility of a complete stranger seeing everything on the server that you can). It takes a lot of time and testing to get it right, and one man alone (you) can't reasonably hope to do it right the first time.
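For completeness, here is the question's own login lookup rewritten with ADO parameters in classic ASP. This is an added example, not code from the answer or from either linked article; it assumes `conn` is an already open ADODB.Connection to SQL Server, that the ADO constants are defined as shown (they normally come from adovbs.inc), and that the columns are 50 characters wide.

```vbscript
<%
' Added example: parameterized version of the login query from the question.
' Assumed: conn is an open ADODB.Connection; constants as in adovbs.inc.
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

' Returns the clientID for a matching account, or Empty when there is none.
Function FindClientID(username, password)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' "?" is the positional placeholder ADO sends to SQL Server; the user's
    ' values travel separately from the SQL text, so quotes or SQL keywords
    ' typed into the form are compared as plain text, never executed.
    cmd.CommandText = "SELECT clientID FROM clientAccounts " & _
                      "WHERE username = ? AND password = ?"
    ' 4th argument is the declared size (assumed 50 for both columns)
    cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("password", adVarWChar, adParamInput, 50, password)
    Set rs = cmd.Execute
    If rs.EOF Then
        FindClientID = Empty
    Else
        FindClientID = rs("clientID")
    End If
    rs.Close
End Function

Dim username, password, clientID
username = Trim(Request("username"))
password = Trim(Request("password"))
clientID = FindClientID(username, password)
If IsEmpty(clientID) Then
    Response.Write "Login failed"
Else
    Response.Write "Logged in as client " & clientID
End If
%>
```

Parameters only address injection; the query still compares a stored password directly, which is one of the reasons the answer above recommends not hand-rolling login code for anything important.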