
Sorry for the long title, didn't want people just reading the title and not the question then going 'duplicate of xxx' when actually xxx is about sprocs etc...

So I am in a situation where I am very limited in what I can use. I am limited to classic ASP and querying using direct queries only - i.e. no stored procedures or parameterised queries.

What are my options here? I am thinking of replacing certain symbols, all if I can but I think in some cases certain symbols will need to be let through. I know the application I am writing this script for replaces all ' with ''; this should be enough to get around the ' or 1 = 1 hack, but I don't know what other major risks there are to prevent.

I've read around a bit but everywhere is saying to go for parameterised queries or sprocs, which obviously are not an option for me.

Can someone give me some pointers on what I could do to make my application as secure as possible, given my limitations? Thanks in advance.

Mikael Eriksson
ClarkeyBoy
  • Classic ASP can use parameterized queries. I have done so in the past. – Oded Jan 22 '12 at 13:03
  • What RDBMS are your queries running against? You haven't explained why parameterised queries are not an option. – Martin Smith Jan 22 '12 at 13:05
  • Why can't you use parameterised queries? If you can change code to write your own sanitiser, you can use parameters, surely? – gbn Jan 22 '12 at 13:05
  • But I am using a function from the core code which connects to the database and runs the query I pass to it; I suppose I could potentially take the function and modify it myself, but if the function in the core code is then changed and my application screws up big time, I get the blame. – ClarkeyBoy Jan 22 '12 at 13:05
  • Is that worse than you not fixing all possible issues of SQL injection and getting the blame for that? – Oded Jan 22 '12 at 13:06
  • @Oded: I see your point there. I will look into modifying the core code function at some point. Come to think of it, I am sure they must have a function for sanitizing user-specified values, so I could just use that function. Don't know why I didn't think of that before... I feel so dumb now. – ClarkeyBoy Jan 22 '12 at 13:08

3 Answers

I don't know the reason you don't want to use parameterized queries with classic ASP, but you definitely can.

It is a little trickier than using them in ASP.NET, but there is no reason you can't use them.

Have a look at this post; the links in the answer explain very well how to proceed.

Parameterized queries WITHOUT stored procedures?

If you really don't want to use this type of query, you could always replace ' with '' like you said. We have been doing this for quite a while now with some of our legacy applications and haven't had any problem with SQL injection.

Jason
  • Thank you. I've just had a look into the core code and it looks like http://www.userfriendlythinking.com/Blog/BlogDetail.asp?p1=7013&p2=119&p7=3001 is probably what I am looking for. – ClarkeyBoy Jan 22 '12 at 13:37
  • Replacing `'` with `''` can have problems, but not in this context AFAIK. Where it can go wrong is if the string has a Unicode homoglyph for `'`, the sanitation occurs, then the string is assigned to a non-Unicode datatype and the string is `EXEC`-ed in TSQL. [See this answer for more details](http://stackoverflow.com/questions/139199/can-i-protect-against-sql-injection-by-escaping-single-quote-and-surrounding-use/139810#139810) – Martin Smith Jan 22 '12 at 13:47
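The parameterised query this answer and the comments refer to, written out as an added example in classic ASP (VBScript) with `ADODB.Command`; this is not code from the answer or from the linked blog post. The application variable `ConnString`, the table `dbo.Users` and its columns `Id`, `Username` and `Status` are assumed for illustration. The point it shows is that the user-supplied values never become part of the SQL text, so no quote-doubling is needed at all, and the Unicode parameter type avoids the code-page conversion that Martin Smith's comment warns about.

```vbscript
<%
' Added example (not from the original answer): a parameterised SELECT in
' classic ASP using ADODB.Command, so user input is sent as data, never as SQL.
' Assumed: Application("ConnString") holds an OLE DB connection string and
' a table dbo.Users(Id, Username, Status) exists. Both are hypothetical.
Option Explicit

' ADO constants (normally supplied by adovbs.inc or the ADO type library)
Const adCmdText    = 1
Const adParamInput = 1
Const adInteger    = 3
Const adVarWChar   = 202

' Returns the Id for the given username and status code, or 0 when no row matches.
' Raises a runtime error if statusCode is not numeric, before touching the database.
Function FindUserId(userName, statusCode)
    Dim conn, cmd, rs
    If Not IsNumeric(statusCode) Then Err.Raise vbObjectError + 1, , "status must be numeric"

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn        ' Set: bind the object, not its connection string
    cmd.CommandType = adCmdText
    ' The ? placeholders are bound by the provider; a value such as  ' or 1=1 --
    ' is compared against the Username column as a string, not parsed as SQL.
    cmd.CommandText = "SELECT Id FROM dbo.Users WHERE Username = ? AND Status = ?"

    ' adVarWChar keeps the value Unicode end to end (matches an NVARCHAR column),
    ' so no later varchar conversion can turn a look-alike character into '.
    cmd.Parameters.Append cmd.CreateParameter("@Username", adVarWChar, adParamInput, 50, Left(userName, 50))
    cmd.Parameters.Append cmd.CreateParameter("@Status", adInteger, adParamInput, , CLng(statusCode))

    Set rs = cmd.Execute
    If rs.EOF Then
        FindUserId = 0
    Else
        FindUserId = rs("Id").Value
    End If
    rs.Close
    conn.Close
End Function

' Usage: request values are passed straight through; length is capped by the
' parameter size and the status is type-checked, so no escaping step exists.
Response.Write FindUserId(Request.Form("username"), Request.Form("status"))
%>
```

The same `ADODB.Command` object works with a stored-procedure name and `adCmdStoredProc` (4), but the text-command form above is all that is needed when procedures are unavailable; if the core code exposes only a "run this SQL string" helper, this is the shape the replacement helper would take.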

You can enforce security by putting a stricter algorithm into your input validation:

  • limit the length of user input
  • limit the symbols used in the user input
  • escape potential special characters.

For example, if the user input is numeric, you can validate that only the characters 0..9 are entered.

If the user is supplying text input and you wish to allow for ad hoc text, consider limiting the text that can be input to avoid special characters. If special characters are allowed, make sure your ASP script detects and escapes them so they get treated as ordinary text.

Stephen Quan
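The three controls listed in this answer (length limit, character whitelist, escaping) as an added classic ASP example; it is not code from the answer. The table `dbo.Customers` and the request field names are assumed. Escaping here means doubling `'` inside a quoted literal, which is only safe when the value is always placed between single quotes; the `N'...'` form follows the comment above about keeping the value Unicode so no code-page conversion happens afterwards.

```vbscript
<%
' Added example (not from the original answer): input validation for the case
' where the query has to be built as a string. Table dbo.Customers is assumed.
Option Explicit

' True only if s is 1..maxLen characters and every character matches the
' whitelist, given as a regular-expression character class such as "[0-9]".
Function IsAllowed(s, maxLen, classPattern)
    Dim re
    IsAllowed = False
    If Len(s) = 0 Or Len(s) > maxLen Then Exit Function
    Set re = New RegExp
    re.Pattern = "^" & classPattern & "+$"
    IsAllowed = re.Test(s)
End Function

' Numeric input: accept digits only and convert, so the value is concatenated
' as a number rather than as text. Rejects inputs such as "1 OR 1=1".
Function ToSafeInt(s)
    If Not IsAllowed(s, 10, "[0-9]") Then Err.Raise vbObjectError + 1, , "invalid integer input"
    ToSafeInt = CLng(s)
End Function

' Free text: on SQL Server, doubling ' is the only escape a string literal needs,
' provided the value always sits between single quotes. N'...' keeps it Unicode.
Function SqlLiteral(s, maxLen)
    SqlLiteral = "N'" & Replace(Left(s, maxLen), "'", "''") & "'"
End Function

Dim id, nameFilter, sql
id = ToSafeInt(Request.QueryString("id"))
nameFilter = Request.Form("name")

' Whitelist letters, digits, space, dot, hyphen and apostrophe (for names like
' O'Brien); % and _ are excluded so the user cannot inject LIKE wildcards.
If Not IsAllowed(nameFilter, 50, "[A-Za-z0-9 \.\-']") Then
    Response.Write "Name contains characters that are not allowed."
    Response.End
End If

sql = "SELECT Id, Name FROM dbo.Customers WHERE Id = " & id & _
      " AND Name LIKE " & SqlLiteral(nameFilter & "%", 51)
Response.Write Server.HTMLEncode(sql)   ' shown here instead of executed
%>
```

Rejecting on the whitelist before escaping is what keeps the two steps from fighting each other: the escape only has to handle characters the whitelist let through, and numeric values never pass through the string path at all.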

You can use a class implementing javax.servlet.Filter. This filter will intercept any request going to the servlet where your SQL code is written. Then, using a ServletRequestWrapper called in the doFilter() of the filter class, you can do the validation of the user input. The request.getParameter method in your servlet which takes the user input will be overridden by the getParameter of the ServletRequestWrapper. In this method you can encode all the special characters present in the user input. This is the most effective way to prevent SQL injection and XSS attacks.

Vivek Sharma