Re: [WEB SECURITY] Tip on preventing SQL injection attacks/column on biometrics
- From: Anurag Agarwal <a_agrawwal@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Tip on preventing SQL injection attacks/column on biometrics
- Date: Mon, 10 Apr 2006 17:00:24 -0700 (PDT)
Dain,
There are three things: parameterized query, dynamic query and then stored procedures. I understand what you are trying to convey here and again, as mentioned in the article, if the array strings you are passing as a parameter to the stored procedure are the input from the user then they should be validated (point 10: Sanitizing the input) using the validation technique mentioned at the bottom of the article. Though I have given an example in Java, I hope you can get some idea from that. Please also note that all the input needs to be validated irrespective of whether it goes as a parameterized query, dynamic SQL or to a stored procedure.
Hope that answers your question!!
regards
anurag
----- Original Message ----
From: dpw <dainw@fsr.com>
To: websecurity@webappsec.org
Sent: Monday, April 10, 2006 2:51:31 PM
Subject: RE: [WEB SECURITY] Tip on preventing SQL injection attacks/column on biometrics
Interesting - not being a java developer, I realize there's probably a
disconnect. We prefer (and rely on) "parameterized queries" here.
Being a simple unwashed heathen web-monkey, my term "parameterized query" is
probably not the right term...
What I refer to as "parameterized query" is the act of passing the stored
procedure parameters into the connection via an array, rather than as
strings.
...in a nutshell:
IDValue = Request("IDValue")
SQL = "Table_GetByID"
ParameterArray = Array(IDValue)
Set RS = Exec(SQL, ParameterArray)

Function Exec(StoredProcedure, ParameterArray)
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = GetConnectionString() 'defined elsewhere
    cmd.CommandText = StoredProcedure
    cmd.CommandType = 4 'adCmdStoredProc
    'The values travel in the parameter array, never in the SQL text
    Set Exec = cmd.Execute(, ParameterArray)
    'The recordset is returned open; the caller closes RS.ActiveConnection when done
    Set cmd = Nothing
End Function
Does anyone on this list have any feelings on whether or not this is a good
way to defeat SQL injection? This seems to defeat everything we've been able
to throw at it - though, we are not experts!
I would definitely appreciate your opinions on this.
Dain White
Senior Developer / Webmaster
First Step Internet - www.fsr.com
208-882-8869 ext. 440
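Dain asks whether passing the stored-procedure parameters as an array (rather than splicing them into SQL text) defeats injection, and Anurag's reply above adds that the values still need validating. The following is an added example, not code from the thread or from either article, showing both points in Python against an in-memory SQLite table constructed for the demo: a query built by string concatenation beside the same query with a bound parameter, and an allow-list check for a value (a sort column) that cannot be passed as a bound parameter at all. SQLite has no stored procedures, so the DB-API parameter tuple stands in for the ADODB parameter array; the users table, its rows, the sample inputs and the ALLOWED_SORT_COLUMNS set are assumptions made for the demo.

```python
# Added example, not code from the thread: a string-built query beside a
# parameterized one, plus allow-list validation for input that cannot be bound.
# The users table, its rows and ALLOWED_SORT_COLUMNS are constructed for the demo.
import sqlite3

# Identifiers (column names) cannot be bind parameters, so the only defence for
# them is validation against a fixed allow-list (assumed set for this demo).
ALLOWED_SORT_COLUMNS = {"id", "name"}


def make_db():
    """Create an in-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def get_by_id_dynamic(conn, id_value):
    """Vulnerable form: the request value is spliced into the SQL text, so the
    parser sees whatever the client sent (the Java Statement pattern)."""
    sql = "SELECT id, name FROM users WHERE id = " + str(id_value)
    return conn.execute(sql).fetchall()


def get_by_id_parameterized(conn, id_value):
    """Safe form: the SQL text is fixed and the value is bound separately, as the
    ADODB parameter array or a Java PreparedStatement does."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (id_value,)).fetchall()


def list_sorted(conn, sort_column):
    """A sort column is an identifier, not a value, so binding does not apply;
    reject anything outside the allow-list before it reaches the SQL text."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not allowed: %r" % sort_column)
    return conn.execute("SELECT id, name FROM users ORDER BY " + sort_column).fetchall()


def demo():
    """Run both query styles on a normal id and on a tampered one; return results."""
    conn = make_db()
    normal, tampered = "1", "1 OR 1=1"  # constructed inputs for the demo
    results = {
        "dynamic_normal": get_by_id_dynamic(conn, normal),
        "dynamic_tampered": get_by_id_dynamic(conn, tampered),      # returns every row
        "param_normal": get_by_id_parameterized(conn, normal),
        "param_tampered": get_by_id_parameterized(conn, tampered),  # no row matches
        "sorted_ok": list_sorted(conn, "name"),
    }
    try:
        list_sorted(conn, "name; DROP TABLE users")
        results["sort_rejected"] = False
    except ValueError:
        results["sort_rejected"] = True
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The bound parameter is compared as a value, so the tampered string simply matches no id; the concatenated version hands the same string to the SQL parser. The sort-column function is the case Anurag's caveat covers: no driver can bind an identifier, so validation against an allow-list is the only control left.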
-----Original Message-----
From: Davidson, Michelle [mailto:MDavidson@techtarget.com]
Sent: Monday, April 10, 2006 2:15 PM
To: dainw@fsr.com; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Tip on preventing SQL injection attacks/column on biometrics
I checked with the author on this, and here is what he said:
"I did cover it in my article, but it was more in terms of Java than ASP.
If you look at point 9 of the 10 steps I mentioned in the article. It talks
about using dynamic queries instead of static queries. Static queries are
also known as parameterized queries and in point 9 I am trying to convey the
same message. In Java parameterized queries are created by using Statement
object and dynamic queries are created using PreparedStatement object. So,
by avoiding Statement object, the developers are avoiding parameterized
queries."
Michelle
From: dpw [mailto:dainw@fsr.com]
Sent: Monday, April 10, 2006 1:23 PM
To: websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Tip on preventing SQL injection attacks/column on biometrics
This is a well thought out article - though it omits mention of
parameterized queries...
Does anyone on this list have information on why parameterized queries
wouldn't be recommended to mitigate risk of SQL injection?
Dain White
Senior Developer / Webmaster
dainw@fsr.com 208.882.8869 X440
-----Original Message-----
From: Davidson, Michelle [mailto:MDavidson@techtarget.com]
Sent: Monday, April 10, 2006 9:57 AM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Tip on preventing SQL injection attacks/column on biometrics
A frequent contributor to SearchAppSecurity.com -- Anurag Agarwal -- has
written a couple pieces you might be interested in.
Note: Free registration to SearchAppSecurity.com required.
SQL injection: Developers fight back
http://searchappsecurity.techtarget.com/tip/1,289483,sid92_gci1179106,00.html?Offer=WASC
Biometrics replacing passwords: Does authentication get better or worse?
http://searchappsecurity.techtarget.com/tip/1,289483,sid92_gci1179280,00.html?Offer=WASC
Michelle
Michelle Davidson
Editor
SearchAppSecurity.com
TechTarget
4025 Sea Grape Circle
Delray Beach, FL 33445
Phone: 561-302-1120
Fax: 561-496-1860
AIM: MicheDav910
TechTarget
The Most Targeted IT Media
www.techtarget.com
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/