SQL injections

New Here (Square Eye), Nov 02, 2007
Hello

Twice in two weeks our database has been hacked, we think (or are advised) via a SQL injection. The database handles a number of small websites, but one or two with a reasonable number of users. The hacking attempt seems designed to get users to download a JavaScript file and install a trojan on their machines.

I can't pretend to be a security expert or to have always written perfectly secure code. Although I generally understand the issues (and know to look for SELECT/INSERT/UPDATE/DELETE statements which allow users to submit variables), I have no idea how to find vulnerabilities quickly, since there are hundreds or thousands of pages across these multiple websites.

There do seem to be professional SQL injection scanning services out there but some require installation of software on the server (we can't, since we're on a shared server setup at our host), or cost far too much for us.

Can anyone recommend a free utility or a good technique for locating the problem?

Thanks if you can help!

Square Eye
TOPICS
Server side applications
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND (Murray), Nov 02, 2007
http://www.nyphp.org/phundamentals/email_header_injection.php

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
==================



New Here (Square Eye), Nov 02, 2007
Thanks Murray - I'll take a look at that - should have added though that it's a MS SQL database and our websites are all in ASP (unfashionable I know!)...
LEGEND (Murray), Nov 02, 2007
The concepts would be the same, though.


New Here (Square Eye), Nov 02, 2007
You're right - very helpful, having read it, thanks. I'm not sure how much log data I'll be able to get from our very unhelpful hosts though, but I'll try...
Guest, Nov 02, 2007
Take a look at scanalert.com

The service is kind of expensive, but having your domain names tested is free. Beware though: if you simulate a hack to inspect vulnerabilities, it will SQL-inject info into your database... harmless but annoying entries you will need to purge.
Guest, Nov 02, 2007
I feel like the bottom line is, if people really really want to hack into your system... they will find a way. If you provide enough obstacles to discourage and/or close up some of the obvious gaping holes, most people are safe because very few people are truly targeted... it's more or less geeks having random fun (as sad as that is).

Do daily backups of your database to a remote location / external drive.

LEGEND (Pat Shaw), Nov 03, 2007
Use Stored Procedures!!

LEGEND (Murray), Nov 04, 2007
How would that help?

"Pat Shaw" <pat@nomail.com> wrote in message
news:fgj72f$o7$1@forums.macromedia.com...
> Use Stored Procedures!!
LEGEND (Pat Shaw), Nov 04, 2007
They're much more secure for a number of reasons. Take a look at the
following:

http://aspalliance.com/385_Using_SQL_Server_Stored_Procedures_To_Prevent_SQL_Injection.1


"Murray *ACE*" <forums@HAHAgreat-web-sights.com> wrote in message
news:fgkcvg$gno$1@forums.macromedia.com...
> How would that help?
LEGEND (Micha), Nov 04, 2007
.oO(Pat Shaw)

>They're much more secure for a number of reasons. Take a look at the
>following:
>
> http://aspalliance.com/385_Using_SQL_Server_Stored_Procedures_To_Prevent_SQL_Injection.1

Even with stored procedures you should know what you're doing. They
might make it harder to shoot your own foot, but it's still possible.

But it doesn't necessarily have to be an SP to prevent SQL injection.
The example from the tutorial can also be accomplished with a simple
prepared statement.

Micha
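The point Micha makes above is that the stored procedure is not what stops the injection; binding the value as a parameter is, and a procedure that assembles dynamic SQL from its argument is as injectable as inline concatenation in the page. The script below is an added example, not code from this thread or from the linked tutorial. It uses Python's built-in sqlite3 module as a stand-in for MS SQL so that it runs offline, plain Python functions as stand-ins for stored procedure bodies (the T-SQL shapes in the docstrings are my assumed equivalents), and a constructed `users` table.

```python
import sqlite3

# Constructed sample table for the demonstration; not data from the thread.
USERS = [("alice", "s3cret", 1), ("bob", "hunter2", 0), ("carol", "pa55", 0)]

# The only thing the attacker controls: one form or query-string value.
PAYLOAD = "' OR '1'='1"


def fresh_db():
    """In-memory sqlite3 database standing in for the MS SQL server in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return db


def lookup_inline(db, name):
    """Inline concatenation, the pattern in the ASP pages under discussion.
    The value is spliced into the statement text, so quotes in it change the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def proc_dynamic(db, name):
    """Body of a 'stored procedure' that rebuilds SQL text from its argument.
    Assumed T-SQL counterpart:
        EXEC('SELECT name FROM users WHERE name = ''' + @name + '''')
    The caller bound @name correctly; the procedure throws that away."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def proc_parameterized(db, name):
    """Body of a 'stored procedure' whose argument only ever travels as a value.
    Assumed T-SQL counterpart: SELECT name FROM users WHERE name = @name
    (for unavoidable dynamic SQL, sp_executesql with a parameter list does the same)."""
    return [row[0] for row in db.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def call_proc(db, proc, name):
    """Application side of a procedure call: the argument is passed, never spliced.
    Whether that helps depends entirely on what the procedure body does with it."""
    return proc(db, name)


# Identifiers (column names, ORDER BY targets) cannot be bound as parameters;
# the safe way to let the user choose one is an allow-list, not escaping.
SORTABLE = {"name", "is_admin"}


def list_users(db, order_by):
    """Bound values where possible, allow-listed identifier for the part that cannot be bound."""
    if order_by not in SORTABLE:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    return [row[0] for row in db.execute(f"SELECT name FROM users ORDER BY {order_by}")]


if __name__ == "__main__":
    db = fresh_db()
    print("inline concat, payload  :", lookup_inline(db, PAYLOAD))                 # every row
    print("SP with dynamic SQL     :", call_proc(db, proc_dynamic, PAYLOAD))       # every row
    print("SP with bound parameter :", call_proc(db, proc_parameterized, PAYLOAD)) # []
    print("allow-listed ORDER BY   :", list_users(db, "name"))
```

Run it and the first two calls return every user for the tautology payload, even though the second one went "through a stored procedure"; only the version that binds the value returns nothing. That is the whole of the "stored procedures vs prepared statements" argument in the posts above: what matters is that user data is passed as a parameter at every step, and that the pieces which cannot be parameters (identifiers) are allow-listed.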
LEGEND (Murray), Nov 04, 2007
That's what I thought. The SP in itself doesn't have any effect on SQL
injection vulnerability....

LEGEND (Pat Shaw), Nov 05, 2007
Agreed. I didn't suggest they were the ultimate cure but they certainly help
when used correctly.

SPs should be the standard method anyway, certainly over embedded SQL. I do
appreciate that not every developer will have access to them though.


LEGEND (Micha), Nov 05, 2007
.oO(Pat Shaw)

>Agreed. I didn't suggest they were the ultimate cure but they certainly help
>when used correctly.

Agreed.

>SP's should be the standard method anyway, certainly over embedded SQL.

IMHO it depends. For more complex tasks SPs are certainly a good choice,
but for rather simple queries it would be too much work for me to set
them up.

Micha
LEGEND, Nov 05, 2007
I'm not sure what your background is Michael, but as a DBA and looking at
this from a DBA's perspective, the use of SPs wins every time. Just my view
:-)

LEGEND (Joris van Lier), Nov 05, 2007
"Michael Fesser" <netizen@gmx.de> wrote in message
news:5psri39rlu2ni510ithi3509thfuo7i2qk@4ax.com...
> .oO(Pat Shaw)

> The example from the tutorial can also be accomplished with a simple
> prepared statement.

Micha, can you give any examples of employing prepared statements in the PHP
MySQL server model?
I've seen the term used frequently in Windows-based DBMS drivers, and I'm
currently using the PHAkt server model, which employs a PHP abstraction library
that mimics ADO, but I've never heard of prepared statements in conjunction
with PHP MySQL. Now that I'm interested, I'm thinking of extending the
PHP_MySQL server model with a Command SB that would allow for type checking
in PHP MySQL.

regards

Joris

LEGEND (David Powers), Nov 05, 2007
Joris van Lier wrote:
> Micha, can you give any examples of employing prepared statements in the
> PHP MYsql servermodel?

Not Micha, but...

You cannot use prepared statements with the original PHP MySQL
extension. You need to use MySQL Improved (requires PHP 5 and MySQL 4.1)
or PDO (requires PHP 5.1).

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/
LEGEND (Micha), Nov 05, 2007
.oO(David Powers)

>Joris van Lier wrote:
>> Micha, can you give any examples of employing prepared statements in the
>> PHP MYsql servermodel?
>
>Not Micha, but...

You can explain some things better than I. ;)

Micha
LEGEND (Joris van Lier), Nov 05, 2007

"David Powers" <david@example.com> wrote in message
news:fgmura$s0s$1@forums.macromedia.com...
> Joris van Lier wrote:
>> Micha, can you give any examples of employing prepared statements in the
>> PHP MYsql servermodel?
>
> Not Micha, but...
>
> You cannot use prepared statements with the original PHP MySQL extension.
> You need to use MySQL Improved (requires PHP 5 and MySQL 4.1) or PDO
> (requires PHP 5.1).

Thanks for explaining that David,
I guess this is another reason for me to hold on to PHAkt (it supports both
MySQLi and PDO).

Joris
