SQL Injection Help


malhyp
11-08-2006, 10:31 AM
Hi there, I have created a site and I am told that I should protect myself against SQL Injection attacks. I have created the site using Dreamweaver and don't know if it creates code with this in mind. Can anyone suggest what to do?

Mally

davidj
11-08-2006, 11:18 AM
ok

sql injections work like this

here is a select statement

SELECT * FROM USER WHERE USER_ID='$ID'

Ok so as you can see from that statement $ID is a literal and is expecting some value from a field possibly called id

what if you key in that field dj's

the sql then looks like this

SELECT * FROM USER WHERE USER_ID='dj's'
NOTE the additional single quote
in the SQL, so dj becomes 'dj's' = 3 single quotes

if the ID field isn't validated against this then you will get a syntax error, as you would expect. For a hacker this is a good thing! He now knows that the door has been left open

let's take that example again but add some mischief
SELECT * FROM USER WHERE USER_ID='$ID'
in the ID field you could type
david' or like '%
as you can see from the example I am closing the quote in the SQL string by adding my own after david', then I am free to inject my own SQL command inside the original, then close the last quote at '% because I know that the SQL in the script will finish the quote off for me
what about this then
SELECT * FROM USER WHERE USER_ID='\''; DROP TABLE USER
I have to guess the name of the table I am targeting, but in this case it didn't take long. Just use a
SELECT count (*) as count from [GUESS TABLE]
as an injection.

If you get a value back or don't get an error you guessed correctly and you now know the table name! Ideal if you want to perform some drop table comedy

Don't be obvious with your naming conventions and always check and validate field data before parsing it through a SQL statement
Also use add_slashes (although this is not a security headache tablet!!!)

malhyp
11-13-2006, 10:00 AM
Ok I think I understand. As an example, should I say that the following code created by Dreamweaver is safe from SQL injection?

<%
Dim rsSupplierDetails
Dim rsSupplierDetails_numRows
Set rsSupplierDetails = Server.CreateObject("ADODB.Recordset")
rsSupplierDetails.ActiveConnection = MM_conn_STRING
rsSupplierDetails.Source = "SELECT * FROM Query1 WHERE SupplierName = '" + Replace(rsSupplierDetails__MMColParam, "'", "''") + "'"
rsSupplierDetails.CursorType = 0
rsSupplierDetails.CursorLocation = 2
rsSupplierDetails.LockType = 1
rsSupplierDetails.Open()
rsSupplierDetails_numRows = 0
%>

Cheers
Mally
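As an added example (not code from this thread or from Dreamweaver), here are the three approaches side by side in Python with sqlite3: the raw concatenation davidj describes, the quote-doubling that the Dreamweaver snippet does with Replace(..., "'", "''"), and a parameterized query. The table name Query1 and column SupplierName come from the snippet above; the sample rows and the helper names are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the thread's "Query1" source.
SUPPLIERS = [("Acme Ltd",), ("O'Neil Supplies",), ("Dave's Bolts",)]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Query1 (SupplierName TEXT)")
    conn.executemany("INSERT INTO Query1 VALUES (?)", SUPPLIERS)
    return conn


def naive_sql(name):
    # The pattern from davidj's explanation: the field value is pasted
    # straight into the statement, so a stray quote changes the SQL.
    return "SELECT * FROM Query1 WHERE SupplierName = '" + name + "'"


def escaped_sql(name):
    # The Dreamweaver snippet's Replace(param, "'", "''"): doubling a quote
    # inside a quoted string literal makes it a literal quote again.
    # Caveat: this only helps inside quoted literals; an unquoted numeric
    # field (WHERE Id = <value>) gains nothing from it.
    return ("SELECT * FROM Query1 WHERE SupplierName = '"
            + name.replace("'", "''") + "'")


def run_naive(name):
    # Returns None on a syntax error, the "door left open" signal.
    try:
        return _db().execute(naive_sql(name)).fetchall()
    except sqlite3.OperationalError:
        return None


def run_escaped(name):
    return _db().execute(escaped_sql(name)).fetchall()


def run_parameterized(name):
    # Preferred fix: the driver sends the value separately from the SQL
    # text, so quotes in the input never reach the SQL parser.
    return _db().execute(
        "SELECT * FROM Query1 WHERE SupplierName = ?", (name,)).fetchall()


if __name__ == "__main__":
    for n in ("O'Neil Supplies", "david' or like '%"):
        print(repr(n), run_naive(n), run_escaped(n), run_parameterized(n))
```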

davidj
11-13-2006, 10:14 AM
if you're using MySQL it appears (I may be wrong) that nested SQL is illegal anyway and will fail, but in other DBs it's allowed

malhyp
11-13-2006, 10:03 PM
Hey there David, and thanks for the information above, it is helping me to understand it a little better. Still not 100% but getting there. I believe that I am using Transact SQL.

Thanks again.

Mally
:)

Torgut
04-24-2007, 09:38 AM
Hello !

My server was assaulted and I was told by the assisting technician that most likely code generated by Dreamweaver 8 was the origin of the exploitation. I was astonished and ran a Google search only to find that in fact earlier releases of DW generated vulnerable code. I downloaded the fixer (8.0.2) and now my question is:

What exactly should I do to fix the code? I'm no coder at all, just a simple stupid designer. Is it enough to open the files, open Recordset dialog box, close it and save the file?

Thank you in advance !

davidj
04-24-2007, 10:10 AM
hi mate

I'm sorry, but unless you know what is and isn't a security hole then you're stuck

I like Dreamweaver but use it as an expensive notepad where I hand code everything (apart from HTML where I just can't be bothered).

These wizards that produce code are very dangerous. How can you debug security holes when you don't understand the code you're trying to fix? It's like asking a hairdresser to clear a minefield.

I have never heard of that patch and wouldn't trust it anyway.

Torgut
04-24-2007, 11:24 AM
What you are telling me is that practically all webservers in the world are wide open, as Dreamweaver is by far the most popular tool for webdesign and I doubt there is a single hosting server which doesn't host a site built with these wizards. This kind of wide logic is hard to swallow. But I have the feeling that from this point on this conversation will be useless.

You see danger here; I, assuming that no exploits were found in DW code generation besides the one which we are talking about, don't.

If one Googles "Dreamweaver SQL Injection" this fix will be shown in the first ten or so entries. Not some kind of obscure and unknown improvement.

My initial question remains though. Just wanna know how to update the initial code with the new code: opening the Recordset box and saving the file afterwards...? If someone knows....?

davidj
04-24-2007, 11:43 AM
> What you are telling me is that practically all webservers in the world are wide open as Dreamweaver is by far the most popular tool for webdesign and I doubt there is a single hosting server which doesn't host a site built with these wizards.

the web servers aren't at fault, it's bad code which produces the security holes and it's bad code that hackers look for, as it's easier than trying to hack servers

and if you can't tell the difference between badly written code then you're walking down a path which leads to court action if you write something that affects someone's financial interests.

if a client came along... say a bank! who wants an ebanking solution, would you turn it down because Dreamweaver doesn't have an extension for that or would you take the job anyway?

domedia
04-24-2007, 02:22 PM
> My initial question remains though. Just wanna know how to update initial code with the new code: opening the Recordset box and save the file afterwards...? if someone knows.... ?

As far as I know you have to update DW, and then recreate the code used in order for DW to generate the correct code.

Torgut
04-24-2007, 03:37 PM
David, I was only mentioning that any server in this world is automatically compromised, according to your point of view, as you will find websites built with DW wizards in any of those boxes.

Yes, I would turn down that customer. Can't play all the orchestra at the same time.

Domedia... DW is updated. I don't see any option like "Recreate" or "Update" code. It's hard to believe that one has to actually rebuild everything. I noticed though that if one opens the recordset, the SAVE file function becomes available, showing that the code was changed.

Still looking for the right procedure to get updated code after installing DW 8.0.2 patch.

domedia
04-24-2007, 03:46 PM
> I noticed though that if one opens the recordset, the function SAVE file becomes available, showing that code was changed.

That might be it, sounds like DW automatically fixed your code 8)

davidj
04-25-2007, 07:25 AM
> Yes, I would turn it down that customer. Can't play all the orchestra at the same time.


I wouldn't use the word orchestra and drag-n-drop code in the same sentence really...

since we are using an orchestral metaphor, let me give you a visual idea of what I'm on about using musical tools to highlight my point...

pic 1 is me

pic 2 is you

davidj
04-25-2007, 07:39 AM
addition...

> That might be it, sounds like DW automatically fixed your code

yeah right!

pic1 = this is how Dreamweaver did this scientifically

pic2 = the code is still shite

domedia
04-25-2007, 02:25 PM
But still answered the original question (maybe).

davidj
04-25-2007, 02:38 PM
maybe isn't an answer

it's an excuse that you don't know the true answer to the question

domedia
04-25-2007, 03:57 PM
I'm just trying to help people out, and I think this might help the OP but we'll wait and see (thus the 'maybe')