CROSS POSTED: SQL INJECTION MEASURES
Shippwreck wrote: ...I find that SQL Injection is one of those things that everyone agrees poses a major security risk, but if I ask the question what techniques to use to combat it, or what are the key/most common things to look out for in your coding that leave you wide open, the room goes eerily quiet...
Well, here's what I do...
The ContainsSQL function below accepts a string value and checks for a ';' character (the separator required for SQL stuffing) outside of string delimiters.
Let's say your script uses a variable as a modifier for an SQL command. The variable is collected from the request string and is called "Variable", so to get the value in code you'd call request("Variable"). Your code might look like this:
Code:
sqlq = "select * from '"& request("Variable") &"'"
sql.execute(sqlq)
A black hat might fill in the Variable field with "A Variable.';[sql exploit here]". The SQL injection would mean that the SQL statement you executed would read like this:
Code:
select * from 'A Variable.';[sql exploit here]
because the ';' begins a new statement in the SQL parser.
To check this you'd call the function from your (ASP) code like this:
Code:
<%
if object.ContainsSQL(CSTR(Request("Variable"))) then
response.write "<h2>Thank you.</h2>"
response.write "Your IP address has been logged.<br>"
response.write "Please step away from the computer,<br>"
response.write "place your hands behind your head<br>"
response.write "and await the arrival of a local law<br>"
response.write "enforcement official."
end if
%>
The function
Code:
Private Function ContainsSQL(tValue As String) As Boolean
    ' Returns True when tValue contains a ';' outside of string
    ' delimiters ('), i.e. one that would end the statement and let a
    ' second statement be stuffed onto it.
    ' ClearError, StringsCls, mError and SendTrace are helpers from the
    ' author's own module: CountInString counts occurrences of a
    ' substring, OddEven returns 0 for an even count.
    Dim l, n
    ClearError
    On Error GoTo 10
    ContainsSQL = False
    l = 1
    For n = 1 To StringsCls.CountInString(tValue, ";")
        l = InStr(l, tValue, ";")
        ' An even number of quotes before this ';' means it sits outside a literal
        If StringsCls.OddEven(StringsCls.CountInString(Left(tValue, l), "'")) = 0 Then
            ContainsSQL = True
            Exit Function
        End If
        l = l + 1
    Next
10:
    If Err.Number <> 0 Then
        mError.Number = Err.Number
        mError.Description = Err.Description
        SendTrace "ContainsSQL", "Error #" & Err.Number & ": " & Err.Description
    End If
End Function
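The same check in Python, as an added example that is not part of the original post: contains_sql is a port of ContainsSQL applied to the assembled statement (so the surrounding literal's own quotes are counted, as the function's comment about "the statement" calls for), build_query repeats the page's concatenation, and lookup_ids shows the bound-parameter form in which the request value reaches the database as data only. Run on the bare request value, only the attacker's own quote is seen and the parity comes out odd, so the statement-level call is the one that flags the page's example. The items table, its rows and the sqlite3 backend are constructed for the demonstration.

```python
import sqlite3

# Constructed sample input: the page's own example of a stuffed value.
PAYLOAD = "A Variable.';[sql exploit here]"


def build_query(value: str) -> str:
    """Concatenation exactly as the page's ASP line does it (unsafe)."""
    return "select * from '" + value + "'"


def contains_sql(statement: str) -> bool:
    """Port of the page's ContainsSQL: True when a ';' sits outside
    single-quoted literals.  For each ';' the single quotes to its left
    are counted; an even count means the ';' is not inside a literal and
    would end the statement (the "SQL stuffing" case)."""
    for i, ch in enumerate(statement):
        if ch == ";" and statement[:i].count("'") % 2 == 0:
            return True
    return False


def open_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; one name is the payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items (name) VALUES (?)",
                     [("widget",), (PAYLOAD,)])
    return conn


def lookup_ids(conn: sqlite3.Connection, user_value: str) -> list:
    """Bound parameter: the driver hands user_value to SQLite as data, so
    the quote and ';' in it never reach the SQL parser and nothing can be
    stuffed onto the statement."""
    cur = conn.execute("SELECT id FROM items WHERE name = ?", (user_value,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    print(contains_sql(build_query(PAYLOAD)))   # True: ';' after 2 quotes
    print(contains_sql(PAYLOAD))                # False: bare value, 1 quote
    print(contains_sql(build_query("a;b")))     # False: ';' inside literal
    print(lookup_ids(open_demo_db(), PAYLOAD))  # [2]: matched as plain data
```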
Original Tutorial by
ntsa for TheTAZZone-TAZForum
Originally posted on March 8th, 2006.
Do not use or republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.

