Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
harrisa
Starting Member
4 Posts
Posted - 2009-09-17 : 17:22:33
Hello, I've been trying to fix all of our injectable ASP code by using the code you've posted on this page. I am not assigning the recordset to an array because of the workload. What I'm noticing is a lot of problems using the returned recordset. For example, I cannot move back and forth through it by .MoveFirst. Basically I've changed something like this:

    ' Original: the item id is used when building the SQL text (injectable)
    Set rsCat = Server.CreateObject("ADODB.Recordset")
    iItemID = Request.QueryString("item")
    SQLCat = "SELECT * FROM Catalog"
    rsCat.Open SQLCat, Conn, adOpenKeyset, adLockOptimistic

To something like this:

    ' Parameterized version: the item id is bound as a parameter, not spliced into the SQL
    Set objDBCommand = Server.CreateObject("ADODB.Command")
    Set objDBCommand.ActiveConnection = Conn
    objDBCommand.CommandText = "SELECT * FROM Catalog WHERE CurrentAvail=1 AND ProductNum=?"
    objDBCommand.CommandType = 1                        ' adCmdText
    Set objDBParam = objDBCommand.CreateParameter("@ProductNum", 200, 1, 50)   ' adVarChar, adParamInput, size 50
    objDBCommand.Parameters.Append objDBParam
    objDBCommand.Parameters("@ProductNum") = iItemID
    Set objDBParam = Nothing
    Set rsCat = objDBCommand.Execute

Unfortunately much of the code to follow that does various things with the recordset does not work when using the parameterized query. Thoughts?

Thanks
harrisa
Starting Member
4 Posts
Posted - 2009-09-18 : 10:41:20
Anyone?
TG
Master Smack Fu Yak Hacker
6065 Posts
Posted - 2009-09-18 : 11:12:11
I'm not sure why you have different functionality after you get back your result set depending on whether you used a parameterized query or not. That doesn't make sense to me. But in my opinion, if you're concerned about SQL injection then you should not execute (inline) SQL statements that you construct based on user input, but rather call parameterized stored procedures (that don't use dynamic SQL). That way, no matter what the user types into your application field, the text can't be used as an independent SQL statement.

Be One with the Optimizer
TG
harrisa
Starting Member
4 Posts
Posted - 2009-09-18 : 11:37:05
Thank you! I was under the impression that what I did was completely preventing injection. Please explain. Are you saying that what I am doing is not immune to injection? All of my research pointed to that as being a secure way to do the query. I also tested the code before and after with injection testing software, and it came up with tons of red flags before and none after?

The particular error I am getting a lot is when the code attempts to do a MoveLast, then MoveFirst, etc. on the recordset. This causes errors such as "row position cannot be changed", etc. I'm wondering if there is a way I can open the recordset up using this supposedly safe method, but leave all the code acting on the recordset the same so that I don't have to change a whole bunch of code.

Thanks
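The following is an added example, not code from the original thread or from either poster, that addresses both the navigation errors in harrisa's posts and TG's stored-procedure suggestion. ADO's Command.Execute always returns the default cursor, which is forward-only and read-only, so MoveLast/MoveFirst on it fails regardless of whether the query is parameterized; the parameterization itself is not what broke the navigation. Opening a Recordset with the Command object as its source lets you keep a keyset cursor with optimistic locking, exactly as the original rsCat.Open call did, while the product number still travels as bound data rather than SQL text. Conn, Catalog, CurrentAvail, ProductNum, iItemID and rsCat are taken from the thread; the helper name OpenCatalogItem, the stored procedure dbo.GetCatalogItem and the 50-character limit on the product number are assumptions for illustration.

```vbscript
' ADO constants (adovbs.inc values), spelled out so the page runs without the include
Const adCmdText = 1
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1
Const adOpenKeyset = 1
Const adLockOptimistic = 3

' Returns a scrollable recordset for one catalog item. productNum is bound as a
' parameter, so whatever the user typed is sent to SQL Server as a value and is
' never parsed as part of the statement. useProc = True calls the (assumed)
' stored procedure dbo.GetCatalogItem, which is TG's recommendation; False runs
' the inline parameterized SELECT from harrisa's post.
Function OpenCatalogItem(Conn, productNum, useProc)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    ' "Set" matters here: without it VBScript assigns Conn's default property
    ' (the connection string) and ADO silently opens a second connection.
    Set cmd.ActiveConnection = Conn

    If useProc Then
        ' Assumed definition on the server:
        '   CREATE PROCEDURE dbo.GetCatalogItem @ProductNum varchar(50) AS
        '   SELECT * FROM Catalog WHERE CurrentAvail = 1 AND ProductNum = @ProductNum
        cmd.CommandText = "dbo.GetCatalogItem"
        cmd.CommandType = adCmdStoredProc
    Else
        cmd.CommandText = "SELECT * FROM Catalog WHERE CurrentAvail=1 AND ProductNum=?"
        cmd.CommandType = adCmdText
    End If
    ' Size 50 must match the column/parameter width; CreateParameter takes the value directly
    cmd.Parameters.Append cmd.CreateParameter("@ProductNum", adVarChar, adParamInput, 50, productNum)

    ' cmd.Execute would return ADO's default forward-only, read-only cursor, which is
    ' why MoveLast/MoveFirst raise "row position cannot be changed" afterwards.
    ' Opening a Recordset with the Command as its source lets us pick the cursor.
    ' The ActiveConnection argument is left empty because the Command already has one;
    ' supplying it again raises an error.
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open cmd, , adOpenKeyset, adLockOptimistic
    Set OpenCatalogItem = rs
End Function

' Page code: everything downstream that already works on rsCat can stay as it was.
Dim iItemID, rsCat
iItemID = Request.QueryString("item")
' Reject input that cannot fit the declared parameter instead of letting ADO truncate it
If Len(iItemID) = 0 Or Len(iItemID) > 50 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set rsCat = OpenCatalogItem(Conn, iItemID, False)
If Not rsCat.EOF Then
    rsCat.MoveLast      ' now allowed: keyset cursor supports backward movement
    rsCat.MoveFirst
    ' ... existing code that walks rsCat ...
End If
rsCat.Close
Set rsCat = Nothing
```

One check worth making after the change: the parameter type and size should match the column (an integer ProductNum column would want adInteger rather than adVarChar), otherwise SQL Server may apply an implicit conversion that defeats the index even though the query is no longer injectable.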
TG
Master Smack Fu Yak Hacker
6065 Posts