
I'm not experienced with these sorts of things, so I would just like to ask: if I were to use the code below, will I be safe from MS SQL injection attacks / anything like that?

' OPEN DATABASE
Dim objConn, objRS, strQuery

' ADO constants used below (from adovbs.inc): adVarChar = 200, adParamInput = 1
Const adVarChar = 200
Const adParamInput = 1

' Note: this object is an ADODB.Command, not a Connection; assigning a connection
' string to ActiveConnection makes ADO open a connection for it implicitly.
Set objConn = Server.CreateObject("ADODB.Command")
objConn.ActiveConnection = "Driver={SQL Server};Server=MSSQLSrv;Database=DbTest;UID=blablabala;PWD=blablabala"

strQuery = "SELECT USERNAME,PASSWORD from CUSTOMERS where EMAIL=?"
objConn.CommandText = strQuery
' The Parameters collection is empty until a parameter is appended for the ? placeholder;
' the query-string value is bound as data rather than spliced into the SQL text.
objConn.Parameters.Append objConn.CreateParameter("email", adVarChar, adParamInput, 255, Request.QueryString("email"))
' Command.Execute takes (RecordsAffected, Parameters, Options), not the SQL text
Set objRS = objConn.Execute

1 Answer


By using parameterisation, you protect from SQL injection.

But you don't protect from cross site scripting attacks.

Additionally, you should hash your users' passwords in the database, and check for a match against the hash, rather than storing them in plain text.

Nor, by allowing the website to do a select against the customers table, is your data particularly secure. If your webserver is compromised, so is your data. One way of reducing this vulnerability is by using stored procedures rather than raw SQL in your code.

( And for your sanity and future employability, you might want to move away from classic ASP to .Net :) )

  • I'm inferring the user/pwd was for demonstration, but if not, even storing a hash in the database implies the ability to *reconnect* to the database to check the hash. So, a valid username/password local to the application (perhaps stored in an encrypted config file) will still be necessary... – David W Aug 21 '12 at 15:30
  • Funny, I was just reading about the hash stuff! But I will ask another question re: that. Can you tell me where I can find more info on how to protect from cross-site scripting attacks in asp-classic? – msvuze Aug 21 '12 at 15:32
  • @DavidW I was referring to the user/password in the SQL, not the connection – podiluska Aug 21 '12 at 15:32
  • @user1612407 http://stackoverflow.com/questions/725875/anti-xss-and-classic-asp (see also, move to ASP.net, which is better for this kind of thing :) ) – podiluska Aug 21 '12 at 15:33
  • @podiluska Ooh, this is for the output, if someone were to store in my field, for example, an email address that is not really an email address but JavaScript or something like that. GOT IT. THANKS! – msvuze Aug 21 '12 at 15:35
  • @podiluska LOL I was so busy looking at the connection I didn't bother to notice what he was returning in the query. DOH on me :) – David W Aug 21 '12 at 15:39
  • I would make the suggestion to @user1612407: read this article and digest it http://crackstation.net/hashing-security.htm – Robert Kaucher Aug 21 '12 at 15:40
  • @DavidW How can I secure the connection string in asp-classic? I tried to Google it, but I cannot find anything that is easy for me to understand or add without moving to a different language. Or can I store it in the web.config file and then somehow call it from asp-classic? Thank you. – msvuze Aug 21 '12 at 16:16
  • @user1612407 Classic ASP doesn't really have much in the way of native security/protection for connection strings, which was one of its base shortcomings when they sat down to design ASP.NET. If you can't move to the .NET platform, you might have to look at rolling your own (or adapting some existing) encryption tools, because you really don't want plain passwords hanging around :) – David W Aug 21 '12 at 16:29
  • @DavidW Yeah, I cannot move to .NET. I will look for some encryption tools for the connection and I will update this page if I find any. Thanks so much for all of your help. – msvuze Aug 21 '12 at 16:39
  • @podiluska I will accept your answer. Thank you so much for all of your help with my question; it looks like you know a lot about this, and I would like to ask you if you can please show me an example, using my example, of how to use the stored procedure(s) rather than raw SQL code. Thanks again for everything. – msvuze Aug 21 '12 at 16:42
  • @user1612407 This looks like a fairly decent example http://classical-asp.blogspot.co.uk/2010/08/executing-store-procedure-sp-in-asp_18.html – podiluska Aug 21 '12 at 17:39
  • @podiluska Excellent Thank you so much for all of this! :) – msvuze Aug 21 '12 at 18:01
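The hardened version of the lookup that the answer and the follow-up comments describe, written here as an added example for this page (it is not podiluska's code and not taken from the linked blog post). It assumes a stored procedure dbo.GetCustomerByEmail, a PASSWORDHASH column in place of the plain PASSWORD column, a SQL login named webapp, and a connection string kept in an Application variable populated from global.asa; none of these appear in the question's code.

```vbscript
<%
' Added example: parameterised stored-procedure call with HTML-encoded output.
' Assumed (not shown on the page): the procedure below exists and the login
' "webapp" used by the site has EXECUTE on it but no SELECT on dbo.CUSTOMERS.
'
'   CREATE PROCEDURE dbo.GetCustomerByEmail @Email NVARCHAR(255) AS
'   BEGIN
'       SET NOCOUNT ON;
'       SELECT USERNAME, PASSWORDHASH FROM dbo.CUSTOMERS WHERE EMAIL = @Email;
'   END
'   GO
'   GRANT EXECUTE ON dbo.GetCustomerByEmail TO webapp;
'   -- deliberately no GRANT SELECT ON dbo.CUSTOMERS TO webapp
Option Explicit

' ADO constants (adovbs.inc is not included, so the ones used are defined here)
Const adCmdStoredProc = 4
Const adParamInput = 1
Const adVarWChar = 202

Dim objConn, objCmd, objRS, strEmail

strEmail = Request.QueryString("email")

' Vulnerable pattern this example replaces (never do this):
'   "SELECT USERNAME,PASSWORD FROM CUSTOMERS WHERE EMAIL='" & strEmail & "'"
' With that string, ?email=x'+OR+1=1-- returns every row.

Set objConn = Server.CreateObject("ADODB.Connection")
' Assumed convention: connection string set once in global.asa
' (Application("DbConnectionString") = "...") rather than typed into each page.
' It is still plaintext on the server; classic ASP has no protected store for it.
objConn.Open Application("DbConnectionString")

Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = adCmdStoredProc
objCmd.CommandText = "dbo.GetCustomerByEmail"

' The value is bound as data and never becomes part of the SQL text, so
' x' OR 1=1-- is simply an e-mail address that matches no row.
objCmd.Parameters.Append objCmd.CreateParameter("@Email", adVarWChar, adParamInput, 255, strEmail)

Set objRS = objCmd.Execute

If objRS.EOF Then
    Response.Write "<p>No customer with that e-mail address.</p>"
Else
    ' Encode on output: a stored "username" of <script>...</script> is rendered
    ' as text instead of executing in the visitor's browser. The & "" coerces a
    ' NULL column to an empty string, which Server.HTMLEncode would otherwise reject.
    Response.Write "<p>Username: " & Server.HTMLEncode(objRS("USERNAME") & "") & "</p>"
    ' PASSWORDHASH is never written to the page. It exists only so a login
    ' handler can compare it with a hash of a submitted password.
End If

objRS.Close
objConn.Close
Set objRS = Nothing
Set objCmd = Nothing
Set objConn = Nothing
%>
```

Two points follow from the way this is set up. First, the EXECUTE-only grant is what gives the stored procedure its value against a compromised web server: the credentials in the connection string can call dbo.GetCustomerByEmail one address at a time but cannot run an arbitrary SELECT, UPDATE or xp_cmdshell against the database. Second, the hash comparison is left to a login handler because classic ASP ships no hashing function of its own; as the comments above note, that part needs a separate component, and the salted, slow hashing scheme from the crackstation article should be produced there, not with a fast hash inside the procedure.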