
Is it possible to prevent parameter tampering by using parameterized queries in classic ASP? If not, what is the proper way to prevent it?

Thank you.


1 Answer


Assuming that you are using ADODB to make your SQL queries you could parametrize them like so:

<%
    ' ADO constants normally come from adovbs.inc (or a METADATA typelib reference)
    Const adCmdText = 1
    Const adInteger = 3
    Const adParamInput = 1

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "some connection string"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT * FROM some_table WHERE id = ?"
    cmd.CommandType = adCmdText
    ' CreateParameter(Name, Type, Direction, Size, Value): the value is the
    ' fifth argument, so the Size slot is left empty here
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , Request("id"))

    Set rs = cmd.Execute
    ' ... work with rs here
%>

In this example the id parameter in the query is parametrized as it is coming from user input (request("id")).

Darin Dimitrov
  • Does that mean that the parameter tampering attack has been prevented? – Grigoris Papoutsis May 07 '16 at 13:01
    I am not sure what `parameter tampering attack` means in this context. The purpose of parametrized queries is to protect you against SQL injection which usually could be achieved when user input is directly used without sanitizing. Parametrized queries will ensure that the user input will be properly sanitized before sending to the database engine. – Darin Dimitrov May 07 '16 at 13:08
  • @GrigorisPapoutsis user will still be able to send malicious contents e.g. [XSS attack](https://en.wikipedia.org/wiki/Cross-site_scripting) - to prevent those, you'll have to actually check the contents of the input, or to make sure you sanitize it when displaying. – Shadow The GPT Wizard May 08 '16 at 12:32
  • OK, I think I got it now. Thanks a lot guys. – Grigoris Papoutsis May 09 '16 at 08:21
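Building on the answer and the comments, here is an added example (not part of the original post) that combines the parameterized query with the input check and output encoding the comments mention. The `documents` table and its columns, `Application("ConnectionString")` and `Session("UserId")` are assumptions.

```vbscript
<%
Option Explicit
' Added example, not from the answer above. Table/column names,
' Application("ConnectionString") and Session("UserId") are assumptions.

' ADO constants, normally supplied by adovbs.inc
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' 1. Validate the shape of the input before it reaches ADO. Binding a
'    parameter stops the value being parsed as SQL, but it does not reject
'    "abc", "-1" or an id that belongs to another user.
Dim rawId, id, re
Set re = New RegExp
re.Pattern = "^[1-9]\d{0,8}$"   ' a positive integer of at most nine digits
rawId = Request.QueryString("id")
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
id = CLng(rawId)

' 2. Bind the value as a typed parameter; it never becomes SQL text.
'    Scoping the row to the logged-in user is what actually stops a
'    tampered id from returning someone else's record.
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnectionString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT id, title FROM documents WHERE id = ? AND owner_id = ?"
cmd.CommandType = adCmdText
' CreateParameter(Name, Type, Direction, Size, Value)
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , id)
cmd.Parameters.Append cmd.CreateParameter("@owner", adInteger, adParamInput, , CLng(Session("UserId")))

Set rs = cmd.Execute
If rs.EOF Then
    Response.Status = "404 Not Found"
Else
    ' 3. Encode on output so stored content is shown as text, not markup.
    Response.Write "<h1>" & Server.HTMLEncode(rs("title")) & "</h1>"
End If
rs.Close : conn.Close
%>
```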