Cannot get classic ASP parameterized queries working when using Symmetric key encryption

Question

I have the key and certificate setup ok on the database and I can encrypt ok when entering queries directly using HeidiSQL. But the problem I am having is getting this to work using classic asp. I have setup a simple table for testing which contains an auto increment identity column and a var binary max column for holding the encrypted data.

Here is my code:

chtest.commandtext="OPEN SYMMETRIC KEY SymmetricKey DECRYPTION BY CERTIFICATE [Certificate];"

set rschtest = chtest.execute

chtest.commandtext="INSERT into thetable(thevalue) values(?)"

chtest.Parameters.Append chtest.CreateParameter ("@thevalue", adVarBinary, adParamInput,8000, "EncryptByKey(Key_GUID('SymmetricKey'), 'some text here')"  )

set rschtest = chtest.execute

This seems to work as binary data gets entered into the table but when decrypting it directly on the server then it just shows 'Null'.

Doing these queries directly on the server does work, for example:

OPEN SYMMETRIC KEY SymmetricKey DECRYPTION BY CERTIFICATE Certificate
INSERT INTO thetable (thevalue) VALUES (EncryptByKey(Key_GUID('SymmetricKey'), 'some text here'))

and then...

OPEN SYMMETRIC KEY SymmetricKey DECRYPTION BY CERTIFICATE [Certificate]
SELECT CONVERT(varchar, DecryptByKey(thevalue)) AS thevalue FROM thetable

works and shows the correct decrypted value.

I think the problem when using the classic asp method is something to do with having to insert the encrypted string into the varbinary as a varchar? Or something like this.

Also, if I don't use parameterized queries then everything works ok but obviously I want to use prepared queries for security.

Note this this is a legacy application so I have to use classic asp.

Any help appreciated.

Answer 1

You need a bit of restructuring of the ADODB.Command at the moment the .CreateParameter() call makes no sense. You should always pass the base data type of a value through parameters any manipulation afterwards (in this case by EncryptByKey()) should be done inside the query defined by CommandText.

Dim sql: sql = ""

sql = sql & "OPEN SYMMETRIC KEY SymmetricKey DECRYPTION BY CERTIFICATE [Certificate]" & vbCrLf
sql = sql & "INSERT INTO thetable (thevalue) VALUES (EncryptByKey(Key_GUID('SymmetricKey'), ?))"

With chtest
  .ActiveConnection = your_connection_string
  .CommandText = sql
  .CommandType = adCmdText
  Call .Parameters.Append(.CreateParameter("@thevalue", adVarChar, adParamInput, 8000, "some text here")

  'As you are doing an INSERT use adExecuteNoRecords to cut down on processing 
  'and improve performance.
  Set rschtest = chtest.Execute(, , adExecuteNoRecords)
End With

You will notice that I've changed

.CreateParameter ("@thevalue", adVarBinary, adParamInput,8000, "EncryptByKey(Key_GUID('SymmetricKey'), 'some text here')"  )

to

.CreateParameter("@thevalue", adVarChar, adParamInput, 8000, "some text here")

This is because when you are manipulating a base value in this case the string 'some text here' any manipulation of it needs to be done outside of passing the base value. That is why the .CommandText now contains EncryptByKey(Key_GUID('SymmetricKey'), ?) so only the base value is passed via the Parameter collection during execution.