
Setting my var:

Foo = request("Bar") 

Building SQL Query:

John.Source = "SELECT ID, Name FROM dbo.USER where Name = '"&Foo&"' and ID = '1'" 

I found this in someone's project; does this open the door for SQLi?

  • From where are you requesting Foo? Commented May 7, 2013 at 13:34
  • It is if "Bar" is exposed to outer world (obtains its value from user input, some other system etc). E.g. Bar = x'; delete from dbo.USER; commit -- Commented May 7, 2013 at 13:43
  • You should use a parameterized query to your database, much safer Commented May 7, 2013 at 13:55
  • @Christian it doesn't matter actually Commented May 12, 2013 at 7:02

2 Answers

5

Absolutely. request("Bar") will take parameters off the Request.QueryString or the Request.Form collection.

This means that you can in theory tag the following onto the querystring:

'; delete * from dbo.USER; select * from user where name=' 

Which will give you a query of

SELECT ID, Name FROM dbo.USER where Name = ''; delete * from dbo.USER; select * from user where name='' and ID = '1' 

As one of the commenters said, use parameterized queries instead.

If this really isn't an option then be sure to escape values obtained from the Request collection. This link may help: http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx


1

Yes it is. You need to sanitise the value before inserting it into the query like that. Or use parameterised queries, which is a safer option.
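As an added example (not code from the question or from either answer), here is the same lookup rewritten for classic ASP with an ADODB.Command and a bound parameter, the approach both answers recommend. It assumes an open ADODB.Connection named conn and that dbo.USER.Name is a varchar(50); both are placeholders to adjust to the real page and schema.

```vbscript
<%
' Added example, not from the original question or answers.
' Assumptions (hypothetical): an open ADODB.Connection named conn already
' exists, and dbo.USER.Name is varchar(50).
Option Explicit

' ADO constants (normally from adovbs.inc), spelled out so the page runs
' without the include file.
Const adCmdText    = 1
Const adVarChar    = 200
Const adParamInput = 1

Dim Foo, cmd, rs
Foo = Request("Bar")

' --- Vulnerable form from the question, kept only for comparison ---
' John.Source = "SELECT ID, Name FROM dbo.USER where Name = '"&Foo&"' and ID = '1'"
' Any quote character inside Foo changes the SQL statement itself.

' --- Parameterized form ---
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholder is bound by the driver, so Foo is sent purely as data.
' ID = '1' is a fixed literal here and can stay inline; any other value that
' comes from the Request collection should get its own parameter.
cmd.CommandText = "SELECT ID, Name FROM dbo.USER WHERE Name = ? AND ID = '1'"
' Size (50) must cover the longest legitimate value; ADO rejects longer input
' rather than silently truncating it.
cmd.Parameters.Append cmd.CreateParameter("Name", adVarChar, adParamInput, 50, Foo)

Set rs = cmd.Execute

Do Until rs.EOF
    ' Encode on output as well; the database is not the only sink for user data.
    Response.Write Server.HTMLEncode(rs("ID") & ": " & rs("Name")) & "<br>"
    rs.MoveNext
Loop

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

With the parameter bound this way, the querystring payload shown in the first answer is delivered to SQL Server as a single Name value; it matches no row and never becomes part of the statement, which is why parameterization is preferred over trying to escape or "sanitise" the input by hand.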
