Octavious - 3:13 pm on Dec 8, 2011 (gmt 0)
Was able to clear up our database and restore our sites (had to shut down six for almost 24 hours - aaargh) after getting attacked twice. Discovered the injection point in one of our old sites that had a weak SQL statement. Learned a lot in the past few days and now trying to update most bad/old statements and include validations in all our input forms.
By the way, our attack was injected from an FAQ index page that has a hyperlink (looks like this: faqdsp.asp?id=1234) to the full documentation page. This was one of two pages that we neglected to update over the past couple of years. A quick Google of this actual page name "faqdsp" results in massive SQL injection issues along with the page "download".
I'm hearing a lot about using parameterized queries and tried the above example by softy but couldn't get it to work on our Classic ASP pages. Was wondering if anyone can help me convert the following connection/queries to parameterized queries. Also, will this only work with stored procedures? I'm not familiar with stored procedures but will likely learn and apply.
Here is our current code:
'This our connection string that is called from an include page:
Set OBJdbConnection = Server.CreateObject("ADODB.Connection")
OBJdbConnection.Open "Provider=sqloledb;Data Source=somesite.com;Initial Catalog=somecatalog;User Id=sa;Password=somepwd;"
'This is a typical sql query (yes, I know, it's weak!):
xid = Request.Form.Item("someid")
'xid is pasted straight into the SQL text, so anything in the form field becomes part of the query
SQL_query = "SELECT * FROM sometable WHERE (tblid = "&xid&")"
Set rs = OBJdbConnection.Execute(SQL_query)
'This is how we display the results:
xname = rs("name")
Any help as always is greatly appreciated.
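The same lookup rewritten with a parameterized ADODB.Command, as an added example that is not part of the original post. It uses plain SQL text (adCmdText), so no stored procedure is needed; the ADO constants are declared with Const in case adovbs.inc is not included, and the connection string values (including the app_user login, a placeholder for a least-privilege account instead of sa) are assumptions, not values from the post.

```vbscript
' Added example: parameterized version of the "tblid" lookup in Classic ASP / VBScript.
' ADO constants, so this runs without adovbs.inc (values are the standard ADO enum values).
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Dim OBJdbConnection, cmd, rs, xid, xname

' Connection string values are placeholders; app_user stands for a low-privilege SQL login.
Set OBJdbConnection = Server.CreateObject("ADODB.Connection")
OBJdbConnection.Open "Provider=sqloledb;Data Source=somesite.com;Initial Catalog=somecatalog;User Id=app_user;Password=somepwd;"

' Input validation: only accept a plain positive integer for the id.
xid = Trim(Request.Form.Item("someid"))
If Len(xid) = 0 Or Len(xid) > 9 Or Not IsNumeric(xid) Or InStr(xid, ".") > 0 Or InStr(xid, "-") > 0 Then
    Response.Write "Invalid id."
    Response.End
End If

' Build the command with a ? placeholder; the value is sent separately and never
' becomes part of the SQL text, which is what stops the injection.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = OBJdbConnection   ' Set, so the existing connection is reused
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT name FROM sometable WHERE tblid = ?"
cmd.Parameters.Append cmd.CreateParameter("tblid", adInteger, adParamInput, , CLng(xid))

Set rs = cmd.Execute

' Display the result the same way as before.
If Not rs.EOF Then
    xname = rs("name")
    Response.Write Server.HTMLEncode(xname)
Else
    Response.Write "Not found."
End If

' Clean up.
rs.Close
Set rs = Nothing
Set cmd = Nothing
OBJdbConnection.Close
Set OBJdbConnection = Nothing
```

For a text column you would use adVarChar (200) with a Size argument in CreateParameter instead of adInteger; the ? placeholders are filled in the order the parameters are appended, so keep Append calls in the same order as the ? marks in the statement.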