I want to use Indexing Service for the search page of a website.
I found the following code to do it:
If I'm not wrong, that looks susceptible to SQL injection. I tried to use parameters to avoid it, but I'm having problems:
This is my code:
strQuery = "Select DocTitle,Filename,Characterization,Size,PATH,URL,rank from Scope() where FREETEXT(?) ORDER BY rank DESC";
string connstring = "Provider=MSIDXS.1;Integrated Security='';Data Source=" + strCatalog;
try
{
    OleDbConnection conn = new OleDbConnection(connstring);
    conn.Open();
    // the command carries the query; the adapter fills the DataSet from it
    OleDbCommand dataCommand = new OleDbCommand(strQuery, conn);
    OleDbDataAdapter cmd = new OleDbDataAdapter();
    // OleDb binds parameters by position to the unquoted '?' marker in the query;
    // the parameter name is ignored
    dataCommand.Parameters.Add("@p1", OleDbType.VarChar).Value = TextBoxSearch.Text;
    cmd.SelectCommand = dataCommand;
    DataSet testDataSet = new DataSet();
    cmd.Fill(testDataSet, "SearchResults");
    DataView source = new DataView(testDataSet.Tables[0]);
    DataGridResults.DataSource = source;
    DataGridResults.DataBind();
    ...
*****************************************************
I'm getting the following error:
The ICommandWithParameters interface is not supported by the 'MSIDXS.1' provider. Command parameters are unsupported with the current provider.
*****************************************************
Is there any way to use parameters with Indexing Service?
strQuery = "Select DocTitle,Filename,Size,PATH,URL from Scope() where FREETEXT('" +TextBox1.Text+ "')";
as you can inject SQL there.
I don't know what could be done through that injection. If it's just seeing the catalog, as you said that's ok. Is it something else? I don't know.
Paco-
Option 1: Build a utility that replaces 1 single quote with 2 single quotes in your dynamic SQL string.
Option 2: Put your query in a stored procedure (as it should be anyway).
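Since the MSIDXS provider rejects command parameters, the search text has to go into the SQL string itself, and the only thing that can break out of the FREETEXT('...') literal is a single quote. The following is an added example of Option 1 above, not code from the thread: it doubles every single quote (a search for O'Reilly becomes FREETEXT('O''Reilly')), caps the input length, and keeps everything except the escaped text fixed. The catalog name and column list are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example: escaping helper for Indexing Service FREETEXT queries,
// written here to illustrate the thread's "Option 1" (not the poster's code).
public static class IndexingSearch
{
    // Upper bound on search text; FREETEXT input has no business being longer.
    private const int MaxLength = 200;

    // Doubles every single quote so the user's text cannot terminate the
    // FREETEXT('...') string literal that it is placed into.
    public static string EscapeFreetext(string userText)
    {
        if (userText == null) return string.Empty;
        string trimmed = userText.Trim();
        if (trimmed.Length > MaxLength) trimmed = trimmed.Substring(0, MaxLength);
        return trimmed.Replace("'", "''");
    }

    // Builds the full query. Only the escaped search text is interpolated;
    // the column list, scope and ordering are fixed literals.
    public static string BuildQuery(string userText)
    {
        return "SELECT DocTitle, Filename, Characterization, Size, Path, URL, Rank "
             + "FROM SCOPE() WHERE FREETEXT('" + EscapeFreetext(userText) + "') "
             + "ORDER BY Rank DESC";
    }

    // Runs the query against the named catalog (assumed name) and returns the
    // results as a DataTable ready for data binding.
    public static DataTable Search(string catalog, string userText)
    {
        string connString = "Provider=MSIDXS.1;Data Source=" + catalog;
        var results = new DataTable("SearchResults");
        using (var conn = new OleDbConnection(connString))
        using (var adapter = new OleDbDataAdapter(BuildQuery(userText), conn))
        {
            conn.Open();
            adapter.Fill(results);
        }
        return results;
    }
}
```

Doubling quotes closes the string-literal escape that the thread discusses; the length cap is a cheap way to refuse the oversized inputs mentioned later in the thread without maintaining a bad-word list.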
As ASPDaddy has mentioned, there's more than apostrophes that you have to guard against when protecting against SQL injection. I'd assume that the original poster would do apostrophe replacement as this is a web search and people will use apostrophes in their search.
As I said before, I wouldn't fret about it too much. There's not much a hacker can do with the Indexing Service.
Mattglet, please explain how you create stored procedures in the Windows Indexing Service.
Glad the situation is not as dangerous as I thought.
I also agree there is more to injection than the single quote; some are pretty ingenious, and you just can't count on having a bad-word list, as you can be sure you'll miss some.