Under Attack!

Hacker attacked DB with link to virus

         

slgdceo

12:57 pm on May 5, 2008 (gmt 0)

10+ Year Member



It looks fine now since we pulled a backup of the DB. But I'm sure they'll attack again. The host said that it was a SQL injection. The programmer fixed all of the fields in the contact page to keep them out. This is one of the listings pages that it screws up with putting a strike through on all the text and a link through to the contact page which adds a link to a web site with a virus. This same thing happened 2 weeks ago. Is there any other way the hacker could get into the DB? Does the form have to be connected to the DB in order to get in? What else would we look for to do to keep out hackers?

[edited by: jatar_k at 4:44 pm (utc) on May 5, 2008]
[edit reason] no specifics thnks [/edit]

SteveWh

11:35 am on May 6, 2008 (gmt 0)

10+ Year Member



It's not the form itself that allows SQL injection.

What you need to be fixing is the "forms handler" script/program to which the form data is sent. That is what is allowing the malicious SQL commands to slip through.

All other ASP scripts should be checked, too.
At every location where input is received from a user, that input has to be "sanitized" before it is used for any purpose.

Ocean10000

12:39 am on May 7, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I am not sure if you're using ASP.NET or ASP Classic.

If you are using Asp.Net the following link may be of use to you.
How To: Protect From SQL Injection in ASP.NET [msdn.microsoft.com]

slgdceo

1:50 am on May 7, 2008 (gmt 0)

10+ Year Member



The site is in ASP classic. Thanks for the input. Shouldn't my host be helping me out? Is there any other way they could get in? We have a search function on the homepage. Can they get in through ANY form on the site even though it's not connected to the DB?

Ocean10000

3:51 am on May 7, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



As long as you have the page that is vulnerable and still accessible from the public web they can continue hacking you. As long as that page is public, they do not need any other page referencing it anymore now that they know about it. They have it coded to find it and abuse it now. Only way is to remove or fix the page which has the vulnerability.

SteveWh

4:02 am on May 7, 2008 (gmt 0)

10+ Year Member



Unless this is a case where the server software itself has been compromised (which it doesn't sound like), this isn't the host's responsibility.

If someone can get code injected into your site that gives them the needed permissions for "write access" (i.e. modify, add, or delete files), they basically can do anything to the site they want.

Any form could potentially allow malicious code to be injected, but remember it's not the form. It's whatever program the data is sent to when the user clicks the Submit button.

Pages that don't contain forms can be vulnerable, too. I expect that ASP must have the same potential for "Remote File Inclusion" vulnerabilities that PHP has.

The basic rule is: ALL data provided by the user (including the HTTP request itself, such as in a query string) is potentially malicious, and your application must never use that untrusted data without first sanitizing/cleaning/scrubbing it (all of those being terms used for the process).

So, for example, your search function could indeed be vulnerable (assuming it's not a standard Google/Yahoo-provided Search This Site box). The user enters a search string. Depending on how your search script handles the string and performs the search, they could theoretically enter a search string that tricks the program into giving them access to your site.

You or your programmer should read carefully the article Ocean10000 linked to. If you don't understand it or the techniques it describes, the safest course would be to remove the forms from your pages, delete or rename the forms handler scripts that you're using, and read about SQL injection. Don't allow any user input until you fully understand the hazards and how to protect the site.

[edited by: SteveWh at 4:10 am (utc) on May 7, 2008]

slgdceo

11:52 am on May 7, 2008 (gmt 0)

10+ Year Member



Thanks Steve, I'll pass this on to the programmer.

slgdceo

3:34 pm on May 12, 2008 (gmt 0)

10+ Year Member



Update: We feel we've been spinning our wheels trying to clean up this site. We've dropped back and punted. We've got so much on the site that is not being used...there are too many files on the server to work through. *Does anyone know of software that will pull a site and its linked contents? We are going to pull all the files that are linked and leave the rest behind...this will help us see only the pages we need to work on. (FYI: we also believe that the present host has not kept up with the updates on their server software and such.)
We stabilized the site. Now, we need to move the site to a new host. We are doing that this week. *Does anyone know of a web site security company we can consult?

Lightguy1

2:46 pm on May 13, 2008 (gmt 0)

10+ Year Member



I have used programs in the past where, if you type in the main URL, it will follow and download anything that links from that. I just checked and couldn't find it on my system, but it's around. I just got it off of Google, I remember, and it was freeware.

SteveWh

4:52 pm on May 13, 2008 (gmt 0)

10+ Year Member



Two programs you can use to crawl your own site are Wget and cURL.

slgdceo

2:36 am on May 14, 2008 (gmt 0)

10+ Year Member



Well, I purchased software my developer suggested which is "orfind".

slgdceo

2:40 am on May 14, 2008 (gmt 0)

10+ Year Member



Still looking for a security company to consult.

Jimville

3:43 am on May 15, 2008 (gmt 0)

10+ Year Member



My site was hacked with sql injection. Does it affect the asp code or just the database?

topr8

9:54 am on May 15, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



>>Does it affect the asp code or just the database?

if you have been sql injected, then it only affects the database table fields that have been written to/overwritten, updated etc.

however of course if you are writing your pages dynamically with data drawn from the database of course your pages could easily be affected (this is the point for most hackers as well as trying to steal sensitive information)

slgdceo

12:34 am on May 17, 2008 (gmt 0)

10+ Year Member



OK...here we are an update: We can't seem to get to the next step because of our crappy host. We're putting out fires but meanwhile trying to move to another host.
We're trying to prevent hacks on our site. We've been down several times and the idea came up that we could prevent the SQL Injections by making an account for just the public-facing side of the site that has Read Only set for it. This is a Microsoft SQL 2000 server BTW.

Our hosting company configured such an account and it couldn't select tables (or so the error said) and after a day of checking things they said we needed to change our SELECT statements to specify the database and owner account directly in order to access this.

Example:

Old query string:

oRs.Source = "SELECT DISTINCT [slu].[state], [slu].[stateLong] FROM [tblStateLookup] [slu]...

New query string:

oRs.Source = "SELECT DISTINCT [slu].[state], [slu].[stateLong] FROM [dbdeckard].[acct567x].[tblStateLookup] [slu], ...

Question - is this really the easiest way to do this? We have HUNDREDS of lines of code that would have to be updated.

Any better ideas?

johnhh

3:59 pm on May 17, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



um bit odd - assuming the host has set up a new login and added that login name as a user for the database you are using all should be well.

Have you checked to see if the connection string specifies the new user name and database name correctly?

bmcgee

2:01 am on May 18, 2008 (gmt 0)

10+ Year Member



Why don't you just escape the portions of your query that are using the dynamic input? Use a tool like GREP to scour your code for all the places that need it.

Then, the next step would be to get a developer who doesn't leave the site vulnerable to SQL injection.

Finally, why wouldn't you use stored procedures in ms sql? It will make your code far more maintainable and likely reduce a lot of redundant code.

As far as blaming the host for not keeping up on patches, no patch is going to stop the SQL injection. This was a result of the poorly written ASP code by your developer.

johnhh

12:42 pm on May 18, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The problem slgdceo has is time - the easiest way is to change the table permissions for the user_name.

That gives a "breathing space" in which the stored procedures can be written, and, I suggest, called using parameters not variables.

Note that the SQL injections I have seen are actually in binary...
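
The "parameters not variables" advice above, shown for ASP Classic with ADO as an added example (not code from any poster in this thread). The table and column names come from the query quoted earlier; the connection string values, the `state` query-string field, the two-letter varchar column type and the `GetStateLong` helper are assumptions made for illustration.

```vbscript
' Added example for an ASP Classic page; place inside <% ... %>.
' Assumptions: CONN_STR holds placeholders, "state" is a hypothetical
' query-string field, GetStateLong is a hypothetical helper name.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const CONN_STR = "Provider=SQLOLEDB;Data Source=SERVER;Initial Catalog=DBNAME;User ID=READONLY_USER;Password=PLACEHOLDER"

' BEFORE (vulnerable pattern): user input becomes part of the SQL text,
' so the database parses whatever the visitor typed as SQL.
'   oRs.Source = "SELECT [stateLong] FROM [tblStateLookup] " & _
'                "WHERE [state] = '" & Request.QueryString("state") & "'"

' AFTER: the SQL text is constant and the value travels separately as a
' typed, length-limited parameter that is never parsed as SQL.
Function GetStateLong(ByVal stateCode)
    Dim oConn, oCmd, oRs, re
    GetStateLong = ""

    ' Validate first: a state code is assumed to be exactly two letters.
    stateCode = UCase(Trim(stateCode & ""))
    Set re = New RegExp
    re.Pattern = "^[A-Z]{2}$"
    If Not re.Test(stateCode) Then Exit Function

    Set oConn = Server.CreateObject("ADODB.Connection")
    oConn.Open CONN_STR

    Set oCmd = Server.CreateObject("ADODB.Command")
    Set oCmd.ActiveConnection = oConn
    oCmd.CommandType = adCmdText
    oCmd.CommandText = "SELECT [stateLong] FROM [tblStateLookup] WHERE [state] = ?"
    ' OLE DB binds "?" by position; the parameter name is only a label.
    oCmd.Parameters.Append oCmd.CreateParameter("@state", adVarChar, adParamInput, 2, stateCode)

    Set oRs = oCmd.Execute
    If Not oRs.EOF Then GetStateLong = oRs.Fields("stateLong").Value

    oRs.Close : oConn.Close
    Set oRs = Nothing : Set oCmd = Nothing : Set oConn = Nothing
End Function

' Encode on output as well: rows already tampered with in the database
' end up in rendered pages, as described earlier in the thread.
Response.Write Server.HTMLEncode(GetStateLong(Request.QueryString("state")))
```

The same `ADODB.Command` pattern applies when `CommandText` names a stored procedure, and it works unchanged with the read-only login discussed above, which limits what a missed query can do while the remaining pages are converted.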

slgdceo

1:22 pm on May 18, 2008 (gmt 0)

10+ Year Member



Thanks Guys, I'm forwarding these over to my developer. I'll have some input for you later. Thanks again.