Re: empty values in INSERT INTO statement
- From: "Bob Barrows [MVP]" <reb01501@xxxxxxxxxxxxxxx>
- Date: Mon, 25 Apr 2005 07:11:10 -0400
Mark J. McGinty wrote:
> Bob, I'm not trying to be overly negative, I know you post to these
> news groups regularly and make a substantial contribution... But I
> felt I needed to add something, and hope you won't take it badly.
Not at all. You've given me a chance to clarify what I posted.
>
> "Bob Barrows [MVP]" <reb01501@xxxxxxxxxxxxxxx> wrote in message
> news:Oyn%23Dx$RFHA.1348@xxxxxxxxxxxxxxxxxxxxxxx
>
> [snip]
>> 'Regardless of which option you are using start by validating inputs
>>
>> for each key in Request.Form
>>   s=lcase(request.form(key))
>>   'The following should be done with regexp. This is a demo
>>   if instr(s,"select")>0 OR instr(s,"insert")>0 OR _
>>      instr(s,"update")>0 OR instr(s,"delete")>0 THEN
>>     'punish the hacker
> [snip]
>
> If you're using parameters what's the point?
The point is that if you don't make it difficult for a hacker, he will
continue attempting different exploits until he finally finds your site's
vulnerability. If the only consequence of his bad behavior is a simple "not
authorized" message, he will realize that sql injection is not going to work
and start trying other exploits until he finds the one that works. However,
if the consequence of each of his attempts is a page that takes 5 min. to
load (or better yet, a page that simply launches itself in new windows,
forcing him to kill the process with task manager), how many attempts do you
think he will make before he moves on to greener pastures?
> Text inside a parameter
> will not be executed as SQL, ever, plus those words could occur in
> valid input, e.g., [Product Name] = 'Select Beef'.
It was just a suggestion. These were obviously fields that contained the
names of people, making it unlikely that they would contain SQL keywords. Of
course, if the text could contain these words, you would use some other
scheme.
> What's more,
> those InStr calls are case-sensitive without some more [optional]
> arguments, while SQL is not, so any variation of case would thwart
> this check.
... which is why I used the lcase function ... :-)
>
> What's even more, even without parameterizing those values, a SQL
> injection would depend on at least some punctuation, such as a
> semi-colon or double-dash (neither of which may work in Jet, don't
> know, don't care, that's beside the point.)
Not really. A union statement needs no punctuation.
However, that's not the point. The thing is, the hacker probably does not
know what backend you are using. He is likely a script kiddie running a
script that successfully broke into other sites. He is not likely to be
tailoring his attack to the backend database you are using.
>
> I'm not saying that input validation when using parameterized SQL is
> unnecessary, but such needs are app-specific. Searching parameterized
> values for possible SQL injection is pointless.
Agreed. When this is the only defense, it is certainly pointless.
I recently attended a presentation by Patrick Hynds and Duane LaFlotte, who
based their presentation on a new book they are working on called "Hacker vs.
Hacker" (a takeoff on the Mad "Spy vs. Spy" series). One of their keys was
"punish obviously bad behavior". Not taunt: punish. To reiterate: the key
word is "obvious". The entry of a SQL keyword into a name field is obvious
bad behavior that needs to be punished.
Another key was "multi-layered defense". Look for the book when it comes
out. I plan to.
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
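An added Python/sqlite3 illustration (not from the thread, and not ASP/Jet code) of the two points argued above: a parameterised INSERT stores keyword-bearing, quote-bearing or empty values as plain data, while a keyword filter like the quoted loop flags the legitimate name 'Select Beef'. The whole-word regex and the empty-string-to-NULL mapping are assumptions of this demo, not the original InStr checks.

```python
import re
import sqlite3

# Keyword filter in the spirit of the quoted ASP loop: lower-case the value,
# then look for SQL verbs. Whole-word matching is an assumption added here;
# the original used plain InStr substring checks.
SQL_VERBS = re.compile(r"\b(select|insert|update|delete)\b")

def looks_like_sql_keyword(value: str) -> bool:
    """True when the keyword filter would flag this input (false positives included)."""
    return SQL_VERBS.search(value.lower()) is not None

def insert_product(conn: sqlite3.Connection, name: str, notes: str) -> None:
    """Parameterised INSERT: both values travel as data, never as SQL text.
    Empty form fields are stored as NULL here (a demo assumption)."""
    params = tuple(None if v == "" else v for v in (name, notes))
    conn.execute("INSERT INTO products(name, notes) VALUES (?, ?)", params)
    conn.commit()

def product_rows(conn: sqlite3.Connection) -> list:
    return conn.execute("SELECT name, notes FROM products ORDER BY id").fetchall()

def demo():
    """Constructed sample inputs; returns the rows as stored plus the filter verdicts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, notes TEXT)")
    samples = [("Select Beef", "frozen"), ("Deleted Scenes DVD", ""),
               ("UPDATE Nutrition Bar", ""), ("O'Brien", "")]
    for name, notes in samples:
        insert_product(conn, name, notes)
    verdicts = {name: looks_like_sql_keyword(name) for name, _ in samples}
    return product_rows(conn), verdicts
```

Every sample row comes back exactly as entered, yet the filter rejects two of the four valid names, which is the false-positive cost Mark raised.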