June 3, 2008 at 2:56 am
Dear sir, I am facing a problem in my website.
I am using ASP classic in the front end, and for the database I am using SQL Server 2000. I have noticed one common problem in all my websites: someone adds in all database tables, and my website goes down.
And such a link with a script is shown in the status bar of Explorer.
Can anyone tell me if it is a virus or an SQL-injection-related problem, and how can I prevent it? Any useful answer is appreciated.
http://www.engelskirchen.de/ (infected site)
June 3, 2008 at 3:25 am
Are you able to explain what the exact problem is?
I am reluctant to check out your (infected) site from work.
June 3, 2008 at 4:15 am
Brother, in the site above it is automatically trying to navigate to some other URL which I don't know.
Second thing: I suspect someone is injecting such a script into my database. Can you tell me how many ways there are to stop SQL injection?
Or any good suggestion?
Or can I trace, using SQL Server, who inserts what into the database?
June 3, 2008 at 4:40 am
You can avoid SQL injection by avoiding the use of dynamic SQL.
Don't have lines in your code like
' User input is concatenated straight into the SQL text: this is the injection hole.
strCmd = "INSERT INTO myMainTable (MostImportantInfo) VALUES ('" & Request.QueryString("hackmenow") & "')"
conn.Execute strCmd
Replace these with stored procedures and validation logic.
Also, as far as going to a page and having it redirect you, look for Response.Redirect commands.
June 3, 2008 at 4:44 am
There is a lot of information on this site and others about stopping SQL injection; do a bit of research, but basically:
- parameterize your queries.
- use stored procs.
- restrict access to stored procs.
- remove all table access from your website.
- create bare-minimum privileges for your logins.
Immediately, if I suspected an injection attack, I would change your admin passwords.
Set up a trace to check for any possible attacks.
June 3, 2008 at 6:11 am
Thank you very much, all of you. Now could you please guide me on how I can do
"remove all table access from your website"?
June 3, 2008 at 6:28 am
It depends on how you have your system set up.
The way I do websites, and most applications, is to only allow the application access to stored procedures which can add and update the data. I don't allow any access to the tables.
You can do this under the security tab for your database; either do it per user or create a schema.
Are you using stored procs to access your data?
Sorry, I just realised that this is in the 2000 forum. I am not completely sure how to change the security for users in 2000; I am sure it is similar and shouldn't be too hard to find out in BOL.
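As an added example (not code from this thread), here is one way to set up the "stored procedures only, no table access" model on SQL Server 2000; the database, login, table and procedure names are assumed:

```sql
-- Constructed example for SQL Server 2000 (not code from this thread).
-- Assumed names: database WebDb, login/user webapp, table dbo.myMainTable
-- with column MostImportantInfo, procedure dbo.usp_AddMainItem.
USE WebDb
GO

-- 1. A dedicated, low-privilege login for the website (SQL 2000 syntax;
--    the password is a placeholder).
EXEC sp_addlogin @loginame = 'webapp', @passwd = '<strong-password-placeholder>', @defdb = 'WebDb'
EXEC sp_grantdbaccess @loginame = 'webapp', @name_in_db = 'webapp'
GO

-- 2. The insert goes through a procedure with a typed parameter. The value
--    is never spliced into SQL text, so quotes, comment markers or hex-encoded
--    strings arrive as plain data in the column instead of being run as SQL.
CREATE PROCEDURE dbo.usp_AddMainItem
    @MostImportantInfo nvarchar(200)
AS
    SET NOCOUNT ON
    INSERT INTO dbo.myMainTable (MostImportantInfo)
    VALUES (@MostImportantInfo)
GO

-- 3. The website may only EXECUTE the procedure and gets no table rights.
--    Because dbo owns both the procedure and the table, ownership chaining
--    lets the procedure touch the table even though webapp itself cannot.
--    Caveat: if the procedure builds dynamic SQL (EXEC / sp_executesql), the
--    chain breaks and the DENY below blocks it, which is the intended safety net.
GRANT EXECUTE ON dbo.usp_AddMainItem TO webapp
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.myMainTable TO webapp
GO

-- 4. Check the result as the web login (SETUSER needs sysadmin or db_owner).
SETUSER 'webapp'
EXEC dbo.usp_AddMainItem @MostImportantInfo = N'hello'        -- succeeds
SELECT * FROM dbo.myMainTable                                   -- fails: permission denied
INSERT INTO dbo.myMainTable (MostImportantInfo) VALUES (N'x')  -- fails: permission denied
SETUSER
GO
```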
June 3, 2008 at 6:42 am
No, I'm not using stored procedures :w00t: Anyway, thanks for your response. My next question is: I have read on a site that a hacker can inject script from the URL, and I have already restricted URL injection, but can he inject using hex code equivalent to the same?
If so, how can we restrict it?
June 3, 2008 at 6:52 am
Change your app so that it does use stored procedures, and restrict table access. You can check for keywords, but it's not a sure thing. There are ways to get around it.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
June 3, 2008 at 7:00 am
I agree with Gail and strongly recommend using stored procedures; this way you can be sure what is getting added to your database.
There are numerous ways to inject SQL, and using hex code is one of the most overlooked and difficult to stop; stored procs will stop it though.
Depending on how much code you have, this may take some time, but it will be worth it for security.
June 4, 2008 at 2:28 am
Just a quick question:
Are you persisting data between pages in your site?
If yes, how are you doing this?
--Shaun
Hiding under a desk from SSIS Implementation Work :crazy: