Security and DMX

Posted 20 May 2003 14:34:27
20 May 2003 14:34:27 Phil Shevlin posted:
I've been reading about SQL Injection and as I see it DMX is ripe for this type of hacking.
Dim rs__MMColParam
rs__MMColParam = "1"
If (Request.QueryString("ID") <> "") Then
    rs__MMColParam = Request.QueryString("ID")
End If
...
' Single quotes are doubled, but the value is spliced into the SQL text
' unquoted, so input that contains no quote character reaches the server as SQL
rs.Source = "SELECT * FROM tablename WHERE ID = " + Replace(rs__MMColParam, "'", "''") + ""
...

A hacker only needs to put
foo; drop table tablename --

into your form and bye bye tablename


What methods do you use to secure your database?

I am starting to use only views and stored procedures for views, inserts, updates and deletes.
Do you think this is enough? What about login/permissions. Any tips for DMX users?

Edited by - wdglide on 20 May 2003 14:35:03
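Added example (my own code, not from the post or from Dreamweaver MX): it rebuilds the SQL text the snippet above produces for the exact payload quoted in the post, then sends the same input through a parameterized query against an in-memory SQLite table holding constructed sample rows, so the value is bound as data and never parsed as SQL. The function names (dmx_style_sql, lookup_by_id, make_db, table_exists) are my own assumptions.

```python
import sqlite3

# Constructed sample input: the exact payload quoted in the post above.
PAYLOAD = "foo; drop table tablename --"


def dmx_style_sql(raw_id: str) -> str:
    """Reproduce what the DMX snippet builds: quotes are doubled, but the
    value is concatenated unquoted, so the payload survives untouched."""
    escaped = raw_id.replace("'", "''")
    return "SELECT * FROM tablename WHERE ID = " + escaped


def lookup_by_id(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: the ID travels as a bound parameter. Whatever it
    contains, it is compared as a value and never executed as SQL."""
    cur = conn.execute("SELECT * FROM tablename WHERE ID = ?", (raw_id,))
    return cur.fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check the catalogue so the test can prove the table is still there."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the post's 'tablename'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tablename VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta")])
    return conn


if __name__ == "__main__":
    print("DMX builds:", dmx_style_sql(PAYLOAD))
    db = make_db()
    print("parameterized lookup of payload:", lookup_by_id(db, PAYLOAD))
    print("table still present:", table_exists(db, "tablename"))
```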

Replies

Replied 20 May 2003 14:41:48
20 May 2003 14:41:48 Vince Baker replied:
If you are using sql 7 or 2000 then protecting this sort of attack should be simple by not allowing the modification of any table / view etc by the internet guest account.

How this would be covered using access for example, I am unsure.

Regards
Vince

Visit my home: www.chez-vince.com

VBScript | ASP | HTML | SQL | Oracle | Hosting
Replied 20 May 2003 14:54:17
20 May 2003 14:54:17 Phil Shevlin replied:
Good point!

However, what methods are you aware of that DMX users can use to handle sites that allow "guests" to upload, insert, etc. (i.e., ebay type)

...at the database level (and work relatively easily with DMX)

I'm thinking about logins and permissions and multiple connection options, i.e.:
if admin connect with this...
if registered user connect with this...
else connect with read only login
Replied 21 May 2003 11:22:57
21 May 2003 11:22:57 Allan Kent replied:
heya,

mysql allows you to create users with very specific permissions. so you could say that user 'internet' for example, on database 'dmxzone' only has select, insert and update privileges. you can go right the way down to table specific privileges - specifying individual fields.

I'm pretty sure there must be a way to do this in MS SQL, not sure about Access.

allan
Replied 21 May 2003 11:30:39
21 May 2003 11:30:39 Vince Baker replied:
The same levels of security are available on MS SQL 7 and SQL 2000.

Again, not sure about access.

Regards
Vince

Visit my home: www.chez-vince.com

VBScript | ASP | HTML | SQL | Oracle | Hosting
Replied 23 May 2003 11:03:11
23 May 2003 11:03:11 Julio Taylor replied:
I think as allankent said, the best solution is to create a browse user with the bare minimum permissions. Anyone who connects to a MySQL database using root attributes is running a serious risk. The question however is this:

many ISPs provide their clients with one login, often the same one the client needs to use through PHPMyAdmin to create and modify the database. They are expected to use that same login (presumably with full rights over that database) to connect via PHP... so in effect a large part of the blame in the SQL injection problem lies with the hosting companies who make no effort whatsoever to protect their customers by giving them multiple levels of login for their databases.

I recommend anyone using host-based databases to insist that they are given lower-level alternative logins for use in run-time database access.

</rant>

------------------------
Julio

PHP | MySQL | DWMX

ICQ: 19735247
MSN:
Replied 23 May 2003 12:44:33
23 May 2003 12:44:33 Phil Shevlin replied:
quote: many ISPs provide their clients with one login
This is exactly my point. I can't be the first person to raise this issue.

That's why I was asking for other things people do to secure it - in case my <rant> doesn't work.

My only thought is to build the entire frontend so that it only uses stored procedures and views. However, very few extensions work with stored procedures.

Edited by - wdglide on 23 May 2003 12:48:12
Replied 23 May 2003 14:51:13
23 May 2003 14:51:13 Owen Eastwick replied:
In VBScript you can use the replace command to get rid of any problem words from the URL parameter, something like:

<%
varString = Request.QueryString("Whatever")
varBadWords = "INSERT,UPDATE,DELETE,DROP,ALTER,WHERE,INTO"
' Split the variable, not the literal string "varBadWords"
varBadWordArray = Split(varBadWords, ",")
For i = 0 To UBound(varBadWordArray)
    ' vbTextCompare makes the match case-insensitive; Replace is case-sensitive by default
    varString = Replace(varString, varBadWordArray(i), "", 1, -1, vbTextCompare)
Next
%>

If you are allowing the user to enter free text from a text area or a text field this shouldn't be a problem if your SQL command is something like this:

Command.Source = "INSERT INTO TableName(TextField, NumericField) VALUES('" & varText & "', " & varNumber & ")"

Because any SQL held within varText will be treated as text and not executed.

Regards

Owen.

-------------------------------------------------------------------------------------------
Used programming books and web development software for sale (UK only): www.tdsf.co.uk/tdsfdemo/Shop.htm

Developer services and tutorials: www.drdev.net

Multiple Parameter UD4 / Access 2000 Search Tutorial: www.tdsf.co.uk/tdsfdemo/
Replied 24 May 2003 01:34:47
24 May 2003 01:34:47 Phil Shevlin replied:
Thanks

However, for those of us that use extensions, such as smart image processor, when you alter the default update record server behavior it ruins any chance of using these add-ons.

I'm really liking the idea of using stored procs.
