Cross-Site Scripting Question


goematix
07-23-2008, 08:12 PM
Hi, I'm having a problem preventing a SQL injection attack. It appears to be targeting these stored procedures. Does anyone know how I can secure these stored procedures? It is SQL 2000. Thanks.

CREATE Procedure proc_listAdminListDiscs
@accID int
As
SELECT adc_id,
adc_discount,
adc_descr,
dt_descr AS d_descr
FROM tbl_tmp_accomDiscounts INNER JOIN tbl_discount_types ON tbl_tmp_accomDiscounts.adc_discount=tbl_discount_types.dt_id
WHERE adc_accom=@accID
ORDER BY adc_rank ASC


GO


_ _ _ _ _ _ _ _ _ _

CREATE Procedure proc_listAdminListDiscTypes
@accID int
As
SELECT dt_id AS d_id,
dt_descr AS d_descr
FROM tbl_discount_types d
WHERE NOT EXISTS (SELECT adc_id FROM tbl_tmp_accomDiscounts tad WHERE tad.adc_discount=d.dt_id AND tad.adc_accom=@accID)

GO

_ _ _ _ _ _ _ _ _ _

CREATE Procedure proc_addAdminListDiscount
@accID int,
@discountID int,
@details varChar(255)
As

DECLARE @rank int
SELECT @rank = MAX(adc_rank) FROM tbl_tmp_accomDiscounts WHERE adc_accom = @accID

IF @rank IS NULL
SELECT @rank = 0

SELECT @rank = @rank + 1

INSERT INTO tbl_tmp_accomDiscounts (adc_accom, adc_discount, adc_descr, adc_rank)
VALUES (@accID, @discountID, @details, @rank)


GO

_ _ _ _ _ _ _ _ _

Phil Weber
07-23-2008, 08:39 PM
Those stored procedures do not appear to be vulnerable to SQL injection attacks. Why do you believe they are the target of such an attack?

goematix
07-23-2008, 08:47 PM
To be honest, I'm not sure what is causing the attack; it may be coming from the code. Here are some snippets of the likely candidates:

set rs = cn.execute("proc_addAdminListDiscount " & accID & ", " & newID & ", '" & newDetails & "'")
set rs = cn.execute("proc_listAdminListDiscTypes " & accID)
set rs = cn.execute("proc_deleteAdminListDiscount " & itemID)

Thanks.
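An added example, not code from the original post: the same call to proc_addAdminListDiscount made through an ADODB.Command with typed parameters, so the request values never become part of the command text. In the posted snippet the first `cn.execute` line concatenates `newDetails` inside a quoted literal, so a value containing a single quote changes the statement the server receives; passing it as a parameter closes that path. The example assumes an open ADODB.Connection named `cn` and the request variables `accID`, `newID` and `newDetails` from the snippet.

```vbscript
' Added example (not from the original post): invoking proc_addAdminListDiscount
' with typed ADO parameters instead of building the command as a string.
' Assumes cn is an open ADODB.Connection and accID, newID, newDetails hold the
' request values used in the original snippet.

' ADO constants, declared inline so adovbs.inc is not required.
Const adCmdStoredProc    = 4
Const adInteger          = 3
Const adVarChar          = 200
Const adParamInput       = 1
Const adExecuteNoRecords = 128

' Reject non-numeric ids before touching the database (CLng below would also
' raise a type-mismatch error, but an explicit check gives a clean failure).
If Not IsNumeric(accID) Or Not IsNumeric(newID) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "proc_addAdminListDiscount"

' Each value travels as a typed parameter. The provider never splices it into
' SQL text, so a quote or semicolon inside newDetails is stored as plain data.
' Size 255 matches the @details varChar(255) declared in the procedure.
cmd.Parameters.Append cmd.CreateParameter("@accID", adInteger, adParamInput, , CLng(accID))
cmd.Parameters.Append cmd.CreateParameter("@discountID", adInteger, adParamInput, , CLng(newID))
cmd.Parameters.Append cmd.CreateParameter("@details", adVarChar, adParamInput, 255, Left(newDetails & "", 255))

' The procedure returns no rows, so skip creating a Recordset.
cmd.Execute , , adExecuteNoRecords
Set cmd = Nothing
```

The two list procedures in the thread take only `@accID`, so the same pattern applies to them with a single adInteger parameter and `Set rs = cmd.Execute` to receive the rows.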

Phil Weber
07-24-2008, 12:21 AM
Do you understand what SQL injection is? It means a user is able to pass input to your program which the database interprets as executable code. You're using stored procedures, not using string concatenation to create SQL queries in code. And all your procedures accept parameters, so I don't see how it's possible for the database to treat user input as executable code.

goematix
07-24-2008, 12:37 AM
Maybe I'm using the wrong terminology. Somehow a URL is being appended to text in a SQL field. So, for example, if the field value is 'This is my text' it ends up as 'This is my text http://www.someurl.com/abc.js '. This text appears on a web page, and it then downloads the virus to the user's computer. I'm not certain how it is doing this.

Phil Weber
07-24-2008, 07:19 PM
OK, that's cross-site scripting, not SQL injection. You need to filter user input and/or encode HTML output. See this page for more information: http://msdn.microsoft.com/en-us/library/ms998274.aspx
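An added example, not from the thread, of the output-encoding half of that advice in classic ASP: descriptions read back from proc_listAdminListDiscs are passed through Server.HTMLEncode before being written to the page, so a stored `<script src=...>` fragment is shown as literal text rather than executed by the browser. It assumes `rs` is the recordset returned by that procedure; the helper name `SafeText` is invented for the example.

```vbscript
' Added example (not from the original thread): encode database text on output.
' Assumes rs is the ADODB.Recordset returned by proc_listAdminListDiscs.

' SafeText (hypothetical helper): converts Null to "" (Server.HTMLEncode raises
' an error on Null) and HTML-encodes &, <, > and " so stored markup is inert.
Function SafeText(value)
    SafeText = Server.HTMLEncode(value & "")
End Function

Response.Write "<ul>" & vbCrLf
Do While Not rs.EOF
    ' Vulnerable form, for contrast:
    '   Response.Write "<li>" & rs("adc_descr") & "</li>"
    ' A description containing <script src="http://example.invalid/x.js"></script>
    ' would be parsed as markup. The encoded form renders it as visible text.
    Response.Write "<li id=""disc-" & CLng(rs("adc_id")) & """>" & _
                   SafeText(rs("adc_descr")) & " (" & SafeText(rs("d_descr")) & ")" & _
                   "</li>" & vbCrLf
    rs.MoveNext
Loop
Response.Write "</ul>" & vbCrLf
```

Server.HTMLEncode does not escape the single quote, so keep any attribute that carries encoded data inside double quotes, as the `id` attribute above does. Encoding at output is the control that stays effective even when rows were altered by some other path than the form, which matches the symptom described earlier in the thread.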