SQL Injection Vulnerability Pattern

From Guidance Share
Revision as of 06:27, 11 December 2007 by JD (talk | contribs)

Context

You have an application that accesses a database.


Problem

How do you discover data access code that could allow an attacker to execute unauthorized commands in the database?


Forces

  • Lack of type-safe SQL parameters.
  • Construction of SQL statements from untrusted input.
  • Missing or weak input validation.


Solution

Review the data access code for the following patterns; each one indicates a SQL injection vulnerability.

  • Dynamic SQL concatenating unvalidated input

    // Vulnerable: the raw text box value is spliced into the statement,
    // so a quote in SSN.Text changes the meaning of the WHERE clause.
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM authors WHERE au_id = '" +
        SSN.Text + "'", myConnection);

  • Stored procedure concatenating unvalidated input

    // Vulnerable: calling a stored procedure does not help when the
    // call itself is built by string concatenation.
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "LoginStoredProcedure '" +
        SSN.Text + "'", myConnection);

  • Validating input against a predefined list of bad SQL strings

    // Weak validation: a blocklist only catches the strings it was
    // given and leaves the query construction itself unchanged.
    private bool isUnSafe(string inputSQL, string[] badSQLStrings)
    {
        foreach (string badStr in badSQLStrings)
        {
            if (inputSQL.Contains(badStr))
                return true;
        }
        return false;
    }
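The two concatenating patterns above, rewritten with type-safe SQL parameters. This is an added example, not code from the original page; myConnection, SSN.Text, the authors query and the LoginStoredProcedure name come from the page, while the parameter names @au_id and @ssn and the varchar(11) type are assumptions about the schema.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class SafeDataAccess
{
    // Pattern 1 hardened: the SSN value travels as a typed parameter, so
    // quotes or comment markers in the text cannot alter the statement.
    public static DataSet GetAuthor(SqlConnection myConnection, string ssnText)
    {
        const string sql =
            "SELECT au_lname, au_fname FROM authors WHERE au_id = @au_id";
        using (SqlCommand cmd = new SqlCommand(sql, myConnection))
        {
            // Assumed column type: constrain type and length to what
            // the au_id column accepts.
            cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssnText;
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                DataSet result = new DataSet();
                adapter.Fill(result);
                return result;
            }
        }
    }

    // Pattern 2 hardened: invoke the stored procedure by name with
    // CommandType.StoredProcedure instead of building an EXEC string.
    public static DataSet Login(SqlConnection myConnection, string ssnText)
    {
        using (SqlCommand cmd = new SqlCommand("LoginStoredProcedure", myConnection))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Assumed procedure parameter name and type.
            cmd.Parameters.Add("@ssn", SqlDbType.VarChar, 11).Value = ssnText;
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                DataSet result = new DataSet();
                adapter.Fill(result);
                return result;
            }
        }
    }
}
```

Parameterizing the call does not protect against a stored procedure that internally concatenates its argument into dynamic SQL and executes it; the procedure body must be reviewed for the same pattern.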