Classic ASP SQL Injection Protection

Daniel A. White picture Daniel A. White · Sep 29, 2008 · Viewed 50.7k times · Source

What is a strong way to protect against sql injection for a classic asp app?

FYI I am using it with an access DB. (I didnt write the app)

Answer

Cade Roux picture Cade Roux · Sep 29, 2008

Stored Procedures and/or prepared statements:

https://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks

Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?

Catching SQL Injection and other Malicious Web Requests

With Access DB, you can still do it, but if you're already worried about SQL Injection, I think you need to get off Access anyway.

Here's a link to the technique in Access:

http://www.asp101.com/samples/storedqueries.asp

Note that what typically protects from injection is not the stored procedure itself, but that fact that it is parameterized and not dynamic. Remember that even SPs which build dynamic code can be vulnerable to injection if they use parameters in certain ways to build the dynamic code. Overall, I prefer SPs because they form an interface layer which the applications get to the database, so the apps aren't even allowed to execute arbitrary code in the first place.

In addition, the execution point of the stored procedure can be vulnerable if you don't use command and parameters, e.g. this is still vulnerable because it's dynamically built and can be an injection target:

Conn.Execute("EXEC usp_ImOnlySafeIfYouCallMeRight '" + param1 + "', '" + param2 + "'") ;

Remember that your database needs to defend its own perimeter, and if various logins have rights to INSERT/UPDATE/DELETE in tables, any code in those applications (or compromised applications) can be a potential problem. If the logins only have rights to execute stored procedures, this forms a funnel through which you can much more easily ensure correct behavior. (Similar to OO concepts where objects are responsible for their interfaces and don't expose all their inner workings.)