emacs grep, classic asp, and sql injection

I’ve been toying around with this project in classic ASP for someone on rentacoder.
Unfortunately, as ASP code goes, this has the standard issue of SQL strings being concatenated from user input and then run directly by SQL.

Hence the site is incessantly hacked to death, as there are hundreds of entry points for a hacker.

My first solution was to recreate the SQL strings as stored procedures, but when I counted the number of SQL calls I could see it was well beyond my time frame.

Instead, the idea would be to keep the SQL string but implement parameters for the command object.

An example of this is here.
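As an added example (not the author's own code, nor the one linked above), here is the concatenated query the post describes beside the same lookup rewritten with ADODB.Command parameters; the "jobs" table, its columns and Application("ConnString") are assumptions:

```vbscript
<%
Option Explicit
' Added example, not the post's own code: the concatenated query the post describes,
' beside the same query rewritten with ADODB.Command parameters. Assumed: a "jobs"
' table with integer "id" and text "title", connection string in Application("ConnString").
Const adCmdText = 1, adInteger = 3, adVarChar = 200, adParamInput = 1
Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

' BEFORE: user input is spliced into the SQL text, so the input can rewrite the statement.
Function VulnerableLookup(rawId)
    Set VulnerableLookup = conn.Execute("SELECT title FROM jobs WHERE id = " & rawId)
End Function

' AFTER: the SQL text is constant; the value travels as a typed parameter and is never
' parsed as SQL. Non-numeric input is rejected first, since CLng() on junk would raise.
Function SafeLookup(rawId)
    If Not IsNumeric(rawId) Then
        Set SafeLookup = Nothing
        Exit Function
    End If
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT title FROM jobs WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, 4, CLng(rawId))
    Set SafeLookup = cmd.Execute
End Function

' Same pattern for a text column: adVarChar needs a size, and LIKE wildcards go in the value.
Function SearchByTitle(term)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT id, title FROM jobs WHERE title LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("@t", adVarChar, adParamInput, 255, "%" & term & "%")
    Set SearchByTitle = cmd.Execute
End Function

Set rs = SafeLookup(Request.QueryString("id"))
If rs Is Nothing Then
    Response.Status = "400 Bad Request"
ElseIf Not rs.EOF Then
    Response.Write Server.HTMLEncode(rs("title"))
End If
conn.Close
%>
```

The `?` placeholders are positional, so parameters must be appended in the order they appear in the statement.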


So how did I find all those instances of flaky SQL?

Basically, with Emacs, I pressed Meta-X and typed grep RETURN.

Then for the grep command I used:

    grep -nH -e db_connection_include_code * */* */*/*

What this does is search all the files in the current directory level (*), any file within any subdirectory (*/*), and a third level down for good measure (*/*/*).

That then gave me 450+ files to amend, ouch. I think this would need a script to process all those changes.

Maybe this website needs a rewrite as the work is quite heavy.

Up to now the solution is to fix this request check so that it doesn’t show false negatives.

Then SQL parameters should be used, as per this post.


Finally My work is here to see

Back in September I was hired by JobsGroup.net to help out with the web design (yes, Photoshop) and some backend coding of their new jobs portal system. Finally, after some backend problems and two months later, the fruits of my labour are there for all to see.

I’m a little perplexed, though, that some of the bugs I had noticed on the last day of my contract are still there two months on, but in general I am quite proud of my work.

Most notably what I am quite proud of in the backend would be finding out how to use RaiseBubbleEvent, delegates, and asp.net events.

I have since made leaps and bounds with services and AJAX; my preference is jQuery, and sometimes little “homebrew” mashups work a treat to expand one’s knowledge.

Now back to the site: you will see things such as the jobsbasket, mysavedsearch and vacancyview screens, and the mailme and mail-a-friend popups. I have contributed to those; not entirely sure whether they are still mine, but they were in good condition when I left them :)

What I am most happy about is being able to say that I have had full development lifecycle experience.

And what I am not too happy about is the current economic climate, which made my stay last only the duration of my contract. JobsGroup.net is a great company to work with/for/etc.