emacs grep, classic asp, and sql injection

I’ve been toying around with this project in classic asp for someone on rentacoder
unfortunately as asp code goes this is the standard issude with sql strings being concatenated from user input and then directly ran be sql.

hence the site is incessantly hacked to death as there hundreds of entry points for a hacker.

my first solution was to recreate the sql strings as stored procedures, but when i counted the numbers of sql calls i could see it was well beyond my time frame.

instead the idea would be to keep sql string but implement parameters for the command object.

an example of this is here.

http://kb.adobe.com/selfservice/viewContent.do?externalId=57ae79b2

so how did i find all those instances of flaky sql?

basically with emacs, i did a Meta-X and typed grep RETURN

then for the grep command i used:

<pre>grep -nH -e db_connection_include_code * */* */*/*</pre>

what this does is search all the files in the current directory level (*), and any file within any directory (*/*), and a third time for good measure (*/*/*)

that then gave me 450+ files to amend, ouch. I think this would need a script to process all those changes.

Maybe this website needs a rewrite as the work is quite heavy.

Up to now the solution is to fix this request checked so that it doesn’t show false negatives.

then sql parameter should be used as per this post.

http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

Comments are closed.