This is a follow-up to the April 17th, 2008 post which dealt with a client's legacy web site being hacked with a SQL injection attack.
I was relating the story to another web developer (we'll call him Fred), and he mentioned that he also works with legacy sites that use SQL, but they use stored procedures. Because the old ASP sites used stored procedures, not all of the code checks user input data.
Right away my antenna was raised. "Do you use parameters with your procedures?" I asked. "Or do you just create a string with the procedure name and the parameters in single quotes?" Ex: "sp_getUserInfo 'ablevy' " All of a sudden I saw a look of doubt on Fred's face.
To make a long story short - I heard from him the other day and he had checked his client's site. Sure enough, there were some web pages that called stored procedures that way, and his site could suffer from a SQL injection attack. Luckily the site was never attacked and the code has been updated.
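Here is what the fix looks like in classic ASP, as an added example (not Fred's code or anything from the original site): the string-built call from the conversation next to the same call made through ADODB.Command with a typed parameter. It assumes an open ADODB.Connection named conn, and the parameter name @username, its length of 50 and the column name UserName are assumptions to be matched against the real procedure.

```vbscript
<%
' Pattern from the post (do not use): procedure name and user-supplied value are
' glued into one string, so a single quote in userName changes the command text
' that reaches SQL Server.
Dim userName
userName = Request.QueryString("user")
' conn is assumed to be an open ADODB.Connection created elsewhere on the page.
' Set rs = conn.Execute("sp_getUserInfo '" & userName & "'")

' Fixed version: the value travels to SQL Server as a parameter, separate from
' the command text, so it is never parsed as T-SQL.
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1

Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn      ' Set is required; without it ADO opens a new connection
cmd.CommandText = "sp_getUserInfo"
cmd.CommandType = adCmdStoredProc
' Parameter name and size are assumptions; match them to the procedure's definition.
cmd.Parameters.Append cmd.CreateParameter("@username", adVarChar, adParamInput, 50, userName)

Set rs = cmd.Execute
Do Until rs.EOF
    ' UserName is an assumed column name; encode output before writing it to the page.
    Response.Write Server.HTMLEncode(rs("UserName")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The parameter form also stops a legitimate value such as O'Brien from breaking the call, which is a quick way to confirm a page has been converted.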