How can SQL injection attacks compromise ADODB Connections?

  • Jerry Winston
    Recognized Expert New Member
    • Jun 2008
    • 145

    How can SQL injection attacks compromise ADODB Connections?

    We all know SQL injection attacks can easily break SQL command strings concatenated with unsanitized user input fields:

    Code:
    Set commandObj = Server.CreateObject("ADODB.Connection")
    Set rs = Server.CreateObject("ADODB.Recordset")

    commandObj.ConnectionString = myGenericConnectionString
    commandObj.Open

    ' Vulnerable on purpose: the form values are spliced straight into the SQL text
    sqlCMD = "INSERT INTO myTable (item,cost) VALUES ('" & request.Form.Item("txtMyHTML_Field1") & "', " & request.Form.Item("txtMyHTML_Field2") & ");"

    Set rs = commandObj.Execute(sqlCMD)
    But I want to know: is it possible to use an SQL injection attack against a statement like this?

    Code:
    Set commandObj = Server.CreateObject("ADODB.Connection")
    Set rs = Server.CreateObject("ADODB.Recordset")

    commandObj.ConnectionString = myGenericConnectionString
    commandObj.Open

    ' 2, 2 = adOpenDynamic, adLockPessimistic: the table is opened as an updatable cursor
    rs.Open "[myTable]", commandObj, 2, 2

    rs.AddNew
    ' The form values are assigned to typed Field objects, not concatenated into SQL text
    rs.Fields("item").Value = request.Form.Item("txtMyHTML_Field1")
    rs.Fields("cost").Value = request.Form.Item("txtMyHTML_Field2")
    rs.Update

    rs.Close
    commandObj.Close

    My theory is that the above statement is not vulnerable to injection, regardless of the input field value, because the values are stored directly in the field without using dangerous, risky string concatenation.

    Am I right?
  • DrBunchman
    Recognized Expert Contributor
    • Jan 2008
    • 979

    #2
    I don't know this for certain but because the method above is assigning values to specific data types rather than passing SQL to the database I would have thought that it would protect your db from sql injections.

    You could still validate your input against attacks to be safe though.

    Jared, got any thoughts on this?

    Dr B


    • jhardman
      Recognized Expert Specialist
      • Jan 2007
      • 3405

      #3
      Originally posted by DrBunchman
      I don't know this for certain but because the method above is assigning values to specific data types rather than passing SQL to the database I would have thought that it would protect your db from sql injections.

      You could still validate your input against attacks to be safe though.

      Jared, got any thoughts on this?

      Dr B
      This is the method I generally use, I think it's easier to keep track of what you are doing, I think it keeps the code cleaner, and I think it probably is safer. I can't think of any injection here that wouldn't just return an error.

      On the other hand, it would probably still be a good idea to sanitize a little bit. We don't want anyone slipping a "drop table" past us, right?

      Jared


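The question's two snippets contrast concatenated SQL with Recordset.AddNew, and both replies suggest validating the input anyway. As an added example that is not part of the original thread, the classic ASP / VBScript below shows the explicit alternative to the Recordset approach: an ADODB.Command whose placeholders are bound as typed parameters, plus the numeric check the replies recommend. It also shows, in a comment, what the concatenated statement from the first snippet turns into for one constructed input. The table myTable with columns item (varchar(50)) and cost (currency), the variable myGenericConnectionString, the function name InsertItemSafe, and the assumption that the provider is SQL Server OLE DB (where a `;`-separated batch is executed) are all assumptions for illustration, not taken from the original post.

```vbscript
' Added example (not from the original thread). Assumes a SQL Server table
' myTable(item varchar(50), cost money) reachable through myGenericConnectionString.
Option Explicit

' ADO constants (adovbs.inc values)
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200
Const adCurrency   = 6

' Constructed attacker input for txtMyHTML_Field2 against the concatenated
' INSERT in the first snippet. With txtMyHTML_Field1 = "pen", the SQL text becomes:
'   INSERT INTO myTable (item,cost) VALUES ('pen', 0); DROP TABLE myTable; --);
' SQL Server runs the whole batch; the trailing "--" comments out the leftover ")".
Const constructedPayload = "0); DROP TABLE myTable; --"

' Inserts one row using bound parameters. Returns True on success, False when
' the cost field does not parse as a number.
Function InsertItemSafe(conn, itemText, costText)
    Dim cmd, costValue

    ' Reject a non-numeric cost here, before the provider sees it. The constructed
    ' payload above fails this check; with parameters it could not alter the SQL anyway.
    If Not IsNumeric(costText) Then
        InsertItemSafe = False
        Exit Function
    End If
    costValue = CCur(costText)

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The "?" placeholders are filled by the provider with typed values;
    ' the submitted text never becomes part of the statement.
    cmd.CommandText = "INSERT INTO myTable (item, cost) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("item", adVarChar, adParamInput, 50, Left(itemText, 50))
    cmd.Parameters.Append cmd.CreateParameter("cost", adCurrency, adParamInput, , costValue)
    cmd.Execute

    InsertItemSafe = True
End Function

' Usage from an ASP page (assumed connection string variable from the thread):
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString = myGenericConnectionString
conn.Open

If Not InsertItemSafe(conn, request.Form.Item("txtMyHTML_Field1"), request.Form.Item("txtMyHTML_Field2")) Then
    Response.Write "cost must be a number"
End If

conn.Close
```

Recordset.AddNew / Update passes the provider typed field values rather than SQL text, which is the same property the Command version makes explicit; the IsNumeric check adds what neither API does on its own, namely rejecting a value whose type is wrong instead of letting the provider raise an error, and the Left(..., 50) keeps an oversized item from being truncated or rejected at the server.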