Tags: sql-server, asp-classic, sql-injection

Is this Enough to Secure against SQL Injections?


I'm trying to secure an older classic ASP web site (that has about 1,000 .asp pages) using MS SQL 2008 R2 (Express Edition).

I found some code (see below) on how to use parameterized queries, and it looks to be the easiest for me to understand and use on all of the pages that need to be changed.

If I convert all of the MS SQL queries (which will look something like the code below), will that be enough to protect against an MS SQL injection attack, or is there more that I will need to add/change?

    set objCommand = Server.CreateObject("ADODB.Command")
    ' Positional ? placeholders: the values are sent separately, never spliced into the SQL text
    strSql = "SELECT * FROM users WHERE username=? AND password=?"
    ...  ' (elided in the question) set ActiveConnection, CommandText = strSql, create the two parameters
    ' Same command object throughout (the question mixed objCommand and cmd1)
    objCommand.Parameters(0) = Request.Form("login")
    objCommand.Parameters(1) = Request.Form("password")
    ...  ' (elided in the question) Execute the command

Solution

  • It's been a while since I've seen the old ADODB command syntax, but I think you would want something like:

    ' adVarChar (200), adParamInput (1) and adCmdText (1) come from adovbs.inc
    set objCommand = Server.CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConn   ' an already-open ADODB.Connection (assumed)
    ' SQL Server OLE DB providers expect positional ? placeholders in ad hoc command text,
    ' so the parameter names below are only labels for the ADO Parameters collection
    objCommand.CommandText = "Select * From users where username=? and password=?"
    objCommand.CommandType = adCmdText
    ' Append takes the Parameter object returned by CreateParameter (not Append.CreateParameter)
    objCommand.Parameters.Append objCommand.CreateParameter("@username", adVarChar, adParamInput, 50, Request.Form("login"))
    objCommand.Parameters.Append objCommand.CreateParameter("@password", adVarChar, adParamInput, 50, Request.Form("password"))
    set rs = objCommand.Execute


    As always, don't create dynamic SQL statements without a type-safe parameter encoding; I think even old-school ADO provides this via CreateParameter.
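As an added example (not code from the question or the answer), here is the same two-parameter login query written in Python against an in-memory SQLite table, so the difference between splicing user input into the SQL text and passing it through positional `?` placeholders can be run offline. The `users` rows are constructed, and `sqlite3` stands in for SQL Server; the `?` placeholder shape is the same one ADODB.Command uses.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("o'brien", "pw")],
    )
    return conn


def login_concat(conn, username, password):
    """The pattern the question is moving away from: input spliced into SQL text.
    Any quote in the input becomes SQL syntax instead of data."""
    sql = (
        "SELECT * FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Positional ? placeholders: the driver sends the values separately from the
    statement, so the input can never change the statement's structure."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both variants on a username containing an apostrophe and report the outcome."""
    conn = make_db()
    results = {}
    results["param_ok"] = login_param(conn, "alice", "s3cret")
    results["param_quote"] = login_param(conn, "o'brien", "pw")
    try:
        login_concat(conn, "o'brien", "pw")
        results["concat_quote"] = "no error"
    except sqlite3.OperationalError:
        # The apostrophe terminated the string literal early and broke the statement:
        # the same mechanism an injection relies on, surfaced here as a syntax error.
        results["concat_quote"] = "error"
    return results


if __name__ == "__main__":
    print(demo())
```

The parameterized call returns the `o'brien` row; the concatenated one raises a syntax error because the apostrophe was parsed as SQL, which is exactly the gap injection exploits. Parameters cover value positions only: table and column names or `ORDER BY` terms cannot be passed as parameters, so any page that builds those from request data still needs a fixed allow-list in the ASP code.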