WhiteSites Blog

protecting against SQL injection attacks using querystring

Posted on Aug 15, 2008 by Paul White

If you run any kind of database driven website, always make sure you sanitize your variables. Otherwise the bots will get you. One of my buddies recently got his site hacked this way. I have also noticed an increase in attacks using this same technique.

They are trying to slip SQL code into the querystring, like so:

CAST(0x44454...whole bunch of HEX characters.....6F72+AS+CHAR(4000))%3bExEC(%40S)%3b

Of course, if you already have some code that checks for such attacks and immediately blacklists the offender, then you have no worries.
Otherwise you might want to add some code to your global.asax, or even write an HTTP module that checks your requests before they are processed.

A few simple things to check for that should catch most attacks:
Instances of ' in the querystring
Instances of declare in the querystring
Instances of -- in the querystring
Instances of cast( in the querystring
Instances of exec( in the querystring
Instances of ; in the querystring

Take the querystring and convert it to lowercase.
Then search it for each of these.
If you find one, block the request and blacklist the IP.

Since developers normally pass database IDs as an Int or BigInt, you can always just check that every value passed in your querystring is numeric. But in recent years it has become popular to use URL rewriting to get more SEO out of a website, and then the numeric-only rule won't work. In that case you might want to check your querystring against a list of valid characters (0-9, A-Z); if a character is not in the list, block the request.
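Here is the check described above written out as framework-independent Python, an added example rather than code from this post; the same logic ports to a global.asax handler or HTTP module. It URL-decodes the querystring before lowercasing and searching, because the encoded form (%3b for ;, %27 for ', and double-encoded variants) would otherwise slip past the markers. The sample querystrings and the hex payload are constructed for the example, and the extra whitelist characters (= & _ -) are an assumption so that a rewritten URL can still be a querystring.

```python
from urllib.parse import unquote_plus, parse_qsl

# Markers from the post, matched on the decoded, lowercased querystring.
BLACKLIST_MARKERS = ("'", "declare", "--", "cast(", "exec(", ";")

# Post's 0-9 A-Z plus the separators a querystring needs (assumption).
WHITELIST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789=&_-")

# Constructed samples: the hex is filler, not a real payload.
ATTACK_QS = ("id=12%3bDECLARE%20%40S%20VARCHAR(4000)%3bSET%20%40S%3d"
             "CAST(0x48454c4c4f+AS+CHAR(4000))%3bExEC(%40S)%3b")
BENIGN_QS = "id=42&page=3"
REWRITTEN_QS = "slug=my-article-2008"


def decode_querystring(raw_qs: str) -> str:
    """URL-decode until stable (unwraps double encoding), then lowercase."""
    decoded = raw_qs
    for _ in range(3):
        step = unquote_plus(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.lower()


def find_blacklist_markers(raw_qs: str) -> list:
    """Return every blacklisted token present in the decoded querystring."""
    qs = decode_querystring(raw_qs)
    return [m for m in BLACKLIST_MARKERS if m in qs]


def all_values_numeric(raw_qs: str) -> bool:
    """Numeric-ID rule: every value must be a plain ASCII integer."""
    pairs = parse_qsl(raw_qs, keep_blank_values=True)
    return all(v.isascii() and v.isdigit() for _, v in pairs)


def all_chars_whitelisted(raw_qs: str) -> bool:
    """Rewritten-URL rule: every decoded character must be on the whitelist."""
    return all(c in WHITELIST_CHARS for c in decode_querystring(raw_qs))


def should_block(raw_qs: str, numeric_ids_only: bool) -> bool:
    """Blacklist first; then the numeric rule or the character whitelist."""
    if find_blacklist_markers(raw_qs):
        return True
    if numeric_ids_only:
        return not all_values_numeric(raw_qs)
    return not all_chars_whitelisted(raw_qs)
```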

Just for reference, here is the list of IPs that have attempted to use this technique on one of my websites.

List Updated 8/23/2008

They now enjoy a little kick over to google whenever they visit my website
