Clarification on IIS reported sql-injection exploits

4 thoughts on “Clarification on IIS reported sql-injection exploits”

1. Thanks Steve! This is really useful information. I was beginning to get worried that this massive SQL Injection attack was not a wake up call for developers because I was not finding much discussion about it in the blogs and nobody was providing any resources or tips.

   LikeLike

   Reply

2. My pleasure. The sql injection is bad coding and Classic ASP was a quick and dirty way of coding. MS has posted some sample error coding people should look at.

   LikeLike

   Reply

3. This worked great for me to help figure out the sql injection attack that I have been getting everyday now for a week. I fixed it by making sure there was no “;” or “cast” inside of the variable that is passed in. But is there a way to universally protect again this form of attack, without me having to change hundreds of SQL statements?

   LikeLike

   Reply

4. Hi Cnaught,

   I’m glad this was helpful. About changing hundreds of sql statements. The best advice I can offer is have your sql statements and parameters in code check for bad statements before being submitted to your database. If you are still unsure, I would check on http://aspadvice.com/lists about techniques to prevent this, I’m not a seasoned enough coder to have to change an application being exploited like this.

   Good luck,
   Steve

   LikeLike

   Reply

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out /  Change )

You are commenting using your Twitter account. ( Log Out /  Change )

You are commenting using your Facebook account. ( Log Out /  Change )

Cancel

Connecting to %s

Notify me of new comments via email.

Notify me of new posts via email.

Δ