dobberteen (6/18/2008)
We've been getting hammered by the version of the attack that inserts the JavaScript mentioned above, thanks to a complete lack of input validation and total reliance on the:
rs.Source = "SELECT * FROM Orders WHERE OrderID = '" & Request.QueryString("OrderID") & "'"
style of coding.
Our solution, though very weak IMO, has been to issue:
DENY SELECT ON syscolumns TO [username]
DENY SELECT ON sysobjects TO [username]
Dobberteen, there are two solutions. First (best) is using a parameter.
rs.Source = "SELECT * FROM Orders WHERE OrderID = @OrderID"
The problem is that using a parameter in old .asp ADO VB code is a bit of a pain.
The second (quickest) solutions are: if your OrderID is an int, just use something like
rs.Source = "SELECT * FROM Orders WHERE OrderID = '" & CInt(Request.QueryString("OrderID")) & "'"
If your IDs are strings, use something like
rs.Source = "SELECT * FROM Orders WHERE OrderID = '" & Left(Request.QueryString("OrderID"), myFieldLength) & "'"
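The parameterized version the reply recommends, written out as a complete classic ASP page with the ADO Command object. This is an added example, not code from either poster: it assumes a connection string stored in Application("ConnString") and an integer OrderID column, and it redefines the handful of ADO constants that normally come from adovbs.inc so the page stands on its own. It also rejects the query-string value before it reaches the database (a stricter check than CInt, which accepts things like "1e3") and HTML-encodes the output, since the thread's attack stores JavaScript for later display.

```vbscript
<%
' Added example (not from the thread): parameterized SELECT in classic ASP via ADO.
' These constants are normally pulled in from adovbs.inc; defined here so the page is self-contained.
Const adCmdText    = 1
Const adInteger    = 3
Const adParamInput = 1
Const adVarChar    = 200

Dim conn, cmd, rs, re, rawId, orderId

rawId = Request.QueryString("OrderID")

' Validate before touching the database: only 1-9 decimal digits are accepted.
' IsNumeric/CInt would also pass "1e3", "&H10" or " 5 ", so a regular expression is tighter.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid OrderID"
    Response.End
End If
orderId = CLng(rawId)

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumption: connection string kept in Application scope

' The value travels as a typed parameter, never as part of the SQL text,
' so quotes or comment sequences in the input cannot change the statement.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn       ' Set: pass the open connection object, not its string
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT OrderID, CustomerID, OrderDate FROM Orders WHERE OrderID = ?"
cmd.Parameters.Append cmd.CreateParameter("@OrderID", adInteger, adParamInput, , orderId)

' For a string key, the equivalent line would declare the column's real length instead:
' cmd.Parameters.Append cmd.CreateParameter("@OrderID", adVarChar, adParamInput, 20, rawId)

Set rs = cmd.Execute

' Encode on output: anything stored by an earlier injection is rendered as text, not run as script.
Do While Not rs.EOF
    Response.Write Server.HTMLEncode(rs("OrderID")) & " - " & _
                   Server.HTMLEncode(rs("CustomerID")) & " - " & _
                   Server.HTMLEncode(rs("OrderDate")) & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

The DENY on syscolumns/sysobjects from the first post still has a place as a second layer, but it only hides schema metadata; the Command object above is what removes the concatenation the attack relies on, and the regular expression gives the same "must be an int" guarantee the CInt variant aims for without the looser conversions VBScript allows.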