Wednesday, April 29, 2009

Security Vulnerability

Can you see the security vulnerability in the following snippet of code?

    string returnValue = String.Empty;
    string sql =
        "select description from products where prodID = '"
        + Request.Params["pid"] + "';";
    SqlCommand sqlcmd = new SqlCommand(sql);
    sqlcmd.Connection = sqlConn;
    SqlDataReader sdr = cmd.ExecuteReader();
    if (sdr.Read())
    {
        returnValue = (string)sdr[0];
    }
    sdr.Close();
    return returnValue;

5 comments:

  1. I'd shoot anyone who deployed code like that!

    ReplyDelete
  2. I would stand still while being shot if I produced code like that...

    ReplyDelete
  3. Someone is obviously unfamiliar with the using operator.
    Assuming your question wasn't rhetorical, yes. It's a textbook example of a SQL injection vulnerability.

    ReplyDelete
  4. friendster graphicsMay 7, 2009 at 12:07 AM

    0h i feel lucky can find this good article..
    now i find something that i want to know, thank you..

    ReplyDelete
  5. i would send a request with pid :
    nothing' union select 'dead man' as description; DROP TABLE products; --

    ReplyDelete