Is this SQL injection? And, if so, is it a problem?

         

dickbaker

3:55 pm on Nov 7, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



On my site some of my advertisers are also my competitors to some extent. While researching backlinks to one of my competitors on Yahoo, I found a link from my site with additional variables in the URL.

Normally the URL would be http://www.example.com/advertiserbytown.asp?ID=123 or http://www.example.com/somestateresults.asp?area=somewhere&ID=123. The URL I found was http://www.example.com/advertiserbytown.asp?ID=123&h=189&w=250&sz=18&hl=en&start=3

I can't find the site that has that extended link.

My question is: does this constitute SQL injection, and should I be concerned?

eelixduppy

4:39 pm on Nov 7, 2008 (gmt 0)



>> does this constitute SQL injection

Not really. It seems that these are coming from somewhere else, not sure from where, though. It doesn't appear to be malicious, though.

aspdaddy

2:10 pm on Nov 8, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>hl=en&start=3

Looks like a Google cache

SteveWh

2:07 pm on Nov 9, 2008 (gmt 0)

10+ Year Member



That's not SQL injection. However, since you are using ASP, it would be a good idea to study up on what SQL injection is. An SQL injection attack called "Asprox" has hit many ASP sites.

In your code, your page expects a numeric value for ID, as in ...?ID=123. Be sure to code your page so it checks to make sure the incoming value of ID IS numeric. If it's not numeric, do nothing, or send an error page, but do not use the invalid value to construct a database query.
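
Added example, not part of SteveWh's post or the original thread: one way to do the numeric check described above in classic ASP (VBScript). It goes one step further than the post by also binding the value as a query parameter instead of concatenating it into the SQL string. The `Advertisers` table, its `Name` column and the `Application("ConnString")` setting are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' True only for 1 to 9 ASCII digits. IsNumeric() is deliberately not used:
' it also accepts values such as "1e5", "&H1F" and "$1,000".
' Nine digits always fit in a VBScript Long, so CLng() below cannot overflow.
Function IsPositiveInteger(ByVal s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsPositiveInteger = re.Test(s)
End Function

Dim rawId, conn, cmd, rs

' & "" forces a string, so a missing ID becomes "" and fails the check.
' A repeated parameter (?ID=1&ID=2) arrives as "1, 2" and also fails.
rawId = Request.QueryString("ID") & ""

If Not IsPositiveInteger(rawId) Then
    ' Invalid value: send an error page and never build a query from it.
    Response.Status = "400 Bad Request"
    Response.Write "Invalid request."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")      ' assumed connection string setting

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                      ' adCmdText
' Hypothetical table and column names.
cmd.CommandText = "SELECT Name FROM Advertisers WHERE ID = ?"
' 3 = adInteger, 1 = adParamInput. The value is bound, not concatenated.
cmd.Parameters.Append cmd.CreateParameter("@ID", 3, 1, , CLng(rawId))

Set rs = cmd.Execute
If Not rs.EOF Then
    ' Encode on output so stored data cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs("Name") & "")
End If

rs.Close
conn.Close
%>
```

Unrelated extra parameters such as the `h`, `w`, `sz`, `hl` and `start` values in the URL from the first post are never read by this page, so they have no effect on the query.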