SQL Injection security?

Discussion in 'Server Security' started by JVRudnick, Apr 2, 2010.

  1. JVRudnick

    JVRudnick Guest

    Hello all...
    sorry if this is the 'wrong' forum....pls point me to the right one if this
    is out of line here....

    my small highschool community site has an SQL injection vulnerability. it is
    written in VBScript and ASP...and uses a MySQL dbase too. the site was
    hacked by someone using this vulnerability and I'm trying to learn how to fix
    same...

    I found Scrawlr from HP, and a testing of same has found that one page only
    - showmessage.asp has a Parameter of "bid" and Info says it's "confirmed
    verbose".

    My problem is that even after quite a google for same, I can not find out
    what that means -- nor how to fix it either.

    Can someone point me to the way to learn what to do?

    Jim
     
    JVRudnick, Apr 2, 2010
    #1

  2. JVRudnick

    Wilson, Phil Guest

    Wilson, Phil, Apr 2, 2010
    #2

  3. JVRudnick

    JVRudnick Guest

    Hmm...
    first of all, thanks Phil for those links...and I'm busy reading same...but
    so far, this has posed a new question on sql injections....which is as
    follows.

    this site has an Admin area, with a login page for same using a
    name/password combination, that ONLY I have (least far as I know)

    IMHO, it was here that the hacker gained access, via the sql injection. so
    as a "temporary" fix, I've taken down off the server the whole Admin area --
    and will upload first via FTP before logging in myownself, to do any Admin
    tasks (thank god there are so very few, like 2 a month).

    that will I monitor in the near future to see what happens...

    but that also poses this question. as this is the ONLY place that a hacker
    could gain access to change in the dbase ALL of the forum titles themselves,
    this "proves" that this "must" be the way they got in...do I have that right?

    in other words, I can think of no other way for a hacker to gain access to
    the Admin area to make that kind of an overall change to about 9 forum titles
    (to read "this site is hacked" ....sigh)....

    can you comment on that? am I correct here?

    -- and now back to try to learn how to prevent an sql injection with a login
    asp page....sigh...

    :)

    Jim
     
    JVRudnick, Apr 6, 2010
    #3
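    An added example, not code from this thread or from Jim's site, of the pattern that makes a page parameter like showmessage.asp's "bid" injectable, beside the ADODB.Command form that closes the hole for both that page and an admin login check. Table and column names, the connection string and the ODBC driver name are assumptions.

    ```vbscript
    <%
    Option Explicit
    ' Added example, not code from the thread or from Jim's site.
    ' Table and column names, the connection string and the ODBC driver name
    ' are assumptions; adjust to the real schema and installed driver.
    Const adInteger = 3, adVarChar = 200, adParamInput = 1   ' ADO constants

    Dim conn
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Driver={MySQL ODBC 5.1 Driver};Server=localhost;" & _
              "Database=PLACEHOLDER_DB;Uid=PLACEHOLDER_USER;Pwd=PLACEHOLDER_PWD;"

    ' VULNERABLE: the request value is pasted into the SQL text, so anything
    ' sent in ?bid=... is parsed as part of the statement. A scanner reporting
    ' the parameter as "confirmed" means it was able to alter the query this way.
    Function GetMessageVulnerable(bid)
        Set GetMessageVulnerable = conn.Execute( _
            "SELECT title, body FROM messages WHERE bid = " & bid)
    End Function

    ' FIXED: validate the type, then bind the value as a typed parameter.
    ' The database receives the SQL and the value separately; the value can
    ' never change the statement's structure.
    Function GetMessageSafe(bid)
        Set GetMessageSafe = Nothing
        If Not IsNumeric(bid) Then Exit Function      ' reject non-numeric ids
        Dim cmd
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = conn
        cmd.CommandText = "SELECT title, body FROM messages WHERE bid = ?"
        cmd.Parameters.Append cmd.CreateParameter( _
            "bid", adInteger, adParamInput, , CLng(bid))
        Set GetMessageSafe = cmd.Execute
    End Function

    ' Same fix for an admin login: bind both fields instead of concatenating.
    ' Returns True when a matching row exists. The stored value should be a
    ' password hash computed elsewhere, not the plain password.
    Function AdminLoginSafe(username, pwhash)
        Dim cmd, rs
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = conn
        cmd.CommandText = "SELECT id FROM admins WHERE username = ? AND pwhash = ?"
        cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 64, username)
        cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, 128, pwhash)
        Set rs = cmd.Execute
        AdminLoginSafe = Not rs.EOF
    End Function
    %>
    ```

    Every place the site builds SQL with `&` from a Request value needs the same treatment; removing the admin pages only hides the login form, it does not fix showmessage.asp.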
  4. JVRudnick

    Wilson, Phil Guest

    Wilson, Phil, Apr 6, 2010
    #4
