SQL Injection
SSRS 2008 R2
I am trying to prevent reports I write from being vulnerable to SQL injection attacks. To that end I wrote a very simple report and attempted to attack it.
My Query:
select 'Test' as Test
where
1 = 2
and 'test' = @test
I have a table that displays the column test on my report.
From my understanding, if I set @test = '' or 1=1 then I should get back a record. However, it always comes back blank. What am I doing wrong?
August 15th, 2012 1:47pm
First, SQL generally uses single quotes as the string delimiter.
Second, I do think parameters are safe from SQL injection if you use them directly in a query with @paramName. (Not 100% sure)
You will be vulnerable if you generate dynamic SQL in a stored procedure using the value of a param directly.
Like in that case, if you have a stored procedure doing something like
SET @sql = ' Select * from Table where name = ''' + @param + ''' '
If param contains single quotes, it will make your query have a syntax error. If you add some SQL after the ', it will be executed if you don't make any syntax errors.
Edit:
And to stop the vulnerability in dynamic SQL, you must replace all single quotes in your parameters with two single quotes.
August 15th, 2012 2:15pm
Thanks Alex,
I actually had two single quotes in my example not a double quote.
Are you saying that to the best of your knowledge the query I provided is safe from an attack?
August 15th, 2012 2:22pm
I think so. But you could change your query to make sure it is not interpreted as
select 'Test' as Test
where
1 = 2
and ('test' = '' or 1=1)
You could write it like
select 'Test' as Test
where
'test' = @test
Which would be interpreted as
select 'Test' as Test
where
'test' = '' or 1=1
if it is vulnerable to SQL injection!
August 15th, 2012 2:32pm
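The following T-SQL is an added example written for this thread, not code posted by either participant. It puts the poster's parameterized query next to the concatenated dynamic SQL Alex warns about, and then shows the two mitigations he describes (passing the value as a real parameter, and doubling the single quotes when concatenation cannot be avoided). It assumes SQL Server 2008 R2 or later; the @test value is a constructed input matching what the poster tried, and the variable names are made up.

```sql
-- Added example (not from the thread). Assumes SQL Server 2008 R2+.
-- Constructed input: the value the original poster supplied to @test.
DECLARE @test nvarchar(200) = N''' or 1=1';

-- 1. Parameter used directly in the query, as in the report.
--    The whole string is compared as data, so no row comes back.
SELECT 'Test' AS Test
WHERE 1 = 2
  AND 'test' = @test;

-- 2. Dynamic SQL built by string concatenation (the unsafe pattern).
--    The quote inside @test closes the literal early, so the text after it
--    becomes part of the WHERE clause instead of part of the value.
DECLARE @sql nvarchar(max);
SET @sql = N'SELECT ''Test'' AS Test WHERE 1 = 2 AND ''test'' = '''
         + @test + N'''';
PRINT @sql;  -- shows the broken statement; it is not executed here

-- 3. Mitigation A: keep the statement dynamic but bind the value through
--    sp_executesql. @p is a parameter marker, so the value stays data.
EXEC sp_executesql
    N'SELECT ''Test'' AS Test WHERE 1 = 2 AND ''test'' = @p',
    N'@p nvarchar(200)',
    @p = @test;  -- no rows, same as query 1

-- 4. Mitigation B (what Alex describes): if you must concatenate, double
--    every single quote so it can never terminate the literal.
SET @sql = N'SELECT ''Test'' AS Test WHERE 1 = 2 AND ''test'' = '''
         + REPLACE(@test, N'''', N'''''') + N'''';
PRINT @sql;
EXEC (@sql);  -- no rows; the injected text is just part of the compared string
```

Query 1 is why the poster's report always comes back blank: the comparison is between the literal 'test' and the entire string ' or 1=1, which never match. Only query 2 turns the parameter into syntax, which is the case that needs either sp_executesql (preferred) or quote doubling. QUOTENAME(@test, '''') is a shorter way to get the same doubling as REPLACE.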