SQL Server Tips by Burleson
Web application script injection
If the input of a web application is displayed directly on the
screen, it is possible to add code to that input and have it executed.
Example: a web application that gets a user name and displays a
welcome message with that name.
The ASP and PHP versions are named “welcome.asp” and “welcome.php”,
respectively.
welcome.asp
<html>
<head><title>Welcome!</title>
</head>
<body>
<center><h3>What is your name?</h3></center>
<br>
<form action="welcome.asp" method="post">
Name: <input type="text" name="VisitorName" size="20">
<input type="submit" value="Submit">
</form>
<br>
<%
Dim StrName
StrName = Request.Form("VisitorName") ' get input
If StrName <> "" Then
    Response.Write("Welcome " & StrName & "!") ' write name on page, unencoded
End If
%>
</body>
</html>
welcome.php
<html>
<head><title>Welcome!</title>
</head>
<body>
<center><h3>What is your name?</h3></center>
<br>
<form action="welcome.php" method="post">
Name: <input type="text" name="VisitorName" size="20">
<input type="submit" value="Submit">
</form>
<br>
<?php
if (!isset($_REQUEST['VisitorName'])) { // get input
    $StrName = '';
} else {
    $StrName = $_REQUEST['VisitorName'];
}
if ($StrName != '') {
    echo 'Welcome ' . $StrName . '!'; // write on page, unencoded
}
?>
</body>
</html>
The following code will be executed when submitted as the name:
<SCRIPT>alert(document.cookie);</SCRIPT>
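For comparison, a hardened version of welcome.php that HTML-encodes the name before writing it, so the string above is displayed as text instead of being executed. This is an added example, not code from the book; the file name welcome_safe.php and the helpers html_encode() and render_welcome() are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example (not from the book): welcome.php with output encoding.
// Assumed to be saved as welcome_safe.php (hypothetical name).

// Encode for an HTML text or attribute context: <, >, &, " and ' become
// entities, and invalid UTF-8 is replaced rather than passed through.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the greeting. Returns '' when no usable name was submitted.
function render_welcome($rawName): string
{
    // A field sent as VisitorName[]=x arrives as an array; treat it as no input.
    if (!is_string($rawName)) {
        return '';
    }
    $name = trim($rawName);
    if ($name === '') {
        return '';
    }
    return 'Welcome ' . html_encode($name) . '!';
}

if (PHP_SAPI === 'cli') {
    // Constructed input: the script string from the text above.
    echo render_welcome('<SCRIPT>alert(document.cookie);</SCRIPT>'), PHP_EOL;
    exit;
}

// Declare the charset so the browser decodes the page the way it was encoded.
header('Content-Type: text/html; charset=UTF-8');
?>
<html>
<head><title>Welcome!</title></head>
<body>
<center><h3>What is your name?</h3></center>
<form action="welcome_safe.php" method="post">
Name: <input type="text" name="VisitorName" size="20">
<input type="submit" value="Submit">
</form>
<br>
<?php echo render_welcome($_POST['VisitorName'] ?? null); // form uses POST ?>
</body>
</html>
```

In welcome.asp the equivalent change is to wrap the value in Server.HTMLEncode(StrName) inside the Response.Write call.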
The above book excerpt is from:
Super SQL Server Systems
Turbocharge Database Performance with C++ External Procedures
ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter
http://www.rampant-books.com/book_2005_2_sql_server_external_procedures.htm