PDA

View Full Version : PCI Check help please



ajwposh
03-12-2010, 01:46 PM
We recently ran a PCI check on our website to see if it was totally secure.

In the report, it was noted that we have got 6 security holes.

The error we are getting is:

The following CGI script seem to be vulnerable to various SQL injection techniques.

This error was being shown for a value from a html form called 'what', which would always have a value of '1'.

In order to try and solve the problem, i have changed the value of what from '1' to Clng(1) which i believe should only allow numbers, therefore not allowing SQL injection to be done, however the problem is still arising.

I wondered if anyone could help with this.

Thanks

tomws
03-12-2010, 02:50 PM
You haven't provided any code or even mentioned what language it's written in.

ajwposh
03-12-2010, 03:09 PM
response.write("<tr><td colspan='2'><input type='hidden' name='what' value='"&Server.HTMLEncode(Clng(1))&"'>" &vbcrlf)

It is that 'what' value that is causing the problem when it is submitted as it says it can insert sql injection but I dont know how it can.

The page is coded in asp.

ffmast
03-15-2010, 07:44 AM
The question is, what does the receiving form do with "what" parameter? What is the target of <form action=???> , and what does this script do with "what"?

ajwposh
03-15-2010, 10:13 AM
The question is, what does the receiving form do with "what" parameter? What is the target of <form action=???> , and what does this script do with "what"?
The form action is the same page that the form is currently on. It loads that page, and if the parameter "what" = 1 then it will run our form validation.

The default value is 1, so it will always load the page and do form validation when the form is submitted

ffmast
03-15-2010, 12:06 PM
I think the "what" is pretty safe then.
It is only an internal state machine, as long as you don't send it into SQL query, it can't be an injection.