
PCI Check help please



ajwposh
03-12-2010, 02:46 PM
We recently ran a PCI check on our website to see if it was totally secure.

In the report, it was noted that we have got 6 security holes.

The error we are getting is:

The following CGI script seem to be vulnerable to various SQL injection techniques.

This error was being shown for a value from a html form called 'what', which would always have a value of '1'.

In order to try and solve the problem, I have changed the value of what from '1' to Clng(1), which I believe should only allow numbers, therefore not allowing SQL injection to be done; however, the problem is still arising.

I wondered if anyone could help with this.

Thanks

tomws
03-12-2010, 03:50 PM
You haven't provided any code or even mentioned what language it's written in.

ajwposh
03-12-2010, 04:09 PM
response.write("<tr><td colspan='2'><input type='hidden' name='what' value='"&Server.HTMLEncode(Clng(1))&"'>" &vbcrlf)

It is that 'what' value that is causing the problem when it is submitted, as it says it can insert SQL injection, but I don't know how it can.

The page is coded in ASP.

ffmast
03-15-2010, 08:44 AM
The question is, what does the receiving form do with "what" parameter? What is the target of <form action=???> , and what does this script do with "what"?

ajwposh
03-15-2010, 11:13 AM
The question is, what does the receiving form do with "what" parameter? What is the target of <form action=???> , and what does this script do with "what"?
The form action is the same page that the form is currently on. It loads that page, and if the parameter "what" = 1 then it will run our form validation.

The default value is 1, so it will always load the page and do form validation when the form is submitted.

ffmast
03-15-2010, 01:06 PM
I think the "what" is pretty safe then.
It is only an internal state machine, as long as you don't send it into SQL query, it can't be an injection.
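An added classic ASP example, not code from the thread, showing the server-side counterpart to the hidden field above: the Clng(1) applied while rendering the form only affects the value sent to the browser, so the copy that comes back in Request.Form("what") still has to be validated on receipt, and any value that does reach a query should be bound as a parameter rather than concatenated. The table name items, the column flag and the connection string gConnectionString are assumed for illustration.

```vbscript
<% Option Explicit
' Added example (not from the thread). Validate the INCOMING "what" field;
' the Clng(1) in the rendered form does nothing once the page reaches the client.

' Returns True and sets result when s is a plain integer literal, else False.
Function TryParseLong(s, ByRef result)
    TryParseLong = False
    result = 0
    If IsNull(s) Or Len(s) = 0 Or Len(s) > 10 Then Exit Function
    Dim i, c
    For i = 1 To Len(s)
        c = Mid(s, i, 1)
        If c < "0" Or c > "9" Then Exit Function   ' digits only; rejects "1 OR 1=1"
    Next
    On Error Resume Next
    result = CLng(s)
    If Err.Number <> 0 Then
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0
    TryParseLong = True
End Function

Dim what
If Not TryParseLong(Request.Form("what"), what) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid request."
    Response.End
End If

If what = 1 Then
    ' run the page's form validation here, as the thread describes
End If

' If a validated value ever has to reach the database, bind it as a
' parameter instead of building the SQL string with "&".
Dim gConnectionString   ' hypothetical: set from your own config
gConnectionString = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=app;Integrated Security=SSPI;"
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = gConnectionString
cmd.CommandText = "SELECT id, name FROM items WHERE flag = ?"
' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("flag", 3, 1, 4, what)
Set rs = cmd.Execute
%>
```

Scanners typically flag a parameter because an injected value changes the response, so keeping "what" out of any SQL string, as the reply above says, is what removes the finding; the parameterised query is the pattern for fields that do have to reach the database.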


