  1. #1
    New Coder, Join Date Feb 2006, Posts 18, Thanks 0, Thanked 0 Times in 0 Posts

    PCI Check help please

    We recently ran a PCI check on our website to see if it was totally secure.

    In the report, it was noted that we have got 6 security holes.

    The error we are getting is:

    The following CGI script seem to be vulnerable to various SQL injection techniques.

    This error was being shown for a value from a html form called 'what', which would always have a value of '1'.

    In order to try and solve the problem, I have changed the value of what from '1' to Clng(1), which I believe should only allow numbers, therefore not allowing SQL injection to be done; however, the problem is still arising.

    I wondered if anyone could help with this.

    Thanks

  • #2
    Senior Coder tomws, Join Date Nov 2007, Location Arkansas, Posts 2,644, Thanks 29, Thanked 330 Times in 326 Posts
    You haven't provided any code or even mentioned what language it's written in.
    Are you a Help Vampire?

  • #3
    New Coder, Join Date Feb 2006, Posts 18, Thanks 0, Thanked 0 Times in 0 Posts
    Code:
      response.write("<tr><td colspan='2'><input type='hidden' name='what' value='"&Server.HTMLEncode(Clng(1))&"'>" &vbcrlf)
    It is that 'what' value that is causing the problem when it is submitted, as it says it can insert SQL injection, but I don't know how it can.

    The page is coded in ASP.

  • #4
    New Coder, Join Date Feb 2010, Posts 29, Thanks 0, Thanked 3 Times in 3 Posts
    The question is, what does the receiving form do with the "what" parameter? What is the target of <form action=???>, and what does this script do with "what"?

  • #5
    New Coder, Join Date Feb 2006, Posts 18, Thanks 0, Thanked 0 Times in 0 Posts
    Quote Originally Posted by ffmast:
      The question is, what does the receiving form do with the "what" parameter? What is the target of <form action=???>, and what does this script do with "what"?
    The form action is the same page that the form is currently on. It loads that page, and if the parameter "what" = 1 then it will run our form validation.

    The default value is 1, so it will always load the page and do form validation when the form is submitted.

  • #6
    New Coder, Join Date Feb 2010, Posts 29, Thanks 0, Thanked 3 Times in 3 Posts
    I think the "what" is pretty safe then.
    It is only an internal state machine, as long as you don't send it into SQL query, it can't be an injection.
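    The thread's detail worth making concrete is where the coercion has to live. The Clng(1) in post #3 runs when the hidden field is rendered, so it has no effect on what the browser, or a PCI scanner, posts back in "what"; the receiving page (post #5 says it is the same page) sees whatever string was submitted. The classic ASP fragment below is an added example, not code from the thread or from the poster's site. It validates Request.Form("what") on the way in, falls back to a harmless default when the value is not a plain integer, and shows the typed-parameter form to use if the value is ever passed to a query. The names SafeWhat, ValidateForm, LookupByWhat and the table states are assumptions for illustration.

```vbscript
<%
Option Explicit

' Added example (not from the thread). Handles the hidden "what" field on
' the page that RECEIVES the POST. The original code coerces the value when
' it is rendered; that does not constrain what comes back in the request,
' so the check has to run here, on the submitted string.

' Returns the submitted "what" as a Long, or -1 when it is missing, empty,
' too long, or contains anything other than decimal digits.
' IsNumeric is deliberately not used: it also accepts forms such as
' "1e3", "&H1F" and " 1 ", which are not what this field should carry.
Function SafeWhat(raw)
    Dim s, i
    s = Trim("" & raw)          ' "" & raw turns Null/Empty into a string
    SafeWhat = -1
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function   ' 9 digits always fits a Long
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    SafeWhat = CLng(s)
End Function

' If the value is ever used in a query, bind it as a typed parameter
' instead of concatenating it into the SQL text.
' 3 = adInteger, 1 = adParamInput (constants from adovbs.inc).
Sub LookupByWhat(conn, whatValue)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT id FROM states WHERE what = ?"
    cmd.Parameters.Append cmd.CreateParameter("what", 3, 1, , whatValue)
    Set rs = cmd.Execute
    ' ... consume rs here ...
    rs.Close
End Sub

Dim what
what = SafeWhat(Request.Form("what"))

If what = 1 Then
    ' The one state the page expects: run the form validation.
    ' ValidateForm is assumed; it stands for the poster's own routine.
    Call ValidateForm()
End If
' Any other value (including -1 for a rejected string) is ignored and
' never reaches a query, so an altered "what" has nothing to inject into.
%>
```

    With this in place a scanner that resubmits "what" as, for example, a quoted string gets the same page as a missing field, which is the behaviour post #6 describes: the value is an internal state flag and never touches SQL. If the site does need the number in a query, LookupByWhat shows the parameterised form; the string-concatenated alternative is the pattern PCI scanners are probing for.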