  • Hello, an external audit was conducted on our web applications and certain pages were identified as having SQL injection vulnerabilities.  I ran the Source Code Analyzer tool to find the specific lines of code containing the security weakness, but the analyzer does not raise any warnings.  I have pasted some example code below (simplified for illustrative purposes).  Is this code not vulnerable to a SQL injection attack?



    Sub ProduceReport()

        Dim intRowCount
        intRowCount = 0

        ' Untrusted input: taken straight from the query string
        Dim strFormEmpNum
        strFormEmpNum = Request.QueryString("txtEmp")

        ' Database Call
        ' mobjRS, mstrProc and mstrConnect are page-level variables
        Set mobjRS = Server.CreateObject("ADODB.Recordset")
        mobjRS.CursorLocation = adUseClient
        ' The input is concatenated into the SQL text and sent as adCmdText
        mstrProc = "Exec GetEmployeeReport '" & strFormEmpNum & "'"
        mobjRS.Open mstrProc, mstrConnect, adOpenStatic, adLockReadOnly, adCmdText
        Set mobjRS.ActiveConnection = Nothing

        ' Process result set
        If (Not mobjRS.BOF) Then
            Do Until mobjRS.EOF
                intRowCount = intRowCount + 1
                If (intRowCount = 1) Then
                    Call FormatRptHdr()
                End If
                Call FormatRptLine()
                mobjRS.MoveNext
            Loop
        End If

        If (intRowCount > 0) Then
            Call FormatRptTrailer()
        End If

        Set mobjRS = Nothing

    End Sub

    Wednesday, September 3, 2008 5:48 PM

All replies

  • It is vulnerable.

    Set txtEmp to: a'; DROP PROCEDURE GetEmployeeReport--


    Now you first execute the SP and then you drop it.

    Tuesday, September 9, 2008 7:09 PM
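The fix for the code in the question (and the reason the reply's payload works is that the input is spliced into SQL text) is to call the procedure through an ADODB.Command with a bound parameter, so whatever arrives in txtEmp is passed as a single string value rather than as part of the statement. This is an added example, not code from either poster; it assumes GetEmployeeReport takes one varchar input parameter, here named @EmpNum with a length of 20, since the page does not show the procedure's signature.

```vbscript
' Hardened ProduceReport: the employee number is bound as a parameter,
' so a value such as  a'; DROP PROCEDURE GetEmployeeReport--  is only
' ever a 40-odd character string compared against the employee column.
' Assumption: GetEmployeeReport(@EmpNum varchar(20)); adjust to match.
' ADO constants normally provided by adovbs.inc
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1
Const adOpenStatic = 3
Const adLockReadOnly = 1
Const adUseClient = 3

Sub ProduceReport()
    Dim intRowCount
    intRowCount = 0

    Dim strFormEmpNum
    strFormEmpNum = Request.QueryString("txtEmp")

    ' Build the call as a stored-procedure command, never as SQL text
    Dim objCmd
    Set objCmd = Server.CreateObject("ADODB.Command")
    objCmd.ActiveConnection = mstrConnect   ' page-level connection string, as in the question
    objCmd.CommandType = adCmdStoredProc
    objCmd.CommandText = "GetEmployeeReport"
    ' The driver sends the value separately from the statement
    objCmd.Parameters.Append objCmd.CreateParameter("@EmpNum", adVarChar, adParamInput, 20, strFormEmpNum)

    ' When the source is a Command object the connection argument must be omitted
    Set mobjRS = Server.CreateObject("ADODB.Recordset")
    mobjRS.CursorLocation = adUseClient
    mobjRS.Open objCmd, , adOpenStatic, adLockReadOnly
    Set mobjRS.ActiveConnection = Nothing

    ' Process result set exactly as before
    If (Not mobjRS.BOF) Then
        Do Until mobjRS.EOF
            intRowCount = intRowCount + 1
            If (intRowCount = 1) Then
                Call FormatRptHdr()
            End If
            Call FormatRptLine()
            mobjRS.MoveNext
        Loop
    End If

    If (intRowCount > 0) Then
        Call FormatRptTrailer()
    End If

    Set mobjRS = Nothing
    Set objCmd = Nothing
End Sub
```

Static analyzers typically flag string concatenation feeding adCmdText; a grep for `& strForm` or `adCmdText` across the application is a quick manual check for other call sites the tool missed.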