SQL Server Tips by Gama and Naughter

Web application script injection

If a web application writes user input straight back into the page without encoding it, that input can contain HTML or script, and the browser will run the script as part of the page.

Example: a web application that asks for a user name and displays a welcome message containing that name.

Below are the usual ASP and PHP versions, named “welcome.asp” and “welcome.php” respectively.

welcome.asp

<html>
<head><title>Welcome!</title>
</head>
<body>
<center><h3>What is your name?</h3></center>
<br>
<form action="welcome.asp" method="post">
Name: <input type="text" name="VisitorName" size="20">
<input type="submit" value="Submit">
</form>
<br>
<%
Dim StrName
StrName=Request.Form("VisitorName") 'get input
if StrName<>"" then
      Response.Write("Welcome " & StrName & "!") 'write name on page, unencoded
end if
%>
</body>
</html>

 

welcome.php

<html>
<head><title>Welcome!</title>
</head>
<body>
<center><h3>What is your name?</h3></center>
<br>
<form action="welcome.php" method="post">
Name: <input type="text" name="VisitorName" size="20">
<input type="submit" value="Submit">
</form>
<br>
<?php
if (!isset($_REQUEST['VisitorName'])) //get input
  $StrName='';
else
  $StrName=$_REQUEST['VisitorName'];
if ($StrName!='')
  echo ('Welcome '.$StrName.'!'); //write name on page, unencoded
?>
</body>
</html>

 

Submitting the following as the name shows the problem: the value is written into the page unchanged, so the browser executes it as script when the response is displayed:

<SCRIPT>alert(document.cookie);</SCRIPT>
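The welcome handler above rewritten in Python as an added example (not code from the book excerpt), with the unencoded version next to a hardened one that HTML-encodes the name before writing it, the same fix that PHP's htmlspecialchars() or classic ASP's Server.HTMLEncode() would give the original pages. The function names and the check helper are this example's own.

```python
# Added example (not from the book excerpt): the welcome handler from the page
# in Python, first as written (vulnerable) and then with output encoding.
import html

# The payload quoted on the page; used only to show that encoding neutralises it.
PAGE_PAYLOAD = '<SCRIPT>alert(document.cookie);</SCRIPT>'


def render_welcome_unsafe(visitor_name: str) -> str:
    """Mirrors welcome.asp / welcome.php: the submitted name is concatenated
    into the HTML verbatim, so any markup in it becomes part of the page."""
    if visitor_name == '':
        return ''
    return 'Welcome ' + visitor_name + '!'


def render_welcome_safe(visitor_name: str) -> str:
    """Hardened version: HTML-encode the value before writing it, so '<', '>',
    '&' and quotes are rendered as text instead of parsed as tags.
    This encoding is correct for HTML element content; a value placed inside
    an attribute, a URL or a <script> block needs the encoding for that context."""
    if visitor_name == '':
        return ''
    return 'Welcome ' + html.escape(visitor_name, quote=True) + '!'


def contains_script_tag(fragment: str) -> bool:
    """Simple check a test suite can run over rendered output:
    does a literal <script ...> tag survive into the page?"""
    return '<script' in fragment.lower()


if __name__ == '__main__':
    print(render_welcome_unsafe(PAGE_PAYLOAD))  # the tag reaches the browser intact
    print(render_welcome_safe(PAGE_PAYLOAD))    # the tag is shown as harmless text
```

Encoding the output is the fix for the page itself; separately, marking session cookies HttpOnly keeps them out of document.cookie, so a script that does slip through cannot read them.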


 


The above book excerpt is from:

Super SQL Server Systems: Turbocharge Database Performance with C++ External Procedures
ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter
http://www.rampant-books.com/book_2005_2_sql_server_external_procedures.htm