CountForCriteria injection problem

heinscott · Post by **heinscott** » Fri Sep 10, 2010 9:30 am

I have a small problem...
McAfee secure scan is telling me that my site has the possibility of an injection attack. I have an email signup in my footer that I want to use to sign people up to our list IF they are not on any other email list already... Here is the code that causes the error....

Code: Select all

string email = UserEmail.Text;
if (!emailList.IsMember(email) && EmailListUserDataSource.CountForCriteria("Email = '" + email + "'") == 0 && email.Contains("@"))
{
    emailList.ProcessSignupRequest(email);
}

Any ideas how I can make accomplish the same thing in a safe manner?
Thanks for the help!

Scott

AbleMods · Post by **AbleMods** » Sat Sep 11, 2010 10:20 pm

You could hit the database directly and use SQL parameters with the query. But that's kind of a hassle.

But the bigger question is.....how is McAfee seeing your server-side code? That code isn't visible from the client side.

jmestep · Post by **jmestep** » Sun Sep 12, 2010 11:43 am

You could try using some Replace functions in your criteria. I think this article would help:
http://msdn.microsoft.com/en-us/library/ms161953.aspx

jmestep · Post by **jmestep** » Mon Sep 13, 2010 6:36 am

I just remembered this:
Able has a method that should take care of that- StringHelper.SafeSqlString(criteria here)

heinscott · Post by **heinscott** » Mon Sep 13, 2010 10:57 am

Thanks! I will try that SafeSqlString method.

Scott

AbleCommerce Shopping Cart Software

CountForCriteria injection problem

CountForCriteria injection problem

Re: CountForCriteria injection problem

Re: CountForCriteria injection problem

Re: CountForCriteria injection problem

Re: CountForCriteria injection problem