mike55 Posted August 15, 2005
Hi, I am uploading a .CSV file from a client's machine to a web server; the program is then to loop through the .CSV file and upload the data to a SQL Server 2000 database. What is the most appropriate manner for determining if the .CSV file has JavaScript or any other malicious scripts hidden in it?
Mike55
A Client refers to the person who incurs the development cost. A Customer refers to the person that pays to use the product. ------ My software never has bugs. It just develops random features. (Mosabama vbforums.com)
FZelle Posted August 15, 2005
A csv-File is in no way a place to host anything but data, because nothing in it is executable. It is read line by line, separated into the app. blocks and then sent to the DB. If you use CommandParameters there is nothing to be done.
mike55 Posted August 15, 2005 (Author, edited)
> A csv-File is in no way a place to host anything but data, because nothing in it is executable. It is read line by line, separated into the app. blocks and then sent to the DB. If you use CommandParameters there is nothing to be done.
Ok. When the file is uploaded to the web server, it is read and a temporary table is created and the data is transferred, line-by-line, into this new table. So correct me if I am wrong: if I had a script that deletes the entire database in one of the blocks, I don't have to worry about it as it cannot be executed at all. So effectively, I now have a block of dangerous script sitting in my datatable. Is there not a major risk/chance that the person who inserted the data in the .CSV file the first time may try and execute the script from the database table?
Mike55
Edited August 15, 2005 by mike55
kejpa Posted August 16, 2005
It all depends on what you do with the data stored. If you present it in a browser you could end up infecting the clients that visit your site. If you do an EXEC in a database on the data stored in the table there might be a risk of dropping the database if an evil user adds such statements in the csv. But I guess you have checks for the uploaded data when inserting it into the database table(s). Be careful with large text blocks and binary data, and decode/escape potential risk fields.
HTH /Kejpa
FZelle Posted August 16, 2005
Maybe there is a small misunderstanding of a few buzzwords. SqlInjection can only occur when you don't use the ParameterCollection. Only if you use something like
SqlString = "Insert INTO TheTable (Val1 ) Values ( '"+Textbox1.Text+"')";
Here you can insert malicious code. If you use it this way, it is safe:
SqlString = "Insert INTO TheTable (Val1 ) Values ( @Val1)";
Cmd.Parameters.Add("@Val1", OleDbType.String,255).Value=TextBox1.Text;
The stored procedures in a database are in a separate place. When there is something like a malicious sql-statement in a table, it doesn't matter, because it will never be executed.
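An added example (not code from this thread) of the parameterised, row-by-row import FZelle describes, together with kejpa's point about escaping when a stored value is shown in a browser. It assumes a SQL Server table dbo.ImportTemp(Name, Note), a connection string, and a CSV with no quoted fields; the table and column names are placeholders.

```csharp
// Added example, not from the thread. Assumes: a SQL Server table
// dbo.ImportTemp(Name nvarchar(255), Note nvarchar(255)), a working
// connection string, and a CSV without quoted fields (a real import
// should use a proper CSV parser for quoting and embedded commas).
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Web;

public static class CsvImport
{
    // Inserts every row with bound parameters: each cell is sent as data,
    // so a cell such as  '); DROP TABLE ImportTemp; --  is stored as plain
    // text and is never parsed as part of the INSERT statement.
    public static int Import(string csvPath, string connStr)
    {
        int rows = 0;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "INSERT INTO dbo.ImportTemp (Name, Note) VALUES (@Name, @Note)", conn))
        {
            // Declare the parameters once; only their values change per row.
            SqlParameter pName = cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 255);
            SqlParameter pNote = cmd.Parameters.Add("@Note", SqlDbType.NVarChar, 255);
            conn.Open();
            foreach (string line in File.ReadLines(csvPath))
            {
                string[] f = line.Split(',');
                if (f.Length < 2) continue;   // skip blank or malformed rows
                pName.Value = f[0].Trim();
                pNote.Value = f[1].Trim();
                rows += cmd.ExecuteNonQuery();
            }
        }
        return rows;
    }

    // The stored text is only a risk where it is interpreted later. When a
    // cell is written into a web page, HTML-encode it so "<script>" from
    // the CSV shows up as literal text in the visitor's browser.
    public static string RenderCell(string storedValue)
    {
        return HttpUtility.HtmlEncode(storedValue);
    }
}
```

The same stored value would also have to be kept out of any dynamic EXEC or string-built query run later against the table, which is the case kejpa raises.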