Wednesday, August 9th, 2006
Not everyone out there teaching Ajax methods knows quite what they’re doing sometimes – as Dan Morrill found out. The training session he had been going to was coming along just fine until they began talking about “properly formatted XML” and their query to grab the database info for it.
I am in AJAX training this week learning the process of “properly formatted XML”. They have us going through, writing code, getting data out of databases, all the things that you would normally do with tabulated code. Just one problem (spot the errors with this code set).
- strConnString = "server=(local);Driver={SQL Server};database=DbCustomers;UID=name;PWD=secret"  ' database credentials hard-coded in the page
- strSQL = "SELECT * FROM tblCustomers WHERE ustid='" & strSearch & "'"  ' user-supplied strSearch concatenated straight into the query text
Honestly, and no kidding, this was the code set they were using for the select statement read string for the AJAX application.
There are at least a few errors in there – 1 cross-site scripting issue, 2 SQL injection points, and a problem with the resulting URL where the user can access things he shouldn’t. Add that together with the database running on the same machine, and it spells trouble. He also comments on the quality of some of the training out there:
AJAX is only as good as the examples that the developers have. While it is great to have properly formatted XML and HTML as the output, the basics of information security still have to apply to the process. AJAX is a really great way of embedding dynamic data into a web page without having to go through the entire page load process that we otherwise work with on a Web Server.
But AJAX is not an excuse for following very poor coding practices that have been pretty well deprecated over the last couple of years, since cross-site scripting and SQL injection have become pretty familiar terms to many in the IT industry.
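The two problems Chris and Dan point at (input spliced into the SQL text, and data echoed back into the XML/HTML response unescaped) are easiest to see side by side. The following is an added example written for this post; it is not code from the training session or from Dan's write-up. It uses Python with an in-memory SQLite table as a stand-in for the classic ASP / SQL Server setup, and the table name, columns and customer rows are constructed for the demonstration. The concatenated version mirrors the training code; the parameterized version and the escaping helper are the fix.

```python
import sqlite3
import html

# Constructed sample rows standing in for tblCustomers (assumption: not the training data).
CUSTOMERS = [
    ("C001", "Alice", "alice@example.com"),
    ("C002", "Bob", "bob@example.com"),
    ("C003", "Carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblCustomers (custid TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO tblCustomers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_concatenated(conn, search):
    """Mirrors the training code: the user's input becomes part of the SQL text."""
    sql = "SELECT custid, name, email FROM tblCustomers WHERE custid='" + search + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, search):
    """Hardened form: the value is bound as a parameter and can never alter the query."""
    sql = "SELECT custid, name, email FROM tblCustomers WHERE custid=?"
    return conn.execute(sql, (search,)).fetchall()


def concatenation_breaks_on_apostrophe(conn):
    """A legitimate name containing a quote (O'Brien) already breaks the concatenated
    query; the same input is harmless to the parameterized one."""
    try:
        lookup_concatenated(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


def render_row_xml(row):
    """Escape every value before embedding it in the XML/HTML sent back to the page,
    so stored data cannot turn into markup or script (the XSS side of the problem)."""
    custid, name, email = row
    return '<customer id="%s"><name>%s</name><email>%s</email></customer>' % (
        html.escape(custid, quote=True),
        html.escape(name),
        html.escape(email),
    )


if __name__ == "__main__":
    db = make_db()
    # A normal lookup behaves identically either way.
    print(lookup_concatenated(db, "C002"))
    print(lookup_parameterized(db, "C002"))
    # An always-true tail returns the whole table through concatenation,
    # but is just a string that matches no customer id once parameterized.
    probe = "' OR '1'='1"
    print(len(lookup_concatenated(db, probe)), "rows via concatenation")
    print(len(lookup_parameterized(db, probe)), "rows via parameters")
    print(render_row_xml(("C001", "<b>Alice</b>", "alice@example.com")))
```

The detection-worthy point is that the parameterized query needs no input filtering to stay correct: the driver sends the value separately from the statement, so the database never parses it as SQL. Escaping on output is the independent second step; doing one does not cover the other.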
Posted by Chris Cornutt at 7:52 am