ASP.NET, C#, WebSite, DropDownList, run SQL, and update Textboxes, open to SQL Injection


  • I'm using JavaScript to run a SQL SELECT and update the textboxes on the ASP.NET (C#) page when the user changes the value. The Nessus security report shows that it is open to SQL injection and was able to use an injection to overload the server. The script exposes the column and table names for the DropDownList. I think the lines listed below are the part of the script the security report is referring to; they are excerpted from the code listing that follows. I tried an update with the asp:DropDownList, but couldn't get it to run the query on page load without causing a page refresh, which loses the input the user has entered. Is there a way to make this JavaScript secure, or is it better to run the query in C#? Isn't IIS supposed to reject insecure script requests?

                        courses.forEach(function (course) {
                            var value = course.RecordID + '|' + course.CourseCode + '|' + course.Title;
                            html += '<option value="' + value + '">' + course.Title + '</option>';


    script listing

        <script type="text/javascript">
            function load() {
                var xhttp = new XMLHttpRequest();
                xhttp.open('post', 'instructorcourse.aspx/GetCourseTitles', true);
                xhttp.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
                xhttp.setRequestHeader('Content-Type', 'application/json');
                xhttp.onreadystatechange = function () {
                    if (xhttp.readyState == XMLHttpRequest.DONE && xhttp.status == 200) {
                        var $titlesDropDown = document.getElementById('DropDownList1'),
                            courses = JSON.parse(JSON.parse(this.responseText).d),
                            html = '';
                        courses.forEach(function (course) {
                            var value = course.RecordID + '|' + course.CourseCode + '|' + course.Title;
                            html += '<option value="' + value + '">' + course.Title + '</option>';
                        });
                        $titlesDropDown.innerHTML = html;
                    }
                };
                xhttp.send(JSON.stringify({ instructorId: '<%=txtInstructorID.Text%>' }));
            }
            document.addEventListener('DOMContentLoaded', load);

            function changeCourse(e) {
                var temp = e.target.value.split('|'),
                    recordID = parseInt(temp[0]),
                    courseCode = temp[1],
                    title = temp[2];
                document.getElementById('<%=nameof(txtInstructorID)%>').value = recordID;
                document.getElementById('<%=nameof(txtCourseCode)%>').value = courseCode;
                document.getElementById('<%=nameof(txtCourseTitle)%>').value = title;
            }
        </script>

