CSV files

mike55 (Well-known member; joined Mar 26, 2004; 726 messages; Ireland)
Hi

Am uploading a .CSV file from a client's machine to a web server; the program is then to loop through the .CSV file and upload the data to a SQL Server 2000 database.

What is the most appropriate manner for determining if the .CSV file has JavaScript or any other malicious scripts hidden in it?

Mike55
 
A csv file is in no way a place to host anything but data, because nothing in it
is executable.

It is read line by line, separated into the app. blocks and then sent to the DB.

If you use CommandParameters there is nothing to be done.
 
FZelle said:
A csv file is in no way a place to host anything but data, because nothing in it
is executable.

It is read line by line, separated into the app. blocks and then sent to the DB.

If you use CommandParameters there is nothing to be done.

Ok,

When the file is uploaded to the web server, it is read and a temporary table is created and the data is transferred, line-by-line, into this new table. So correct me if I am wrong: if I had a script that deletes the entire database in one of the blocks, I don't have to worry about it as it cannot be executed at all.

So effectively, I now have a block of dangerous script sitting in my datatable. Is there not a major risk/chance that the person who inserted the data in the .CSV file first time may try and execute the script from the database table?

Mike55
 
It all depends on what you do with the data stored.
If you present it in a browser you could end up infecting the clients that visit your site.
If you do an EXEC in a database on the data stored in the table there might be a risk of dropping the database if an evil user adds such statements in the csv.

But I guess you have checks for the uploaded data when inserting it into the database table(s).
Be careful with large textblocks and binary data, and decode/escape potential risk fields.

HTH
/Kejpa
 
Maybe there is a small misunderstanding of a few buzzwords.

SQL injection can only occur when you don't use the ParameterCollection.
Only if you use something like
Code:
  SqlString = "Insert INTO TheTable (Val1 ) Values ( "+Textbox1.Text+")";
Here you can insert malicious code.
If you use it this way, it is safe:
Code:
  SqlString = "Insert INTO TheTable (Val1 ) Values ( @Val1)";
  Cmd.Parameters.Add("@Val1", OleDbType.String,255).Value=TextBox1.Text;

The stored procedures in a database are in a separate place.

When there is something like a malicious SQL statement in a table, it doesn't matter,
because it will never be executed.
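Worked example, added here and not code from the thread: it uses Python with an in-memory SQLite database rather than the ADO.NET/SQL Server 2000 setup of the question, but shows the same contrast as FZelle's two snippets plus Kejpa's browser point. A constructed CSV upload is loaded once with bound parameters (the DROP-shaped text lands in the table as plain data) and once by splicing fields into the SQL string (the table is gone), and stored text is escaped before output. The CSV content, the table name `staging` and all helper names are assumptions.

```python
import csv
import html
import io
import sqlite3

# Constructed upload: row 2 is shaped like HTML, row 3 is shaped like SQL.
UPLOADED_CSV = """name,note
alice,plain text
bob,<b>hello</b>
mallory,"x'); DROP TABLE staging; --"
"""

def new_db():
    """Fresh in-memory database, standing in for the web server's SQL Server."""
    return sqlite3.connect(":memory:")

def parse_rows(csv_text):
    """Read the upload line by line, as the thread describes."""
    return [(r["name"], r["note"]) for r in csv.DictReader(io.StringIO(csv_text))]

def load_with_parameters(conn, csv_text):
    """Safe pattern: every field travels as a bound parameter, never as SQL text."""
    conn.execute("CREATE TABLE IF NOT EXISTS staging (name TEXT, note TEXT)")
    rows = parse_rows(csv_text)
    conn.executemany("INSERT INTO staging (name, note) VALUES (?, ?)", rows)
    conn.commit()
    return len(rows)

def load_by_concatenation(conn, csv_text):
    """Unsafe pattern from the thread: the field is spliced into the SQL string."""
    conn.execute("CREATE TABLE IF NOT EXISTS staging (name TEXT, note TEXT)")
    for name, note in parse_rows(csv_text):
        sql = "INSERT INTO staging (name, note) VALUES ('" + name + "', '" + note + "')"
        conn.executescript(sql)  # batch-capable call, like a multi-statement command
    conn.commit()

def table_exists(conn, name):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1

def stored_notes(conn):
    return [r[0] for r in conn.execute("SELECT note FROM staging ORDER BY rowid")]

def render_cell(value):
    """Escape stored data before it reaches a browser (Kejpa's second risk)."""
    return html.escape(value, quote=True)
```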
 