how to hack a web site written in ASP. For example, a web page lets you input a date and accesses a database to retrieve your billing history. To do that, the web page needs to construct a SQL statement to pass to the database. The SQL statement could look like this:
Select BillingDate, Amount, Description From BillingTable Where UserName= 'YourUserName' and Date= 'InputDate'
The web page could construct the SQL statement by concatenating
Select BillingDate, Amount, Description From BillingTable Where UserName= 'You' and Date='
with the date you input and then concatenating a single quote.
In that case, if the hacker knows that your database has a table called Users with LoginName and Password fields, he can pass this as the input date:
4/20/2008' union select ' ', ' ', LoginName + ' ' + Password from Users --
The two dashes at the end tell SQL Server to ignore the last single quote concatenated to the statement. Essentially, the constructed statement displays not only the billing history but also all users' logins.
Of course, a hacker can only do this if the web site doesn't do a validity check on the date input. If that is the case, this security hole in fact opens up the entire database to the hacker, because he can use it to query your system tables and discover your database structure.
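The concatenated query next to a version that does the validity check and binds the values, as an added example that is not code from the original post. It assumes Python with an in-memory SQLite database in place of ASP and SQL Server; the sample rows and function names are constructed, and the table and column names follow the post.

```python
import sqlite3
from datetime import datetime

BASE = "Select BillingDate, Amount, Description From BillingTable Where UserName = "
# Input quoted from the post, used to test the two query styles.
CRAFTED = "4/20/2008' union select ' ', ' ', LoginName + ' ' + Password from Users --"

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE BillingTable (UserName TEXT, Date TEXT, BillingDate TEXT,
                                   Amount REAL, Description TEXT);
        CREATE TABLE Users (LoginName TEXT, Password TEXT);
        INSERT INTO BillingTable VALUES
            ('You', '4/20/2008', '4/20/2008', 19.99, 'Monthly plan');
        INSERT INTO Users VALUES ('alice', 'constructed-secret');
    """)
    return db

def billing_concatenated(db, user, input_date):
    # Pattern described in the post: the input becomes part of the SQL text.
    sql = BASE + "'" + user + "' and Date = '" + input_date + "'"
    return db.execute(sql).fetchall()

def parse_date(input_date):
    # Validity check: only a real M/D/YYYY date passes, anything else raises ValueError.
    return datetime.strptime(input_date.strip(), "%m/%d/%Y")

def billing_parameterized(db, user, input_date):
    # Validate first, then bind both values so they are never parsed as SQL.
    d = parse_date(input_date)
    canonical = f"{d.month}/{d.day}/{d.year}"
    return db.execute(BASE + "? and Date = ?", (user, canonical)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal date:", billing_concatenated(db, "You", "4/20/2008"))
    # SQLite's + is arithmetic, so the extra row shows 0 here; on SQL Server
    # + concatenates strings, as the post describes.
    print("concatenated, crafted input:", billing_concatenated(db, "You", CRAFTED))
    print("parameterized, normal date:", billing_parameterized(db, "You", "4/20/2008"))
    try:
        billing_parameterized(db, "You", CRAFTED)
    except ValueError as err:
        print("parameterized, crafted input rejected:", err)
```

The extra row returned by the concatenated query is the sign that the input changed the structure of the statement; the bound version returns only the caller's billing rows or rejects the input.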
Wednesday, December 8, 2010