I have read a number of articles on sanitizing user input before executing SQL queries to prevent SQL injection attacks.
I have an HTML form which a user can fill in, the information from which is used to INSERT data into a database table. I am using the following ASP functions to remove bad characters from user inputs before using the data to do the INSERT:
<%
' Doubles single quotes so the value can be embedded in a quoted SQL literal.
function stripQuotes(strWords)
    stripQuotes = replace(strWords, "'", "''")
end function
%>
<%
' Removes a fixed list of keywords and punctuation from the input.
' Note: Replace is case-sensitive by default, so "SELECT" is not matched.
function killChars(strWords)
    dim badChars
    dim newChars
    dim i
    badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_")
    newChars = strWords
    for i = 0 to uBound(badChars)
        newChars = replace(newChars, badChars(i), "")
    next
    killChars = newChars
end function
%>
However, I have a memo field as part of the form. The above functions would remove grammatical as well as other information, which I don't really want them to do. But if I use the SQL INSERT command, a malicious user could easily use the memo field to submit an SQL injection attack.
Is there any way round this? The other method is to use the ADO recordset to do the INSERT, e.g. AddNew.
But I've read not to use ADO recordsets to do inserts/updates! There's no easy way round it, is there? I would be glad to know otherwise!
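The standard answer to the question above is to stop building the INSERT by string concatenation and bind the form values as parameters of an ADODB.Command. The following is an added example, not code from the original post. It assumes a table `Feedback` with columns `Name`, `Email` and `Memo`, form fields named `name`, `email` and `memo`, and a SQL Server connection string; change these to match your schema. Because each value travels as data rather than as part of the SQL text, the memo can contain apostrophes, semicolons, `--` or the word `select` and all of it is stored verbatim, so neither `stripQuotes` nor `killChars` is needed.

```vbscript
<%
' Added example: parameterised INSERT with ADODB.Command (no string concatenation).
' Table, column and form-field names plus the connection string are assumptions.
Option Explicit

' ADO constants (ADOVBS.inc is not included here, so they are spelled out).
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const adLongVarChar = 201
Const adExecuteNoRecords = 128

' Returns the bound INSERT command; values are never spliced into the SQL text.
function buildInsertCommand(conn, strName, strEmail, strMemo)
    dim cmd, memoSize
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? markers are positional placeholders filled by the parameters below.
    cmd.CommandText = "INSERT INTO Feedback (Name, Email, Memo) VALUES (?, ?, ?)"

    ' Sizes match the assumed column widths; reject longer input before this point.
    cmd.Parameters.Append cmd.CreateParameter("Name", adVarChar, adParamInput, 100, strName)
    cmd.Parameters.Append cmd.CreateParameter("Email", adVarChar, adParamInput, 255, strEmail)

    ' Variable-length parameters must have a size greater than zero.
    memoSize = Len(strMemo)
    If memoSize = 0 Then memoSize = 1
    cmd.Parameters.Append cmd.CreateParameter("Memo", adLongVarChar, adParamInput, memoSize, strMemo)

    Set buildInsertCommand = cmd
end function

dim conn, cmd, strName, strEmail, strMemo

strName = Request.Form("name")
strEmail = Request.Form("email")
strMemo = Request.Form("memo")   ' e.g. "It's fine; see -- select * from x" is stored as-is

' Basic length validation so the database, not the user, defines the limits.
If Len(strName) > 100 Or Len(strEmail) > 255 Then
    Response.Write "Name or email is too long."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=.;Initial Catalog=MyDb;Integrated Security=SSPI;"

Set cmd = buildInsertCommand(conn, strName, strEmail, strMemo)
cmd.Execute , , adExecuteNoRecords

conn.Close
Set cmd = Nothing
Set conn = Nothing
%>
```

`Option Explicit` must be the first statement on the page, so keep it at the top if you merge this into an existing file. The same pattern works for UPDATE and DELETE, and for stored procedures by switching `CommandType` to `adCmdStoredProc`; the recordset `AddNew` route also avoids injection, but `Command` with parameters is the usual recommendation for plain inserts.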