checking POST vars for SQL INJECTION

I am working on an ecommerce app and want to be able to take my entire
POST results as one item (or iterate through them) and check for any
malicious SQL INJECTION items. After checking/escaping them I want to
save them back into the post results. The reason for this is because I
have coded the entire app and just learned about the dangers of SQL
Injection, and rather than going through every post var and fixing it I
would rather run a function at the beginning of each page. Any ideas?

Thanks

Jul 22 '05 #1
Cogswell wrote:
> I am working on an ecommerce app and want to be able to take my entire
> POST results as one item (or iterate through them) and check for any
> malicious SQL INJECTION items.

Client-side (pre-submission)? Or server-side (post-submission)? If the
former, ask on a client-side newsgroup such as .scripting.jscript.

> After checking/escaping them I want to
> save them back into the post results.

This sounds as if you want to do it prior to the form's submission (using
the form's onsubmit event).

> The reason for this is because I
> have coded the entire app and just learned about the dangers of SQL
> Injection and rather than going through every post var and fix it I
> would rather run a function at the beginning of each page. Any ideas?
>
> Thanks

Don't bother. Just pass the values as parameters instead of using dynamic
sql and you won't have to worry about sql injection.

The problem with validation is that:
a) Sometimes legitimate data may resemble malicious code
b) Hackers keep coming up with new ways to mask their injected sql

Without dynamic sql, injection is not possible. And no, this does not mean
all your sql has to be converted to stored procedures (although this can be
a good thing). You can use parameter markers in sql strings to avoid
concatenating your data into the strings. Of course, this technique
requires the use of explicit Command objects to pass the parameter values
...

Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 22 '05 #2
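An added illustration of the answer's two points, not code from the thread. The original app is classic ASP, where the same shape is an ADODB.Command whose CommandText uses ? markers and whose Parameters collection carries the values; the example below is Python with an in-memory SQLite table so it runs stand-alone. The user rows, the username containing an apostrophe, and the two attacker strings are constructed for the example. It shows (a) a legitimate value breaking the concatenated query, which a "check POST for SQL" filter would have to let through, and (b) the same values doing nothing when passed as parameters.

```python
"""Concatenated SQL beside parameterized SQL (added example, not from the thread)."""
import sqlite3

# Constructed sample data. The third user has an apostrophe in the name,
# the kind of legitimate value the answer warns "may resemble malicious code".
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
    (3, "o'brien", "pa55"),
]

# Constructed attacker inputs of the kind a global POST filter would have to recognise.
INJECT_OR = "' OR '1'='1"      # turns the WHERE clause into a tautology
INJECT_COMMENT = "alice'--"    # closes the string and comments out the password check


def make_db():
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_dynamic_sql(conn, username, password):
    """Vulnerable: request values are concatenated into the SQL text, so the
    database cannot tell data from code. Kept deliberately as the 'before'."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """The fix the answer describes: parameter markers (? in sqlite3, ? in ADO as well).
    The values travel separately from the statement and are never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def run_cases():
    """Run the same inputs through both versions and collect the outcomes."""
    conn = make_db()
    cases = {
        "honest": ("alice", "s3cret"),
        "apostrophe": ("o'brien", "pa55"),
        "or_true": (INJECT_OR, INJECT_OR),
        "comment": (INJECT_COMMENT, "wrong"),
    }
    results = {}
    for name, (user, pw) in cases.items():
        try:
            dynamic = login_dynamic_sql(conn, user, pw)
        except sqlite3.OperationalError:
            dynamic = "syntax error"  # legitimate data broke the concatenated query
        results[name] = {
            "dynamic": dynamic,
            "parameterized": login_parameterized(conn, user, pw),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name:11} dynamic={outcome['dynamic']!r:16} "
              f"parameterized={outcome['parameterized']!r}")
```

Run it and the concatenated version logs in every user for the OR string, logs in alice for the comment string with a wrong password, and raises a syntax error for o'brien; the parameterized version returns exactly one id for the two real logins and nothing for the attacker strings, with no filtering of the request at all.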
