checking POST vars for SQL INJECTION

I am working on an ecommerce app and want to be able to take my entire
POST results as one item (or iterate through them) and check for any
malicious SQL INJECTION items. After checking/escaping them I want to
save them back into the post results. The reason for this is because I
have coded the entire app and just learned about the dangers of SQL
Injection and rather than going through every post var and fixing it I
would rather run a function at the beginning of each page. Any ideas?

Thanks

Jul 22 '05 #1
Cogswell wrote:
> I am working on an ecommerce app and want to be able to take my entire
> POST results as one item (or iterate through them) and check for any
> malicious SQL INJECTION items.

Client-side (pre-submission)? Or server-side (post-submission)? If the
former, ask on a client-side newsgroup such as .scripting.jscript.

> After checking/escaping them I want to
> save them back into the post results.

This sounds as if you want to do it prior to the form's submission (using
the form's onsubmit event).

> The reason for this is because I
> have coded the entire app and just learned about the dangers of SQL
> Injection and rather than going through every post var and fixing it I
> would rather run a function at the beginning of each page. Any ideas?
>
> Thanks

Don't bother. Just pass the values as parameters instead of using dynamic
sql and you won't have to worry about sql injection.

The problem with validation is that:
a) Sometimes legitimate data may resemble malicious code
b) Hackers keep coming up with new ways to mask their injected sql

Without dynamic sql, injection is not possible. And no, this does not mean
all your sql has to be converted to stored procedures (although this can be
a good thing). You can use parameter markers in sql strings to avoid
concatenating your data into the strings. Of course, this technique
requires the use of explicit Command objects to pass the parameter values
...

Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 22 '05 #2
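The two approaches discussed in this thread side by side, as an added example that is not from either poster: Python with an in-memory SQLite table stands in for the ASP/ADO Command object Bob describes, and the table and rows are constructed. It shows Bob's point (a), that legitimate data such as a name with an apostrophe breaks dynamic SQL while a parameter marker handles it, and also what goes wrong with the original poster's plan of escaping POST values up front if those values later reach a parameterized query.

```python
"""Dynamic SQL vs. parameter markers, demonstrated on a constructed SQLite table."""
import sqlite3


def make_db():
    """Constructed sample data: two customers, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice Smith", "alice@example.com"), ("Conor O'Brien", "conor@example.com")],
    )
    return conn


def lookup_dynamic(conn, name):
    """Dynamic SQL: the POST value is spliced into the statement text.
    Any quote in the value changes the meaning (or the validity) of the SQL."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Parameter marker: the value travels separately from the SQL text and
    is never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def dynamic_sql_fails(conn, name):
    """True when concatenating `name` yields SQL that no longer parses."""
    try:
        lookup_dynamic(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def escape_quotes(value):
    """The 'escape every POST var up front' idea from the question: doubles
    apostrophes so the value survives concatenation into a quoted literal."""
    return value.replace("'", "''")


if __name__ == "__main__":
    db = make_db()
    print("dynamic SQL breaks on O'Brien:", dynamic_sql_fails(db, "Conor O'Brien"))
    print("parameterized:", lookup_parameterized(db, "Conor O'Brien"))
    # Escaping first and then binding as a parameter searches for a name that
    # does not exist: the escaping is applied twice.
    print("escaped then bound:", lookup_parameterized(db, escape_quotes("Conor O'Brien")))
```

Note that a value containing quotes or SQL keywords is still just a value on the parameterized path; the query simply matches no row.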
