Bytes IT Community

Validating User Input to Avoid Attacks

Hi All,

I am working on a web application that uses both asp classic and asp.net
pages. We need to validate user input to avoid attacks like sql injection.
Can a component be created that both page types can use? Is that the best
approach? Would I simply use pattern matching to validate strings and/or
remove any unwanted characters?

Thanks in advance.
Jul 12 '06 #1
3 Replies


A TO Consultant wrote:
Hi All,

I am working on a web application that uses both asp classic and
asp.net pages. We need to validate user input to avoid attacks like
sql injection. Can a component be created that both page types can
use? Is that the best approach? Would I simply use pattern matching
to validate strings and/or remove any unwanted characters?

Thanks in advance.
For SQL Injection, while validation is important, it is not enough to
prevent it. If you truly wish to prevent SQL Injection, you will avoid
all use of dynamic sql*, using parameters to pass values instead.

I do not believe that validation can be made as generic as you are
hoping it can be: some data should not contain sql keywords, and other
data should.

*I am defining dynamic sql as the act of concatenating user input into
sql statements which are subsequently executed.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 12 '06 #2

Thanks Bob.

When you say to use parameters to pass values instead, do you mean to use
stored procedures and call them with the values as parameters?

"Bob Barrows [MVP]" wrote:
A TO Consultant wrote:
Hi All,

I am working on a web application that uses both asp classic and
asp.net pages. We need to validate user input to avoid attacks like
sql injection. Can a component be created that both page types can
use? Is that the best approach? Would I simply use pattern matching
to validate strings and/or remove any unwanted characters?

Thanks in advance.
For SQL Injection, while validation is important, it is not enough to
prevent it. If you truly wish to prevent SQL Injection, you will avoid
all use of dynamic sql*, using parameters to pass values instead.

I do not believe that validation can be made as generic as you are
hoping it can be: some data should not contain sql keywords, and other
data should.

*I am defining dynamic sql as the act of concatenating user input into
sql statements which are subsequently executed.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 12 '06 #3

That's my preferred technique, but it's not necessary. Both ADO and
ADO.Net allow the use of parameter markers to facilitate the passing of
parameter values into ad hoc sql strings. Here is a description of the
ADO implementation of this:

http://groups-beta.google.com/group/...e36562fee7804e
A TO Consultant wrote:
Thanks Bob.

When you say to use parameters to pass values instead, do you mean to
use stored procedures and call them with the values as parameters?

"Bob Barrows [MVP]" wrote:
A TO Consultant wrote:
Hi All,

I am working on a web application that uses both asp classic and
asp.net pages. We need to validate user input to avoid attacks like
sql injection. Can a component be created that both page types can
use? Is that the best approach? Would I simply use pattern
matching to validate strings and/or remove any unwanted characters?

Thanks in advance.
For SQL Injection, while validation is important, it is not enough to
prevent it. If you truly wish to prevent SQL Injection, you will
avoid all use of dynamic sql*, using parameters to pass values
instead.

I do not believe that validation can be made as generic as you are
hoping it can be: some data should not contain sql keywords, and
other data should.

*I am defining dynamic sql as the act of concatenating user input
into sql statements which are subsequently executed.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get
a quicker response by posting to the newsgroup.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 12 '06 #4
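Bob's advice, replacing concatenated SQL with an ADO parameter marker, as an added classic ASP (VBScript) example that is not from the thread; the Customers table and its columns, the connString variable and the form field name are assumptions.

```vbscript
<%
' Added example (not from the thread). Assumes a table Customers(CustomerID, Name, City)
' and a connection string in connString. ADO constants are written as literals so the
' page does not need adovbs.inc (drop these three lines if that file is included).
Const adCmdText    = 1
Const adParamInput = 1
Const adVarWChar   = 202

' Dynamic SQL in Bob's sense: user input concatenated into the statement. A quote
' character in the input changes the statement's structure, so this is injectable.
Function FindCustomersUnsafe(conn, city)
    Dim sql
    sql = "SELECT CustomerID, Name FROM Customers WHERE City = '" & city & "'"
    Set FindCustomersUnsafe = conn.Execute(sql)
End Function

' Same query with a ? parameter marker: the statement text is fixed and the value
' travels separately, so the provider never parses the input as SQL.
Function FindCustomersSafe(conn, city)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT CustomerID, Name FROM Customers WHERE City = ?"
    ' Size (30) should match the column width; the value is passed whole, never spliced in.
    cmd.Parameters.Append cmd.CreateParameter("City", adVarWChar, adParamInput, 30, city)
    Set FindCustomersSafe = cmd.Execute
End Function

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connString

' Whatever the visitor typed goes in unchanged; validation (length, allowed
' characters) is still worthwhile for data quality but is no longer the defence.
Set rs = FindCustomersSafe(conn, Request.Form("city"))
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The ASP.NET pages can do the same with SqlCommand and named @parameters, so the shared piece between the two page types is the rule (no concatenated SQL) rather than a filtering component.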
