A TO Consultant wrote:
> Hi All,
> I am working on a web application that uses both asp classic and
> asp.net pages. We need to validate user input to avoid attacks like
> sql injection. Can a component be created that both page types can
> use? Is that the best approach? Would I simply use pattern matching
> to validate strings and/or remove any unwanted characters?
> Thanks in advance.
For SQL Injection, while validation is important, it is not enough to
prevent it. If you truly wish to prevent SQL Injection, you will avoid
all use of dynamic sql*, using parameters to pass values instead.
I do not believe that validation can be made as generic as you are
hoping it can be: some data should not contain sql keywords, and other
data should.
*I am defining dynamic sql as the act of concatenating user input into
sql statements which are subsequently executed.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
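As an added illustration of the reply's point (this is not code from the thread, and it is Python with sqlite3 standing in for the ADODB.Command parameters of classic ASP and the SqlCommand/SqlParameter objects of ADO.NET, which bind values the same way): the example shows that concatenating input into SQL ("dynamic sql" in the reply's sense) is exploitable, that stripping quotes happens to save the string case but does nothing for a numeric comparison, and that passing values as parameters stops both while still letting a free-text field legitimately contain SQL keywords. All table contents, function names and the attack strings are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real application.
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE notes (user_id INTEGER, text TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def strip_quotes(s):
    """The kind of character blacklist the question proposes: drop single quotes."""
    return s.replace("'", "")


def login_dynamic(conn, username, password):
    """Vulnerable: user input is concatenated into the statement text."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_dynamic_filtered(conn, username, password):
    """Still dynamic SQL, but with quotes removed first (validation only)."""
    return login_dynamic(conn, strip_quotes(username), strip_quotes(password))


def login_parameterized(conn, username, password):
    """Safe: the values are bound as parameters and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def user_by_id_dynamic_filtered(conn, id_text):
    """Quote stripping is useless here: a numeric comparison needs no quotes at all."""
    sql = "SELECT username FROM users WHERE id = " + strip_quotes(id_text)
    return [row[0] for row in conn.execute(sql)]


def user_by_id_parameterized(conn, id_text):
    """Validate the type (int() raises ValueError on junk), then bind the value."""
    user_id = int(id_text)
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def save_note_parameterized(conn, user_id, text):
    """Free text may legitimately contain SQL keywords; parameters keep it intact."""
    conn.execute("INSERT INTO notes VALUES (?, ?)", (user_id, text))
    row = conn.execute("SELECT text FROM notes WHERE user_id = ?", (user_id,)).fetchone()
    return row[0]


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"   # classic string-context payload
    numeric = "1 OR 1=1"        # numeric-context payload, no quotes needed
    try:
        id_param = user_by_id_parameterized(conn, numeric)
    except ValueError:
        id_param = "rejected"
    return {
        "login_dynamic": login_dynamic(conn, "alice", tautology),
        "login_filtered": login_dynamic_filtered(conn, "alice", tautology),
        "login_param": login_parameterized(conn, "alice", tautology),
        "id_filtered": user_by_id_dynamic_filtered(conn, numeric),
        "id_param": id_param,
        "note": save_note_parameterized(conn, 1, "select the 'drop table' option first"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The string-context login shows why the reply says validation is not enough on its own: quote stripping defeats this particular payload, but the numeric lookup is exploited by a payload containing no quotes, and only the parameterized versions return the expected results in both cases. The note field illustrates the other half of the reply: a generic filter that rejected SQL keywords would break legitimate data, whereas parameters store it verbatim.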