473,231 Members | 1,821 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,231 software developers and data experts.

SQL Injection Attack

37
I have read a number of articles on sanitizing user input before executing SQL queries to prevent SQL injection attacks.

I have a html form which a user can fill in - the information from which is used to INSERT data into a database table. I am using the following asp functions function to remove bad characters from user inputs before using the data to do the INSERT:

<%
function stripQuotes(strWords)
stripQuotes = replace(strWords, "'", "''")
end function
%>

<%

function killChars(strWords)

dim badChars
dim newChars

badChars = array [4]("select", "drop", ";", "--", "insert",
"delete", "xp_")
newChars = strWords

for i = 0 to uBound(badChars)
newChars = replace(newChars, badChars(i), "")
next

killChars = newChars

end function

%>



However I have a memo field as part of the form. The above functions would remove gramatical as well as other information which I dont really want it to do. But if I use the SQL INSERT command a malicious user could easily use the memo field to submit an SQL injection attack.

Is there any way round this. The other method is to use the ADO record set to do the INSERT e.g addnew.

But i've read not use ADO record sets to do insert/updates! Theres no easy way round it is there! I would be glad to know otherwise!
Jan 30 '07 #1
2 2136
scripto
143 100+
use a SQL stored procedure and pass the input values as parameters - that's the only way to fly.
Jan 30 '07 #2
ozzii
37
use a SQL stored procedure and pass the input values as parameters - that's the only way to fly.
Is there any sample code available for a stored procedure in ASP - specifically to exucute an INSERT command?
Jan 30 '07 #3

Sign in to post your reply or Sign up for a free account.

Similar topics

11
by: BTR | last post by:
I have been working on this particular project for a little over 2 weeks now. This product contains between 700-900 stored procedures to handle just about all you can imagine within the product. I...
4
by: poppy | last post by:
I think a site I developed has been the victim of a sql injection attack.I know how to stop this happening in future but: Is there any way I can trace such an attack?
5
by: TCORDON | last post by:
What is the best way to protect a site against it? Does anyone have a RegEx to help validate user input? TIA!
10
by: bregent | last post by:
I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input validation scripts that you use to avoid form...
4
by: ss | last post by:
hi, can anybody gives me a sample code where the sql injection attack is validated. how can i do that in business logic layer and pass the error to the presentation tier I want the sample...
1
by: Doug | last post by:
Hi, I have a question on sql injection attacks. I am building a tool that will be used exclusively by our other developers and will generate stored procs for them dynamically based off input...
29
by: sinbuzz | last post by:
Hi, I'm curious about the best way to avoid SQL Injection attacks against my web server. Currently I'm on IIS. I might be willing to switch to something like Apache but I'm not sure if SQL...
16
by: shank | last post by:
- - - - - - - - - IIS Log File Entry - - - - - - - - - - - - - - - - GET /sresult.asp...
2
Frinavale
by: Frinavale | last post by:
SQL Injection Attack A database is a collection of information organised in such a way that allows computer programs to access data (even large amounts) quickly and easily. Data within a database is...
16
by: ChipR | last post by:
Since we're talking about filters, make sure you also use a filter for semicolons (at the minimum) on any input that is going directly into an SQL statement to prevent your entire database from being...
3
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 3 Jan 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). For other local times, please check World Time Buddy In...
0
by: jianzs | last post by:
Introduction Cloud-native applications are conventionally identified as those designed and nurtured on cloud infrastructure. Such applications, rooted in cloud technologies, skillfully benefit from...
0
by: abbasky | last post by:
### Vandf component communication method one: data sharing ​ Vandf components can achieve data exchange through data sharing, state sharing, events, and other methods. Vandf's data exchange method...
2
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM). In this month's session, the creator of the excellent VBE...
0
by: fareedcanada | last post by:
Hello I am trying to split number on their count. suppose i have 121314151617 (12cnt) then number should be split like 12,13,14,15,16,17 and if 11314151617 (11cnt) then should be split like...
0
by: stefan129 | last post by:
Hey forum members, I'm exploring options for SSL certificates for multiple domains. Has anyone had experience with multi-domain SSL certificates? Any recommendations on reliable providers or specific...
0
Git
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...
0
by: DolphinDB | last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation. Take...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, youll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.