SQL Injection Attack

I have read a number of articles on sanitizing user input before executing SQL queries to prevent SQL injection attacks.

I have an HTML form which a user can fill in - the information from which is used to INSERT data into a database table. I am using the following ASP functions to remove bad characters from user inputs before using the data to do the INSERT:

<%
' Double every single quote so the value can sit inside a SQL string literal
function stripQuotes(strWords)
    stripQuotes = replace(strWords, "'", "''")
end function
%>

<%
' Strip a blacklist of SQL keywords and separators from the input.
' Note: replace() compares case-sensitively by default, so only the
' lower-case spellings listed here are removed.
function killChars(strWords)
    dim badChars
    dim newChars
    dim i

    badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_")
    newChars = strWords

    for i = 0 to uBound(badChars)
        newChars = replace(newChars, badChars(i), "")
    next

    killChars = newChars
end function
%>



However, I have a memo field as part of the form. The above functions would remove grammatical as well as other information, which I don't really want them to do. But if I use the SQL INSERT command, a malicious user could easily use the memo field to submit an SQL injection attack.

Is there any way round this? The other method is to use the ADO record set to do the INSERT, e.g. addnew.

But I've read not to use ADO record sets to do inserts/updates! There's no easy way round it, is there? I would be glad to know otherwise!
Jan 30 '07 #1
2 1857
scripto
use a SQL stored procedure and pass the input values as parameters - that's the only way to fly.
Jan 30 '07 #2
ozzii
use a SQL stored procedure and pass the input values as parameters - that's the only way to fly.
Is there any sample code available for a stored procedure in ASP - specifically to execute an INSERT command?
Jan 30 '07 #3
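One way to do the INSERT with parameters from classic ASP, as an added example that is not code from either poster: the ADODB.Command object carries the memo text as a typed parameter, so its content is never spliced into the SQL string and the killChars/stripQuotes filtering becomes unnecessary (quotes, semicolons and words like "drop" are simply stored as text). It assumes a SQL Server table dbo.Messages and a stored procedure dbo.InsertMessage, both defined in the comment at the top, and a placeholder connection string; the ADO constants are the standard values from adovbs.inc.

```vbscript
<%
' Added example, not from the original thread. Assumes SQL Server with:
'
'   CREATE TABLE dbo.Messages (
'       Id     int IDENTITY PRIMARY KEY,
'       Author nvarchar(50),
'       Memo   nvarchar(max))
'   GO
'   CREATE PROCEDURE dbo.InsertMessage
'       @Author nvarchar(50), @Memo nvarchar(max)
'   AS
'       INSERT INTO dbo.Messages (Author, Memo) VALUES (@Author, @Memo)
'   GO

' ADO constants (same values as in adovbs.inc)
Const adCmdText          = 1
Const adCmdStoredProc    = 4
Const adParamInput       = 1
Const adVarWChar         = 202
Const adLongVarWChar     = 203
Const adExecuteNoRecords = 128

' Placeholder connection string: replace server and database names
Dim connString
connString = "Provider=SQLOLEDB;Data Source=YOUR_SERVER;" & _
             "Initial Catalog=YOUR_DB;Integrated Security=SSPI;"

' Size for a long text parameter; ADO rejects a size of 0, so use 1 for ""
Function TextSize(s)
    If Len(s) = 0 Then TextSize = 1 Else TextSize = Len(s)
End Function

' INSERT through the stored procedure. Both values travel as parameters,
' so nothing the user typed is ever interpreted as SQL.
Sub InsertMessageProc(author, memo)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connString

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.InsertMessage"
    cmd.Parameters.Append cmd.CreateParameter("@Author", adVarWChar, adParamInput, 50, author)
    cmd.Parameters.Append cmd.CreateParameter("@Memo", adLongVarWChar, adParamInput, TextSize(memo), memo)
    cmd.Execute , , adExecuteNoRecords

    conn.Close
End Sub

' Same idea without a stored procedure: a parameterised INSERT statement.
' The "?" markers are bound positionally, so the SQL text is fixed at write time.
Sub InsertMessageText(author, memo)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connString

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO dbo.Messages (Author, Memo) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("author", adVarWChar, adParamInput, 50, author)
    cmd.Parameters.Append cmd.CreateParameter("memo", adLongVarWChar, adParamInput, TextSize(memo), memo)
    cmd.Execute , , adExecuteNoRecords

    conn.Close
End Sub

' Form handler: pass the posted fields through untouched; the database
' receives them as data, not as part of the statement.
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    InsertMessageProc Request.Form("author"), Request.Form("memo")
    Response.Write "Saved."
End If
%>
```

Ordinary input validation (required fields, maximum lengths such as the 50 characters of the Author column) still belongs in the page; what parameters remove is the need to guess which characters or keywords are dangerous, which is exactly where a blacklist like killChars fails for free-text fields.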
