Bytes | Software Development & Data Engineering Community

SQL Injection Attack

I have read a number of articles on sanitizing user input before executing SQL queries to prevent SQL injection attacks.

I have an HTML form which a user can fill in, the information from which is used to INSERT data into a database table. I am using the following ASP functions to remove bad characters from user inputs before using the data to do the INSERT:

<%
' Doubles single quotes so a value survives inside a quoted SQL literal
function stripQuotes(strWords)
    stripQuotes = replace(strWords, "'", "''")
end function
%>

<%
' Removes a fixed list of SQL keywords and punctuation from the input.
' Note: Replace is case-sensitive by default, so only lower-case matches are removed.
function killChars(strWords)

    dim badChars
    dim newChars
    dim i

    badChars = Array("select", "drop", ";", "--", "insert", _
                     "delete", "xp_")
    newChars = strWords

    for i = 0 to uBound(badChars)
        newChars = replace(newChars, badChars(i), "")
    next

    killChars = newChars

end function
%>



However, I have a memo field as part of the form. The above functions would remove grammatical as well as other information, which I don't really want them to do. But if I use the SQL INSERT command, a malicious user could easily use the memo field to submit an SQL injection attack.

Is there any way round this? The other method is to use the ADO recordset to do the INSERT, e.g. AddNew.

But I've read not to use ADO recordsets to do inserts/updates! There's no easy way round it, is there? I would be glad to know otherwise!
Jan 30 '07 #1
scripto
use a SQL stored procedure and pass the input values as parameters - that's the only way to fly.
Jan 30 '07 #2
ozzii
use a SQL stored procedure and pass the input values as parameters - that's the only way to fly.
Is there any sample code available for a stored procedure in ASP, specifically to execute an INSERT command?
Jan 30 '07 #3
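The sample code asked for in #3, as an added example that is not part of the original thread: a classic ASP page that inserts the form fields through a SQL Server stored procedure using ADODB.Command with typed parameters. The table dbo.Feedback, the procedure dbo.usp_InsertFeedback, the form field names (name, email, memo) and the connection string are all assumptions made for the example. Because every value is bound as a parameter rather than concatenated into the SQL text, the memo field can contain quotes, semicolons, "--" or the word "select" and they are stored as plain data, so neither stripQuotes nor killChars from #1 is needed.

```asp
<%
' Added example (not from the original thread). Assumed schema and names:
' table dbo.Feedback, procedure dbo.usp_InsertFeedback, form fields name/email/memo.
'
' T-SQL to create the procedure (run once against the database):
'
'   CREATE PROCEDURE dbo.usp_InsertFeedback
'       @Name  NVARCHAR(100),
'       @Email NVARCHAR(255),
'       @Memo  NVARCHAR(MAX)
'   AS
'   BEGIN
'       SET NOCOUNT ON;
'       INSERT INTO dbo.Feedback (Name, Email, Memo)
'       VALUES (@Name, @Email, @Memo);
'   END
Option Explicit

' ADO constants (normally supplied by adovbs.inc or the ADO type library)
Const adCmdStoredProc = 4
Const adParamInput    = 1
Const adVarWChar      = 202
Const adLongVarWChar  = 203

' Placeholder connection string; replace with your own (assumption)
Const CONN_STRING = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=FeedbackDB;Integrated Security=SSPI"

' Runs the stored procedure with the three values bound as parameters.
' Nothing from the user ever becomes part of the SQL text.
Function InsertFeedback(connString, name, email, memo)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connString

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.usp_InsertFeedback"

    ' Sizes match the NVARCHAR lengths declared in the procedure; the memo uses
    ' the long Unicode type with the maximum size so any length is accepted.
    cmd.Parameters.Append cmd.CreateParameter("@Name",  adVarWChar,     adParamInput, 100, name)
    cmd.Parameters.Append cmd.CreateParameter("@Email", adVarWChar,     adParamInput, 255, email)
    cmd.Parameters.Append cmd.CreateParameter("@Memo",  adLongVarWChar, adParamInput, 2147483647, memo)

    cmd.Execute
    conn.Close
    Set cmd = Nothing
    Set conn = Nothing
End Function

' Form values go straight from Request.Form to the parameters; no character stripping.
InsertFeedback CONN_STRING, Request.Form("name"), Request.Form("email"), Request.Form("memo")
%>
```

Two caveats a practitioner would want: the protection comes from the parameters, not from the stored procedure itself, so a procedure that builds a query string from its arguments and runs it with EXEC would reintroduce the injection; and if a stored procedure is not wanted, the same ADODB.Command can run an ordinary INSERT with adCmdText and "?" placeholders, appending the parameters in the same way.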
