avoiding SQL injection attacks

without the need to replace words


Simon606

10:58 pm on Nov 19, 2007 (gmt 0)

10+ Year Member



Hi

I have a web 2.0 ASP website that relies on user input. How can I stop SQL injection attacks without the need to replace words like Join, Select, Delete, etc.?

I have searched everywhere but cannot find an answer.

Please help

mrMister

4:22 pm on Nov 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You only need to replace the occurrences of apostrophes present in user data...

' Double every apostrophe so the value cannot close the string literal in the SQL below
Dim strName As String = Request.Form("name").Replace("'", "''")
' Ad hoc SQL built from the escaped value
Dim strSQL As String = "SELECT address FROM users WHERE name = '" & strName & "'"

However...

Ad hoc SQL is nearly always a bad idea. Consider using parameterized SQL or stored procedures instead.
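The parameterized and stored-procedure alternatives that the reply recommends, written out as an added example (this is editor-supplied ASP.NET VB code, not code from the original post or from Simon606's site). It assumes a SQL Server table `users` with columns `name` (nvarchar(50)) and `address`, a connection string named `UsersDb` in web.config, and a stored procedure `usp_GetAddressByName`; all of those names are assumptions.

```vbnet
' Added example, not code from the original post. The lookup from the reply
' above, rewritten so the user-supplied name travels as a SqlParameter rather
' than being spliced into the SQL text. Assumed: a SQL Server table "users"
' with columns "name" (nvarchar(50)) and "address", a connection string named
' "UsersDb" in web.config, and a stored procedure "usp_GetAddressByName".
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Configuration

Public Class AddressLookup

    Private Shared ReadOnly ConnStr As String = _
        ConfigurationManager.ConnectionStrings("UsersDb").ConnectionString

    ' Parameterized ad hoc SQL. The statement text never changes; the value of
    ' @name is sent to SQL Server separately from the statement, so an apostrophe,
    ' a comment marker (--) or words like SELECT or DELETE in the input are only data.
    Public Shared Function GetAddress(ByVal userName As String) As String
        Using conn As New SqlConnection(ConnStr)
            Using cmd As New SqlCommand( _
                    "SELECT address FROM users WHERE name = @name", conn)
                ' Explicit type and length that match the column: SQL Server does
                ' not have to convert the value, and the plan cache does not fill
                ' with one plan per input length (which AddWithValue would cause).
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName
                conn.Open()
                Return ScalarToString(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    ' Stored-procedure variant. Same parameter handling; only CommandType differs.
    ' This is only as safe as the procedure body: a procedure that concatenates
    ' @name into a string and runs it with EXEC is injectable all over again.
    Public Shared Function GetAddressViaProc(ByVal userName As String) As String
        Using conn As New SqlConnection(ConnStr)
            Using cmd As New SqlCommand("usp_GetAddressByName", conn)
                cmd.CommandType = CommandType.StoredProcedure
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName
                conn.Open()
                Return ScalarToString(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    ' ExecuteScalar returns Nothing when no row matches and DBNull when the
    ' column is NULL; treat both as "no address".
    Private Shared Function ScalarToString(ByVal value As Object) As String
        If value Is Nothing OrElse value Is DBNull.Value Then
            Return Nothing
        End If
        Return CStr(value)
    End Function

End Class
```

From the page or code-behind this is called as `AddressLookup.GetAddress(Request.Form("name"))`; the input is passed through untouched, with no apostrophe doubling and no keyword stripping, because a parameter value is never parsed as SQL. One caveat worth keeping in mind: doubling apostrophes only protects a value that sits inside a quoted string literal. A column compared without quotes, for example `WHERE id = " & strId`, has nothing to escape and stays injectable, which is one more reason to parameterize every value rather than escape some of them.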

Ocean10000

9:48 pm on Nov 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



These are the links I keep handy for reference for this very question.

MSDN:How To: Protect From SQL Injection in ASP.NET [msdn2.microsoft.com]

MSDN:How To: Protect From Injection Attacks in ASP.NET [msdn2.microsoft.com]

MSDN:Anti-Cross Site Scripting [msdn2.microsoft.com]