Forum Moderators: ocean10000


avoiding SQL injection attacks without the need to replace words

10:58 pm on Nov 19, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 9, 2006
votes: 0


I have a web 2.0 ASP website that relies on user input. How can I stop SQL injection attacks without the need to replace words like Join, Select, Delete, etc.?

I have searched everywhere but cannot find an answer.

Please help

4:22 pm on Nov 27, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 24, 2005
votes: 0

You only need to replace the occurrences of apostrophes present in user data...

' VB.NET: double every apostrophe so the value cannot close the string literal early
Dim strName As String = Request.Form("name").Replace("'", "''")
Dim strSQL As String = "SELECT address FROM users WHERE name = '" & strName & "'"


Ad hoc SQL is nearly always a bad idea. Consider using parameterized SQL or stored procedures instead.
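The reply above gives two options: double the apostrophes in the value, or use parameterized SQL. The following is an added example, not code from the thread, showing where each option stands. It uses Python with the standard-library sqlite3 module as a stand-in for the poster's ASP.NET and SQL Server setup, against a small constructed users table; the table contents and function names are assumptions made for the illustration. The point it adds to the reply is that apostrophe doubling only protects a value that sits inside a quoted string literal; the same value concatenated into an unquoted numeric comparison is not protected at all, while a bound parameter covers both cases.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table standing in for the poster's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, address TEXT)")
    conn.executemany(
        "INSERT INTO users (name, address) VALUES (?, ?)",
        [("alice", "1 Main St"), ("bob", "2 Elm St"), ("o'brien", "3 Oak St")],
    )
    conn.commit()
    return conn


def escape_quotes(value):
    """The doubling trick from the reply: ' becomes ''. Only meaningful inside a quoted literal."""
    return value.replace("'", "''")


def lookup_by_name_escaped(conn, name):
    """String context: the escaped value is wrapped in quotes, so doubling does its job."""
    sql = "SELECT address FROM users WHERE name = '" + escape_quotes(name) + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_escaped(conn, user_id):
    """Numeric context: no quotes around the value, so the injected text runs as SQL."""
    sql = "SELECT address FROM users WHERE id = " + escape_quotes(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_param(conn, name):
    """Parameterized form: the driver binds the value; it is never parsed as SQL."""
    rows = conn.execute("SELECT address FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def lookup_by_id_param(conn, user_id):
    """Parameterized numeric lookup: a non-numeric string simply matches nothing."""
    rows = conn.execute("SELECT address FROM users WHERE id = ? ORDER BY id", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Legitimate apostrophe survives the doubling trick
    print(lookup_by_name_escaped(db, "o'brien"))
    # Classic tautology is neutralised inside a quoted literal
    print(lookup_by_name_escaped(db, "' OR '1'='1"))
    # Same trick does nothing for an unquoted numeric comparison: every row comes back
    print(lookup_by_id_escaped(db, "1 OR 1=1"))
    # Bound parameter: the injected string is compared as a value, not run as SQL
    print(lookup_by_id_param(db, "1 OR 1=1"))
    print(lookup_by_id_param(db, 1))
```

The quoted-string case is the one the reply describes, and doubling apostrophes does hold up there. The numeric case is why the follow-up advice to use parameterized SQL is the one to take: the application does not have to know which contexts need which escaping, because the value never becomes part of the statement text.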

9:48 pm on Nov 27, 2007 (gmt 0)


WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
votes: 3

These are the links I keep handy for reference for this very question.

MSDN:How To: Protect From SQL Injection in ASP.NET [msdn2.microsoft.com]

MSDN:How To: Protect From Injection Attacks in ASP.NET [msdn2.microsoft.com]

MSDN:Anti-Cross Site Scripting [msdn2.microsoft.com]