
avoiding SQL injection attacks

without the need to replace words

10:58 pm on Nov 19, 2007 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 9, 2006
posts:49
votes: 0


Hi

I have a Web 2.0 ASP website that relies on user input. How can I stop SQL injection attacks without the need to replace words like Join, Select, Delete, etc.?

I have searched everywhere but cannot find an answer.

Please help

4:22 pm on Nov 27, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 24, 2005
posts:965
votes: 0


You only need to replace the occurrences of apostrophes presented in user data...

' Double each apostrophe so the value cannot close the string literal early
Dim strName As String = Request.Form("name").Replace("'", "''")
Dim strSQL As String = "SELECT address FROM users WHERE name = '" & strName & "'"

However...

Ad Hoc SQL is nearly always a bad idea. Consider using parameterized SQL or stored procedures instead.
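
The same lookup written with a parameterized SqlCommand, added here as an example (it is not code from the original post); the connection-string name "users" and the NVARCHAR column sizes are assumptions:

```vbnet
' Added example: the lookup from the reply above, using a parameter instead of
' concatenation. The value is sent separately from the SQL text, so apostrophes,
' comment markers or keywords in it are never parsed as SQL.
' Assumptions: a connection string named "users" in web.config and a table
' users(name NVARCHAR(100), address NVARCHAR(200)).
Imports System.Data
Imports System.Data.SqlClient
Imports System.Configuration

Public Class UserLookup
    ' Returns the address stored for the given name, or Nothing if no row matches.
    Public Shared Function GetAddress(ByVal name As String) As String
        Dim connStr As String = ConfigurationManager.ConnectionStrings("users").ConnectionString
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand("SELECT address FROM users WHERE name = @name", conn)
                ' Typed, sized parameter: no Replace call on the input is needed at all.
                Dim p As SqlParameter = cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100)
                p.Value = name
                conn.Open()
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then
                    Return Nothing
                End If
                Return CStr(result)
            End Using
        End Using
    End Function
End Class

' Usage from a page handler (assumed form field "name"):
'   Dim address As String = UserLookup.GetAddress(Request.Form("name"))
```

The same pattern covers stored procedures: set cmd.CommandType = CommandType.StoredProcedure and add the procedure's parameters the same way.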

9:48 pm on Nov 27, 2007 (gmt 0)

Administrator

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

joined:Jan 14, 2004
posts:864
votes: 3


These are the links I keep handy for reference for this very question.

MSDN:How To: Protect From SQL Injection in ASP.NET [msdn2.microsoft.com]

MSDN:How To: Protect From Injection Attacks in ASP.NET [msdn2.microsoft.com]

MSDN:Anti-Cross Site Scripting [msdn2.microsoft.com]