The code they send is ENCODED, so you can't check what it is.
Can anyone assist on how to prevent this sql injection.
He might not be able to pay thousands of dollars to secure it correctly, but I think he should still be allowed to compete in the marketplace.
You can program your way out of a wet bag, but can't have all possible UI leaks detected, there's way too many points of entry, and for any small company it is commonly cost prohibitive.
Now, with a limited input field of 128 characters, if you don't find any word breaks in those 128 characters like multiple spaces, periods or commas, reject it.
Several common sense techniques will stop those encoded injections dead in their tracks.
Set OBJdbConnection = Server.CreateObject("ADODB.Connection")
OBJdbConnection.Open "Provider=sqloledb;Data Source=somesite.com;Initial Catalog=somecatalog;User Id=sa;Password=somepwd;"
xid = Request.Form.Item("someid")
' xid is concatenated straight into the SQL text with no type check: this is the injection point
SQL_query = "SELECT * FROM sometable WHERE (tblid = "&xid&")"
Set rs = OBJdbConnection.Execute(SQL_query)
xname = rs("name")
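A hardened version of the snippet above, added here as an example and not the poster's own code. It assumes that `someid` is a whole number (tblid being an integer column) and keeps the posted connection string unchanged; the word-break screen is the heuristic described in the thread, applied to free-text fields, while the parameterised ADODB.Command is what actually removes the injection.

```vbscript
<%
Option Explicit
' ADO constants (adovbs.inc values), spelled out so the page runs without the include.
Const adCmdText    = 1
Const adInteger    = 3
Const adParamInput = 1

' Thread heuristic for free-text fields: a value that fills the whole limit
' with no word breaks (spaces, periods, commas) looks like an encoded blob,
' not typed text. A coarse screen only; parameters below are the real fix.
Function LooksLikeEncodedBlob(s, maxLen)
    LooksLikeEncodedBlob = False
    If Len(s) >= maxLen Then
        If InStr(s, " ") = 0 And InStr(s, ".") = 0 And InStr(s, ",") = 0 Then
            LooksLikeEncodedBlob = True
        End If
    End If
End Function

Dim xid, re, OBJdbConnection, cmd, rs, xname
xid = Request.Form.Item("someid")

' 1. Type-check the id: one to nine digits, nothing else reaches the database.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(xid) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Connection string as posted; in production the app should log in with a
' least-privilege account rather than sa.
Set OBJdbConnection = Server.CreateObject("ADODB.Connection")
OBJdbConnection.Open "Provider=sqloledb;Data Source=somesite.com;Initial Catalog=somecatalog;User Id=sa;Password=somepwd;"

' 2. Parameterised query: the value is sent as a typed parameter, never as
'    part of the SQL text, so an encoded payload in "someid" cannot alter
'    the statement regardless of how it is encoded.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = OBJdbConnection
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT * FROM sometable WHERE (tblid = ?)"
cmd.Parameters.Append cmd.CreateParameter("tblid", adInteger, adParamInput, , CLng(xid))
Set rs = cmd.Execute

If Not rs.EOF Then xname = rs("name")
rs.Close
OBJdbConnection.Close
%>
```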
incrediBILL, come on. Do you post here, or what? This Quick Reply box on the forum, how long of a string does it accept?
In fact, even I would shut down several of our small non-profit sites rather than doing extensive and EXPENSIVE hole plugging.
Obviously my code does specific filtering at field levels in the actual application itself.
That is what I was referring to when I said "extensive and expensive". Because you have to build this infrastructure in, so if it isn't already present it is an extensive application mod.