Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP General (http://www.velocityreviews.com/forums/f65-asp-general.html)
-   -   checking POST vars for SQL INJECTION (http://www.velocityreviews.com/forums/t797837-checking-post-vars-for-sql-injection.html)

Cogswell 02-03-2005 06:21 PM

checking POST vars for SQL INJECTION
 
I am working on an ecommerce app and want to be able to take my entire
POST results as one item (or iterate through them) and check for any
malicious SQL INJECTION items. After checking/escaping them I want to
save them back into the post results. The reason for this is because I
have coded the entire app and just learned about the dangers of SQL
Injection and rather than going through every post var and fix it I
would rather run a function at the beginning of each page. Any ideas?

Thanks


Bob Barrows [MVP] 02-03-2005 06:54 PM

Re: checking POST vars for SQL INJECTION
 
Cogswell wrote:
> I am working on an ecommerce app and want to be able to take my entire
> POST results as one item (or iterate through them) and check for any
> malicious SQL INJECTION items.


Client-side (pre-submission)? Or server-side (post-submission)? If the
former, ask on a client-side newsgroup such as .scripting.jscript.

> After checking/escaping them i want to
> save them back into the post results.


This sounds as if you want to do it prior to the form's submission (using
the form's onsubmit event).

> The reason for this is because I
> have coded the entire app and just learned about the dangers of SQL
> Injection and rather than going through every post var and fix it I
> would rather run a function at the beginning of each page. Any ideas?
>
> Thanks

Don't bother. Just pass the values as parameters instead of using dynamic
sql and you won't have to worry about sql injection.

The problem with validation is that:
a) Sometimes legitimate data may resemble malicious code
b) Hackers keep coming up with new ways to mask their injected sql

Without dynamic sql, injection is not possible. And no, this does not mean
all your sql has to be converted to stored procedures (although this can be
a good thing). You can use parameter markers in sql strings to avoid
concatenating your data into the strings. Of course, this technique
requires the use of explicit Command objects to pass the parameter values
....

Bob Barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
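The parameter-marker approach Bob describes, written out as a classic ASP page. This is an added example, not code from the thread: it assumes a Customers table with CustomerID and Email columns, an Orders table with OrderID and Qty columns, and a connection string stored in Application("ConnString") at application start. The ADO constants are normally pulled in from adovbs.inc; they are declared inline here so the page is self-contained.

```vbscript
<%
Option Explicit

' ADO constants (values as defined in adovbs.inc).
Const adCmdText    = 1
Const adParamInput = 1
Const adInteger    = 3
Const adVarChar    = 200

' Assumed: connection string stored at application start (not from the thread).
Dim cn
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open Application("ConnString")

' BEFORE (deliberately vulnerable, shown for contrast): the POST value is
' concatenated into the SQL text, so a value such as
'     x' OR '1'='1
' rewrites the statement. No blacklist of "bad" strings fixes this reliably:
' legitimate input like O'Brien@example.com contains the same characters.
'
' Dim sql, rs
' sql = "SELECT CustomerID FROM Customers WHERE Email = '" & Request.Form("email") & "'"
' Set rs = cn.Execute(sql)

' AFTER: the statement text is fixed and the value travels as a typed parameter.
' The database never parses Request.Form("email") as SQL, so no escaping is needed.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
With cmd
    .ActiveConnection = cn
    .CommandType = adCmdText
    .CommandText = "SELECT CustomerID FROM Customers WHERE Email = ?"
    .Parameters.Append .CreateParameter("email", adVarChar, adParamInput, 255, _
                                        Request.Form("email"))
    Set rs = .Execute
End With

If Not rs.EOF Then
    ' Encode on output as well: injection into HTML is a separate problem.
    Response.Write "Customer " & Server.HTMLEncode(rs("CustomerID")) & "<br>"
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing

' Numeric columns get numeric parameters. CLng raises a type-mismatch error
' on anything that is not a whole number (e.g. "5; DROP TABLE Orders"),
' which stops the request long before the value reaches the database.
Dim upd, qty
qty = CLng(Request.Form("qty"))
Set upd = Server.CreateObject("ADODB.Command")
With upd
    .ActiveConnection = cn
    .CommandType = adCmdText
    .CommandText = "UPDATE Orders SET Qty = ? WHERE OrderID = ?"
    .Parameters.Append .CreateParameter("qty", adInteger, adParamInput, , qty)
    .Parameters.Append .CreateParameter("id", adInteger, adParamInput, , _
                                        CLng(Request.Form("orderid")))
    .Execute
End With
Set upd = Nothing

cn.Close
Set cn = Nothing
%>
```

Two details worth keeping in mind when converting an existing page: assign ActiveConnection with a plain `=` (using `Set` there makes ADO open a second connection), and use adVarWChar (202) instead of adVarChar for nvarchar columns so the driver does not silently convert the parameter and defeat the index on that column.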



