Prevent SQL injection error

S N
05-01-2009
Kindly provide me with standard VBScript code which I can insert in my ASP
search page such that it eliminates the SQL injection error.

uandme72

Bob Barrows
05-01-2009
S N wrote:
> Kindly provide me with standard VBScript code which I can insert in
> my ASP search page such that it eliminates the SQL injection error.
>

http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

See here for a better, more secure way to execute your queries by using
parameter markers (tokens):
http://groups-beta.google.com/group/...e36562fee7804e

Personally, I prefer using stored procedures, or saved parameter queries
as they are known in Access:

Access:
http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl

http://groups.google.com/groups?hl=e...tngp13.phx.gbl

SQL Server:
http://groups.google.com/group/micro...09dc1701?hl=en



--
HTH,
Bob Barrows

S N
05-02-2009
How about using the following function in the code to prevent sql injection.

Private Function SQLInjectionBlock(ByVal blnLogBadRequest, ByVal strBuffer, ByVal enmStrength)
    Dim blnAlreadyLogged
    Dim arrExtended
    Dim arrCommon
    Dim lngID

    blnAlreadyLogged = False

    '--Make sure we have a valid buffer before working with it
    If Trim(strBuffer) = "" Then
        SQLInjectionBlock = strBuffer
        Exit Function
    End If

    '--Setup the common array values (you can modify as needed)
    arrCommon = Array("'", """", ";", "*", ",", "--", "(", ")", "=")

    '--Setup the extended array values (you can modify as needed, I just setup a few)
    '--
    '--Please note that the high strength could have undesired effects.
    '--If someone has a dog named "Thor" and they use that as a username then
    '--it will be stripped to "Th" so be careful.
    '--
    arrExtended = Array("SELECT", "FROM", "WHERE", "AND", "OR")

    '--Clear any and all instances in the buffer that match the common array
    For lngID = LBound(arrCommon) To UBound(arrCommon)
        '--If we are logging this and it has not already been logged and the
        '--buffer contains a match then log it
        '--(AppendSecurityLog is the application's own logging routine, defined elsewhere)
        If blnLogBadRequest And Not blnAlreadyLogged And InStr(1, strBuffer, arrCommon(lngID)) > 0 Then
            Call AppendSecurityLog("SQL Injection - (" & strBuffer & ")")
            blnAlreadyLogged = True
        End If
        strBuffer = Replace(strBuffer, arrCommon(lngID), "")
    Next

    '--If the extra strength is requested, then use the extended array too
    If enmStrength > 0 Then
        '--Clear any and all instances in the buffer that match the extended array.
        '--Keywords are compared case-insensitively (vbTextCompare); with the default
        '--binary compare a lower-case "select" would pass through untouched.
        For lngID = LBound(arrExtended) To UBound(arrExtended)
            '--If we are logging this and it has not already been logged and the
            '--buffer contains a match then log it
            If blnLogBadRequest And Not blnAlreadyLogged And InStr(1, strBuffer, arrExtended(lngID), vbTextCompare) > 0 Then
                Call AppendSecurityLog("SQL Injection - (" & strBuffer & ")")
                blnAlreadyLogged = True
            End If
            strBuffer = Replace(strBuffer, arrExtended(lngID), "", 1, -1, vbTextCompare)
        Next
    End If

    '--Return the modified buffer
    SQLInjectionBlock = strBuffer

    '--Clear the resources used by the arrays
    Erase arrCommon
    Erase arrExtended
End Function

"Bob Barrows" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>S N wrote:
>> Kindly provide me with standard VBScript code which I can insert in
>> my ASP search page such that it eliminates the SQL injection error.
>>

> http://mvp.unixwiz.net/techtips/sql-injection.html
> http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
>
> See here for a better, more secure way to execute your queries by using
> parameter markers (tokens):
> http://groups-beta.google.com/group/...e36562fee7804e
>
> Personally, I prefer using stored procedures, or saved parameter queries
> as they are known in Access:
>
> Access:
> http://www.google.com/groups?hl=en&l...TNGP12.phx.gbl
>
> http://groups.google.com/groups?hl=e...tngp13.phx.gbl
>
> SQL Server:
> http://groups.google.com/group/micro...09dc1701?hl=en
>
>
>
> --
> HTH,
> Bob Barrows

Bob Barrows
05-02-2009
S N wrote:
> How about using the following function in the code to prevent sql
> injection.

<snip of a typical filter function>

It might help against a less-determined hacker*, but the only way to
absolutely prevent sql injection is to stop using dynamic sql. Without
dynamic sql, injecting unwanted sql is almost impossible. Secondary sql
injection is still possible, so you do have to be careful with values
retrieved from a database that were entered via user input. No data entered
by users should be trusted.

I really cannot understand this love affair that people have with dynamic
sql, when it is so easy to use parameters. Dynamic sql is hard! Having to
deal with delimiters, quotes in the data, etc. ... it's no wonder that
dynamic sql questions were so common in these groups up to a few years ago.
Using parameters does away with all those issues. It amazes me that this is
not the tool of first resort when teaching beginners how to program with
databases.

There is only one situation where dynamic sql is necessary, and that is
where database objects (table or column names) referred to in a sql
statement need to be variable. In that situation, it is possible to prevent
sql injection by validating the data passed from the user contains nothing
more than the expected object names.


* and if you read the comments in the function you will see that it might
prevent the entry of innocent data.
--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


 