11-24-07, 03:32 PM
MadDog
SQL injection allows anyone to break a SQL statement and destroy your database.

The best way to prevent this is to strip anything you might put into a SQL statement.

A simple SQL Inject would be:

URL Should be: yourpage.asp?ID=1
But someone enters: yourpage.asp?ID=1;Drop Table TableName;
That would drop the table "TableName" from your database!

To prevent that, your number should be filtered, so you would use Clng or Cint
Code:
' Force the ID to a number; CLng raises a type-mismatch error on non-numeric input
intItemNumber = CLng(Request("ID"))

' Build the statement from the converted value, not from the raw request
strSQL = "SELECT * From TableName WHERE ID=" & intItemNumber & ";"
If you're passing a string, you only need to filter out one thing, the ' character:
Code:
' Double every single quote so the value cannot close the string literal
strString = Replace(Request("Name"), "'", "''")

strSQL = "SELECT * From TableName WHERE Name='" & strString & "';"
Now you should look up XSS hacks and how to prevent that if you allow user inputs.
__________________
Drew Gauderman
ASP - MSSQL Coder / Business Owner / Coder for Hire!
MSN-ICQ-AIM-YIM in Profile

http://www.iportalx.net an easy ASP portal system.
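The two lookups from the post above, rewritten as an added example (not MadDog's code and not from iPortalX) using ADODB.Command with bound parameters, so the user's input is sent to SQL Server separately from the statement text and never has to be escaped or pasted into the query string. The connection string, the table TableName and its columns ID (integer) and Name (varchar, assumed 50 characters) are assumptions for the example.

```vbscript
<%
Option Explicit

' ADO constants (same values as in adovbs.inc)
Const adInteger    = 3
Const adVarChar    = 200
Const adParamInput = 1
Const adCmdText    = 1

' Placeholder connection string; replace with your own
Dim strConn
strConn = "Provider=SQLOLEDB;Data Source=SERVER;Initial Catalog=DB;Integrated Security=SSPI;"

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strConn

' --- Numeric lookup: check the type first, then bind the value as an integer ---
Dim intItemNumber
If IsNumeric(Request("ID")) Then
    intItemNumber = CLng(Request("ID"))
Else
    ' "1;Drop Table TableName;" is not numeric, so the request is rejected here
    Response.Status = "400 Bad Request"
    Response.End
End If

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT * FROM TableName WHERE ID = ?"
' CreateParameter(Name, Type, Direction, Size, Value); the ? is filled by the driver
cmd.Parameters.Append cmd.CreateParameter("ID", adInteger, adParamInput, , intItemNumber)

Dim rs
Set rs = cmd.Execute
' ... read rs here ...
rs.Close

' --- String lookup: no quote doubling needed, a ' in the value stays inside the value ---
Dim strName
strName = Left(Request("Name"), 50)   ' cap the length to the assumed column size

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT * FROM TableName WHERE Name = ?"
cmd.Parameters.Append cmd.CreateParameter("Name", adVarChar, adParamInput, 50, strName)

Set rs = cmd.Execute
' ... read rs here ...
rs.Close
conn.Close
%>
```

With parameters bound this way the SQL text is fixed at the time the page is written, so a value such as O'Brien or a string containing a semicolon is compared against the Name column as plain data rather than parsed as part of the statement; the CLng/IsNumeric check on the ID is kept only to give a clean error instead of a type-mismatch exception.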