Re: SQL Security in ASP
From: Refd0m (refdom@xfocus.org)
Date: 09/17/02
- Next message: Fernando G. Guerrero: "Re: Field Encryption"
- Previous message: Sue Hoegemeier: "Re: READ ONLY databases"
- In reply to: CJM: "SQL Security in ASP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Refd0m" <refdom@xfocus.org> Date: Tue, 17 Sep 2002 09:37:07 +0800
hi,
You must also focus on the SQL filter in ASP; it's a serious security
problem. You can read some articles about "SQL injection".
I wrote a filter function.
Function Filter_SQL(strData)
    Dim strFilter
    Dim blnFlag
    Dim i
    Dim arrayFilter
    ' Characters and keywords that must be filtered; ',' is the separator.
    strFilter = "',;,//,--,@,_,exec,declare"
    ' Filter flag: True means the input contains something that must be filtered.
    blnFlag = False
    arrayFilter = Split(strFilter, ",")
    For i = 0 To UBound(arrayFilter)
        ' vbTextCompare makes the match case-insensitive, so "EXEC" is caught as well as "exec".
        If InStr(1, strData, arrayFilter(i), vbTextCompare) > 0 Then
            blnFlag = True
            Exit For
        End If
    Next
    If blnFlag Then
        Response.Redirect "wrong.asp"
    Else
        Filter_SQL = strData
    End If
End Function
--
--------------------
Refd0m
Homepage: www.xfocus.org
www.opengram.com
------------------
"CJM" <cjmwork@yahoo.co.uk> wrote in message news:eqThtDaXCHA.1788@tkmsftngp12...
> I am developing the first of several intranet applications that access
> SQL 2000 through ASP. This is my first time doing this; previously I've
> always used Access97/2k.
>
> I am trying to settle on a security model that is effective, but is quick
> and not cumbersome. Following on from my Access work, I realise I could use
> the same technique: have users log in to the site and restrict access to
> the DB by restricting users' access to certain ASPs and by checking the user
> credentials on a page by page basis.... basically, keeping unauthorised
> users away from particular application functions.
>
> This has always worked well for me, and would be fine in this scenario.
> However, since I am creating the first of many, and since SQL has fairly
> sophisticated security features (to the layman) built-in, I thought now would
> be a suitable time to change to a new regime.
>
> So...... do I stick with what I have got, or are there some neat features in
> SQL that can help me do a better job?
>
> To re-iterate, I think I'm more interested in function-level security than
> field-level security, so solutions that go down to the nth degree won't be
> appropriate.
>
> Cheers
>
> CJM
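The blacklist above is a keyword filter, and keyword filters are only a partial defence: an input that contains none of the listed tokens can still change the meaning of a query that is built by string concatenation, while a parameterised query keeps user input as data no matter what it contains. The example below is an added illustration, not code from the poster or the thread. It ports the posted Filter_SQL list to Python and uses an in-memory SQLite database as a stand-in for SQL Server 2000 and ASP; the table, rows and the input string are constructed for the demonstration. In classic ASP the equivalent of the parameterised version is an ADODB.Command with parameters rather than a concatenated SQL string.

```python
import sqlite3

# Tokens from the posted Filter_SQL function, for comparison.
BLACKLIST = ["'", ";", "//", "--", "@", "_", "exec", "declare"]


def filter_sql(value: str) -> bool:
    """Return True when the input passes the posted blacklist (case-insensitive)."""
    lowered = value.lower()
    return not any(token in lowered for token in BLACKLIST)


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users with different roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable pattern: the request value is concatenated into the SQL text."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened pattern: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def demo() -> dict:
    """Run a numeric-context input that the blacklist accepts through both lookups."""
    conn = make_db()
    # Constructed input: no quote, no comment marker, no listed keyword, so the
    # blacklist lets it through, yet it alters the WHERE clause when concatenated.
    payload = "1 OR 1=1"
    return {
        "passes_filter": filter_sql(payload),
        "unsafe": lookup_unsafe(conn, payload),   # every row comes back
        "safe": lookup_safe(conn, payload),       # no row has that id, so nothing comes back
        "safe_valid": lookup_safe(conn, "2"),     # the bound parameter still works for real ids
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The filter does reject the classic quoted payloads (anything containing a quote, a comment marker or the listed keywords), so it is worth keeping as a defence in depth and as a signal to log; it just cannot be the only control. Binding parameters (and, on SQL Server, granting the web login execute rights on stored procedures rather than direct table access, as the original question hints at) addresses the root cause.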