Re: SQL Injection Code Help



Sorry, but I am a newbie. What do you mean by parameterize?

"Dan Guzman" wrote:

Note that you can parameterize SQL Statements even without procs. Perhaps a
phased implementation will get you there faster.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"Jody" <Jody@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1F902517-1CEF-43E4-B669-C3DE2B1F116B@xxxxxxxxxxxxxxxx
Yes, I believe that would be the way to go, but there is a large learning curve here. My thinking was, as a first line of defense, to limit the permissible characters in all the fields of each of the forms first, then work on the stored procedures angle.

This is a very large site and I am just learning about it and best practice, not to mention learning to code. Therefore it feels more efficient to put snippets of code in the forms first, then hire a consultant to do the rest. If you have some code example we could easily implement for each field, that would be most appreciated.

Thanks - Jody

"Jody" wrote:

I have a client who needs help securing their website from SQL injection, which has already occurred. We have locked down the SQL Server end of things pretty well but need to clean up and secure the code. The pages are ASP pages, written mostly in HTML and Visual Basic Script.

What we need to learn how to do quickly (very newbie at this) is to set all form fields to only allow the following characters so no SQL instructions will be accepted into any given form field.

We want to only allow: abcdefghijklmnopqrstuvwzyz1234567890 @ . - _

If an apostrophe is entered we want it to be converted to two apostrophes with a space between them, so ( ' ) would then be changed to ( ' ' ), and any double hyphens entered ( -- ) get a space added between them ( - - ) or some other safe elimination of the double SQL hyphen.

The other (2nd priority item) would be to help us hide and/or password
protect the non-public db update forms.

Here is a sample of some of the form code on one of the forms if that helps. If someone is willing to show us what the code is we need to insert to accomplish this, that would be VERY appreciated.

<td align="left">*First Name Initial *Last Name<br />
  <input type="text" name="bFname" id="bFname" size="21" onKeyup="autotab(this, document.OD.bmI)" maxlength="30" tabindex="1">
  <input type="text" name="bmI" id="bmI" size="6" onKeyup="autotab(this, document.OD.bLname)" maxlength="3" tabindex="2">
  <input type="text" name="bLname" id="bLname" size="30" onKeyup="autotab(this, document.OD.bStAddy1)" maxlength="30" tabindex="3">
</td>
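As an added illustration of what "parameterize" means in the classic ASP / VBScript setting of this thread (this is not code from Dan or Jody, and not part of the original posts): the same lookup on the bFname field written first as string concatenation, which is the pattern that allows injection, and then as an ADO parameterized command. The table name Customers, the columns FirstName and LastName, and the connection string are assumptions; substitute the site's own values.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. Assumed names: table Customers with
' columns FirstName and LastName; strConn is a placeholder connection string.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim strConn
strConn = "Provider=SQLOLEDB;Data Source=PLACEHOLDER;Initial Catalog=PLACEHOLDER;Integrated Security=SSPI;"

' Vulnerable version: the input is spliced into the SQL text, so an apostrophe
' in bFname terminates the string literal and whatever follows is parsed as SQL.
' Doubling apostrophes only patches one symptom and is easy to get wrong.
Function LookupUnsafe(fname)
    Dim conn, rs, sql
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open strConn
    sql = "SELECT FirstName, LastName FROM Customers WHERE FirstName = '" & fname & "'"
    Set rs = conn.Execute(sql)
    LookupUnsafe = CollectNames(rs)
    rs.Close
    conn.Close
End Function

' Parameterized version: the SQL text is fixed and contains a "?" placeholder.
' The value is handed to the driver as a typed parameter and is never parsed
' as part of the statement, so quotes and double hyphens in it are just data.
Function LookupSafe(fname)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open strConn
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT FirstName, LastName FROM Customers WHERE FirstName = ?"
    ' Size 30 matches the form field's maxlength; Left() enforces it server-side too
    cmd.Parameters.Append cmd.CreateParameter("fname", adVarChar, adParamInput, 30, Left(Trim(fname), 30))
    Set rs = cmd.Execute
    LookupSafe = CollectNames(rs)
    rs.Close
    conn.Close
End Function

' Helper: join the rows of a recordset into one HTML-encoded line each
Function CollectNames(rs)
    Dim out
    out = ""
    Do Until rs.EOF
        out = out & Server.HTMLEncode(rs("FirstName") & " " & rs("LastName") & "") & "<br />"
        rs.MoveNext
    Loop
    CollectNames = out
End Function

' bFname is the field name from the form posted in the thread
Response.Write LookupSafe(Request.Form("bFname"))
%>
```

The point of LookupSafe is that the statement text reaching SQL Server is identical no matter what the user typed; the character filtering Jody describes can still be kept as a second layer (and for the same reason the output is run through Server.HTMLEncode before it is written back to the page), but it is the parameter, not the filter, that stops the input from being executed as SQL.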
