Re: SQL Injection Code Help
- From: "pblse" <pblse2@xxxxxxxx>
- Date: Sat, 17 Jun 2006 18:06:18 +0200
You shouldn't be working in this area, hire someone that knows what they are
doing instead. You can get plenty of good programmers at for example
I'm so tired of seeing people working as programmers that know absolutely
nothing about what they are doing, if you are a "newbie" you should go back
to school, not work as a programmer.
"Jody" <Jody@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Sorry but I am a newbie. What do you mean by parameterize?
"Dan Guzman" wrote:
Note that you can parameterize SQL Statements even without procs.
phased implementation will get you there faster.
Hope this helps.
SQL Server MVP
"Jody" <Jody@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Yes I believe that would be the way to go but there is a large learning
here. My thinking was as a first line of defense was to limit the
permissible characters in all the fields of each of the forms first,
work on stored procedures angle.
This is a very large site and I am just learning about it and best
not to mention learning to code. Therefore it feels more efficient to
snippets of code in the forms first then hire a consultant to do the
If you have some code example we could easily implement for each field
would be most appreciated.
Thanks - Jody
I have a client who needs help securing their website from SQL
injection, which has already occurred. We have locked down the SQL
end of things pretty well but need to cleanup and secure the code. The
are ASP pages are written in mostly HTML and Visual Basic Script.
What we need to learn how to do quickly (very newbie at this) is to
form fields to only allow the following characters so no SQL
will be accepted into any given form field
We want to only allow: abcdefghijklmnopqrstuvwxyz1234567890 @
If an apostrophe is entered we want it to be converted to two
with a space between them so ( ' ) would then be changed to ( ' ' )
double hyphens entered ( -- ) gets a space added between them ( - - )
other safe elimination of the double SQL hyphen.
The other (2nd priority item) would be to help us hide and/or password
protect the non-public db update forms.
Here is a sample of some of the form code on one of the forms if that
IF someone is willing to show us what the code is we need to insert
accomplish this that would VERY appreciated.
<td align="left">*First Name Initial *Last Name<br />
<input type="text" name="bFname" id="bFname" size="21" onKeyup="autotab(this, document.OD.bmI)" maxlength="30">
<input type="text" name="bmI" id="bmI" size="6" onKeyup="autotab(this, document.OD.bLname)" maxlength="3" tabindex="2">
<input type="text" name="bLname" id="bLname" size="30" onKeyup="autotab(this, document.OD.bStAddy1)" maxlength="30" tabindex="3"></td>
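An added example, written by the editor and not code from any poster in this thread, of what Dan Guzman means by parameterizing a statement without a stored procedure: a classic ASP (VBScript) handler for the three fields in the form above, showing the string-concatenated statement next to the ADODB.Command form that sends the values as typed parameters. The connection string, the Customers table and its column names are assumptions made for illustration.

```vbscript
<%
Option Explicit
' Added example for the form fields bFname, bmI and bLname.
' CONN_STR, the Customers table and its columns are hypothetical.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=Demo;Integrated Security=SSPI;"

' ADO constants, declared inline so the page does not depend on adovbs.inc.
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1
Const adExecuteNoRecords = 128

' Vulnerable pattern (for comparison only, never executed here): the posted
' values become part of the SQL text, so a value such as
'   x', 'y', 'z'); DROP TABLE Customers;--
' changes the statement itself. Doubling apostrophes or breaking up "--"
' only patches the string-literal case and leaves the text parsed as SQL.
Function BuildConcatenatedSql(fname, mi, lname)
    BuildConcatenatedSql = "INSERT INTO Customers (FirstName, MiddleInitial, LastName) VALUES ('" & _
        fname & "', '" & mi & "', '" & lname & "')"
End Function

' Safe pattern: the statement text is fixed, the values travel as parameters
' and the server never parses them as SQL. Parameter sizes match the
' maxlength attributes of the form (30 / 3 / 30).
Function InsertCustomer(fname, mi, lname)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO Customers (FirstName, MiddleInitial, LastName) VALUES (?, ?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("@FirstName", adVarChar, adParamInput, 30, fname)
    cmd.Parameters.Append cmd.CreateParameter("@MiddleInitial", adVarChar, adParamInput, 3, mi)
    cmd.Parameters.Append cmd.CreateParameter("@LastName", adVarChar, adParamInput, 30, lname)
    cmd.Execute , , adExecuteNoRecords

    conn.Close
    Set cmd = Nothing
    Set conn = Nothing
    InsertCustomer = True
End Function

' Form handling. The maxlength attributes only constrain the browser, so the
' lengths are enforced again on the server before the values are bound.
Dim fname, mi, lname
fname = Left(Trim(Request.Form("bFname")), 30)
mi    = Left(Trim(Request.Form("bmI")), 3)
lname = Left(Trim(Request.Form("bLname")), 30)

If Len(fname) = 0 Or Len(lname) = 0 Then
    Response.Write "First and last name are required."
Else
    InsertCustomer fname, mi, lname
    Response.Write "Saved."
End If
%>
```

The placeholder syntax (`?`) and the ordered Parameters collection are what SQLOLEDB expects for a plain text command; the same ADODB.Command object takes a stored procedure by setting CommandType to adStoredProc (4) later, so moving to procedures in a later phase does not change the page structure. An apostrophe or a double hyphen typed into any of the fields is stored exactly as entered, which is why no character filtering is needed for the SQL side; any allowlist the form still applies should be there for data quality, not as the injection defence.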