Re: SQL Injection Code Help
You shouldn't be working in this area; hire someone that knows what they are
doing instead. You can get plenty of good programmers at, for example,
rentacoder.com

I'm so tired of seeing people working as programmers that know absolutely
nothing about what they are doing. If you are a "newbie" you should go back
to school, not work as a programmer.

PL.


"Jody" <Jody@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EF78DD97-3CC8-4786-B1C0-EDFC7BE5D994@xxxxxxxxxxxxxxxx
Sorry but I am a newbie. What do you mean by parameterize?

"Dan Guzman" wrote:

Note that you can parameterize SQL statements even without procs. Perhaps a
phased implementation will get you there faster.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"Jody" <Jody@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1F902517-1CEF-43E4-B669-C3DE2B1F116B@xxxxxxxxxxxxxxxx
Yes, I believe that would be the way to go, but there is a large learning
curve here. My thinking was that a first line of defense would be to limit
the permissible characters in all the fields of each of the forms first,
then work on the stored procedures angle.

This is a very large site and I am just learning about it and best
practice, not to mention learning to code. Therefore it feels more
efficient to put snippets of code in the forms first, then hire a
consultant to do the rest. If you have some code example we could easily
implement for each field, that would be most appreciated.

Thanks - Jody

"Jody" wrote:

I have a client who needs help securing their website from SQL injection,
which has already occurred. We have locked down the SQL Server end of
things pretty well but need to clean up and secure the code. The pages are
ASP pages written mostly in HTML and Visual Basic Script.

What we need to learn how to do quickly (very newbie at this) is to set
all form fields to only allow the following characters, so no SQL
instructions will be accepted into any given form field.

We want to only allow: abcdefghijklmnopqrstuvwzyz1234567890 @ . - _

If an apostrophe is entered we want it to be converted to two apostrophes
with a space between them, so ( ' ) would then be changed to ( ' ' ), and
any double hyphens entered ( -- ) get a space added between them ( - - ),
or some other safe elimination of the double SQL hyphen.

The other (2nd priority item) would be to help us hide and/or password
protect the non-public db update forms.

Here is a sample of some of the form code on one of the forms, if that
helps. If someone is willing to show us what code we need to insert to
accomplish this, that would be VERY appreciated.

<td align="left">*First Name Initial *Last Name<br />
  <input type="text" name="bFname" id="bFname" size="21"
         onKeyup="autotab(this, document.OD.bmI)" maxlength="30" tabindex="1">
  <input type="text" name="bmI" id="bmI" size="6"
         onKeyup="autotab(this, document.OD.bLname)" maxlength="3" tabindex="2">
  <input type="text" name="bLname" id="bLname" size="30"
         onKeyup="autotab(this, document.OD.bStAddy1)" maxlength="30" tabindex="3">
</td>
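Dan Guzman's point that SQL statements can be parameterized without stored procedures, and Jody's question about what that means, illustrated with an added example that is not code from anyone in this thread: the three fields from Jody's form sent to SQL Server as typed parameters from a classic ASP page, with the concatenation pattern that lets an apostrophe or double hyphen alter the statement shown as a comment for comparison. The connection string, table name and column names are assumptions.

```vbscript
<%
' Added example (not from the thread): parameterizing an INSERT in classic ASP
' with ADODB.Command, no stored procedure needed. Connection string, table
' and column names below are assumed for illustration.
Option Explicit

' Standard ADO constants (normally provided by adovbs.inc)
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' --- Before: the field text becomes part of the SQL statement itself ---
' sql = "INSERT INTO Orders (FirstName, MiddleInitial, LastName) VALUES ('" & _
'       Request.Form("bFname") & "', '" & Request.Form("bmI") & "', '" & _
'       Request.Form("bLname") & "')"
' conn.Execute sql
' An apostrophe ends the string literal and a double hyphen comments out the
' rest, so filtering characters is fighting the symptom, not the cause.

' --- After: values travel as parameters and are never parsed as SQL text ---
Dim conn, cmd
Set conn = Server.CreateObject("ADODB.Connection")
' Assumed connection string; use whatever the site already uses
conn.Open "Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=SiteDB;Integrated Security=SSPI;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' "?" placeholders are filled positionally by the parameters appended below
cmd.CommandText = "INSERT INTO Orders (FirstName, MiddleInitial, LastName) VALUES (?, ?, ?)"

' Size matches the form's maxlength; server-side length limits still apply
' because the HTML maxlength is only a client-side convenience
cmd.Parameters.Append cmd.CreateParameter("FirstName", adVarChar, adParamInput, 30, Request.Form("bFname"))
cmd.Parameters.Append cmd.CreateParameter("MiddleInitial", adVarChar, adParamInput, 3, Request.Form("bmI"))
cmd.Parameters.Append cmd.CreateParameter("LastName", adVarChar, adParamInput, 30, Request.Form("bLname"))

cmd.Execute   ' the apostrophe in a name like O'Brien is stored as typed
conn.Close
Set cmd = Nothing
Set conn = Nothing
%>
```

Each page that builds SQL from Request.Form or Request.QueryString gets the same treatment, one statement at a time, which is the phased approach Dan describes.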
