Re: SQL Injection Code Help
- From: "pblse2" <lundin.patrik@xxxxxxxxx>
- Date: 19 Jun 2006 08:58:36 -0700
jbiros wrote:
> The most important characters to get rid of are the single quote and
> the semi-colon. ...
Sorry, but no, the most important thing is using the correct method of
inserting values when querying. For some reason a lot of people think
that appending strings is the correct way; it isn't.
You should parameterize your queries, just as previously suggested in
this thread; this is the whole reason it was developed in the first
place.
I really don't know where this thing with appending SQL strings comes
from. I suspect it is from simple examples that people read in the
early days of their careers; then they think that is the correct way
of doing it, and they start getting "creative" with more or less
stupid ways of filtering queries.
USE PARAMETERS!!! This is what they are for.
I do, however, agree with you that it is a good idea to verify incoming
values: if you expect a numeric value, check it; if you expect a date,
check it.
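To make the two points in this reply concrete (bind values as parameters instead of appending them to the SQL text, and still type-check values you expect to be numeric), here is an added example that is not part of the original thread. It uses Python's built-in sqlite3 module with an in-memory table and constructed sample rows, so it runs offline; the table, column names and the hostile input string are assumptions made for the demonstration, and the same parameter-binding idea applies to SQL Server clients.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_by_name_concat(conn, name):
    """The pattern the reply argues against: the value is spliced into the SQL
    text, so any quote characters in it change the meaning of the statement."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_by_name_param(conn, name):
    """Parameterized form: the SQL text is fixed and the value is bound separately,
    so the database never parses the value as part of the statement."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def parse_user_id(raw):
    """Type check for a value expected to be a non-negative integer.
    Returns the integer, or None when the input is not purely digits."""
    raw = raw.strip()
    if not raw.isdigit():
        return None
    return int(raw)


def lookup_by_id(conn, raw_id):
    """Validate the incoming value as numeric, then still bind it as a parameter."""
    uid = parse_user_id(raw_id)
    if uid is None:
        return []
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (uid,)).fetchall()


def demo():
    """Run both lookups against an honest value and a constructed value that
    contains the single quote the thread discusses; return all results."""
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"  # constructed input: a quote and an always-true clause
    return {
        "concat_honest": lookup_by_name_concat(conn, honest),
        "concat_hostile": lookup_by_name_concat(conn, hostile),
        "param_honest": lookup_by_name_param(conn, honest),
        "param_hostile": lookup_by_name_param(conn, hostile),
        "id_ok": lookup_by_id(conn, "2"),
        "id_bad": lookup_by_id(conn, "2 OR 1=1"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The string-appending lookup returns every row for the hostile input, because the quote closes the literal and the rest becomes SQL; the parameterized lookup returns no rows, because the whole string is compared as a name and nothing else. The numeric check shows the second point: a value that is supposed to be an id is rejected before it ever reaches a query, and when it is accepted it is still passed as a parameter rather than concatenated.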