checking POST vars for SQL INJECTION

Discussion in 'ASP General' started by Cogswell, Feb 3, 2005.

  1. Cogswell

    Cogswell Guest

    I am working on an ecommerce app and want to be able to take my entire
    POST results as one item (or iterate through them) and check for any
    malicious SQL INJECTION items. After checking/escaping them I want to
    save them back into the post results. The reason for this is because I
    have coded the entire app and just learned about the dangers of SQL
    Injection and rather than going through every post var and fixing it I
    would rather run a function at the beginning of each page. Any ideas?

    Thanks
    Cogswell, Feb 3, 2005
    #1

  2. Cogswell wrote:
    > I am working on an ecommerce app and want to be able to take my entire
    > POST results as one item (or iterate through them) and check for any
    > malicious SQL INJECTION items.


    Client-side (pre-submission)? Or server-side (post-submission)? If the
    former, ask on a client-side newsgroup such as .scripting.jscript.

    > After checking/escaping them i want to
    > save them back into the post results.


    This sounds as if you want to do it prior to the form's submission (using
    the form's onsubmit event).

    > The reason for this is because I
    > have coded the entire app and just learned about the dangers of SQL
    > Injection and rather than going through every post var and fix it I
    > would rather run a function at the beginning of each page. Any ideas?
    >
    > Thanks

    Don't bother. Just pass the values as parameters instead of using dynamic
    sql and you won't have to worry about sql injection.

    The problem with validation is that:
    a) Sometimes legitimate data may resemble malicious code
    b) Hackers keep coming up with new ways to mask their injected sql

    Without dynamic sql, injection is not possible. And no, this does not mean
    all your sql has to be converted to stored procedures (although this can be
    a good thing). You can use parameter markers in sql strings to avoid
    concatenating your data into the strings. Of course, this technique
    requires the use of explicit Command objects to pass the parameter values
    ....

    Bob Barrows
    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Feb 3, 2005
    #2
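As an added illustration (not code from either poster), the following classic ASP page shows the parameter-marker approach Bob describes: the form value never becomes part of the SQL text, so there is nothing to escape. The connection string, the Customers table and its columns, and the form field name are assumptions made for the example.

```vbscript
<%
Option Explicit
' Added example, not part of the original thread.
' Table, column and connection details below are assumed for illustration.

' The pattern the question describes, kept here only as a comment:
' the form value is spliced into the SQL text, so an apostrophe in the
' input (e.g. the name O'Brien) ends the string literal early and whatever
' follows it is parsed as SQL rather than as data.
'   sql = "SELECT Name FROM Customers WHERE Email = '" & Request.Form("email") & "'"
'   Set rs = conn.Execute(sql)

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
' Assumed connection string; adjust provider/server/database for your site.
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Shop;Integrated Security=SSPI;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText: plain SQL text, no stored procedure needed
' "?" marks where each parameter value goes; the SQL text is fixed.
cmd.CommandText = "SELECT CustomerID, Name FROM Customers WHERE Email = ? AND Status = ?"

' CreateParameter(name, type, direction, size, value)
' 200 = adVarChar, 1 = adParamInput. The value travels to the server
' separately from the statement, so quotes or keywords inside it stay data.
cmd.Parameters.Append cmd.CreateParameter("email", 200, 1, 255, Request.Form("email"))
cmd.Parameters.Append cmd.CreateParameter("status", 200, 1, 20, "active")

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output as well: parameters stop SQL injection, not HTML injection.
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The order in which parameters are appended must match the order of the `?` markers, and the declared size must be large enough for the value; both are easy to get wrong silently, so check them when converting an existing concatenated query.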