checking POST vars for SQL INJECTION


Cogswell

I am working on an ecommerce app and want to be able to take my entire
POST results as one item (or iterate through them) and check for any
malicious SQL INJECTION items. After checking/escaping them I want to
save them back into the post results. The reason for this is because I
have coded the entire app and just learned about the dangers of SQL
Injection, and rather than going through every post var and fixing it I
would rather run a function at the beginning of each page. Any ideas?

Thanks
 

Bob Barrows [MVP]

Cogswell said:
> I am working on an ecommerce app and want to be able to take my entire
> POST results as one item (or iterate through them) and check for any
> malicious SQL INJECTION items.

Client-side (pre-submission)? Or server-side (post-submission)? If the
former, ask on a client-side newsgroup such as .scripting.jscript.

> After checking/escaping them I want to
> save them back into the post results.

This sounds as if you want to do it prior to the form's submission (using
the form's onsubmit event).

> The reason for this is because I
> have coded the entire app and just learned about the dangers of SQL
> Injection, and rather than going through every post var and fixing it I
> would rather run a function at the beginning of each page. Any ideas?
>
> Thanks

Don't bother. Just pass the values as parameters instead of using dynamic
SQL and you won't have to worry about SQL injection.

The problem with validation is that:
a) Sometimes legitimate data may resemble malicious code
b) Hackers keep coming up with new ways to mask their injected SQL

Without dynamic SQL, injection is not possible. And no, this does not mean
all your SQL has to be converted to stored procedures (although this can be
a good thing). You can use parameter markers in SQL strings to avoid
concatenating your data into the strings. Of course, this technique
requires the use of explicit Command objects to pass the parameter values
....

Bob Barrows
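The pattern Bob describes, shown as an added classic ASP example (this is not code from either poster): the same product lookup written first as dynamic SQL built from Request.Form, then with `?` parameter markers and an ADODB.Command. The table Products(ProductID, Name, CategoryID), the form fields `cat` and `name`, and the connection string stored in Application("ConnString") are assumptions for illustration.

```vbscript
<%
Option Explicit
' Added example, not from the thread. Assumes a hypothetical table
' Products(ProductID int, Name varchar(50), CategoryID int) and a
' connection string stored in Application("ConnString").

' ADO constants (normally from adovbs.inc), declared here so the page
' runs without the include file.
Const adCmdText    = 1
Const adParamInput = 1
Const adInteger    = 3
Const adVarChar    = 200

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

' --- Vulnerable: the user's text becomes part of the SQL statement ---
' name = O'Brien            -> syntax error (legitimate data that looks malicious)
' name = x' OR '1'='1       -> every row comes back
' cat  = 1; DROP TABLE Products--  -> a second statement runs
Function FindProductsDynamic(category, namePrefix)
    Dim sql
    sql = "SELECT ProductID, Name FROM Products WHERE CategoryID = " & category & _
          " AND Name LIKE '" & namePrefix & "%'"
    Set FindProductsDynamic = conn.Execute(sql)
End Function

' --- Hardened: the SQL text is fixed; values travel as parameters ---
' The provider never parses O'Brien or x' OR '1'='1 as SQL, so there is
' nothing to escape and no blacklist to maintain.
Function FindProductsParam(category, namePrefix)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT ProductID, Name FROM Products " & _
                      "WHERE CategoryID = ? AND Name LIKE ?"
    ' Parameters bind positionally, in the order of the ? markers.
    ' adVarChar needs an explicit size: 50 for the column plus the "%".
    cmd.Parameters.Append cmd.CreateParameter("@cat", adInteger, adParamInput, , category)
    cmd.Parameters.Append cmd.CreateParameter("@name", adVarChar, adParamInput, 51, namePrefix & "%")
    Set FindProductsParam = cmd.Execute
End Function

' Type-check numeric input once where it enters the page. A non-numeric
' value would otherwise raise an ADO error when bound to adInteger.
Dim cat, rs
If Not IsNumeric(Request.Form("cat")) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
cat = CLng(Request.Form("cat"))

Set rs = FindProductsParam(cat, Request.Form("name"))
Do Until rs.EOF
    ' HTMLEncode on output: parameters stop SQL injection, not script injection.
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

Two caveats a practitioner will want. First, a parameter protects the statement's structure, not its semantics: a user-supplied `%` or `_` in the LIKE value still acts as a wildcard, so if that matters, escape those two characters (or validate the field) before binding. Second, the parameter approach only helps where the data is a value; a column name or ORDER BY direction taken from the request cannot be parameterised and must be checked against a fixed list of allowed names instead.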
 
