Michael Kujawa
Hi All,
I have been given a site to redo. In the process of looking at the code,
the live site is open to SQL injection. I know what needs to be done but
have limited time right now to redo it correctly. In the interim, while I am
rewriting the site, will adding a few lines of code as below prevent SQL
injection until I have the time to rebuild the functions and move to stored
procedures?
Basically, client side I added an onKeypress JavaScript routine
to look for ' or " and disallow them in the login fields:
<script>
function checkcode()
{
    // 34 = double quote, 39 = single quote (legacy IE keyCode/returnValue event model)
    if(event.keyCode==34 || event.keyCode==39){event.returnValue = false;}
}
</script>
Server side, I then added an if/else statement to trap the case where the user
has JavaScript disabled:
<%
if request.form("submit")="Login" then
    if len(rtrim(request("UserID")))>0 and len(rtrim(request("Password")))>0 then
        ' lines added to trap single / double quotes in either field
        ' (both fields must be free of the character, so the tests are joined with "and";
        '  VBScript needs the "_" continuation to split one statement across lines)
        if instr(rtrim(request("UserID")),"'")=0 and _
           instr(rtrim(request("password")),"'")=0 and _
           instr(rtrim(request("UserID")),"""")=0 and _
           instr(rtrim(request("password")),"""")=0 then
            ' original query: user input is concatenated straight into the SQL text
            rs.open "select * from FTSUsers where UserID='" & _
                rtrim(request("UserID")) & "' and password='" & rtrim(request("password")) & _
                "'", connstrx, 3, 4
            ' more syntax below not relevant to the question
%>
Will this be sufficient for the time being in preventing SQL injection
until I have time to create the new syntax and stored procedures?
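The following is an added illustration written for this thread, not code from the original post: it puts the post's two ideas side by side in Python with an in-memory SQLite table standing in for FTSUsers (the table name, the sample users and the passwords are constructed for the example). `has_quote` is the server-side blacklist from the post, `build_query_unsafe` is the same string concatenation, and `login_parameterized` is the form the rewrite should move to, where the driver receives the user's text as a bound value rather than as part of the SQL statement. A user whose name legitimately contains an apostrophe shows the difference: the blacklist rejects them, the concatenated statement becomes invalid SQL, and the parameterized query simply works.

```python
import sqlite3

# Constructed sample data standing in for the FTSUsers table in the post.
# Plain-text passwords are kept only to mirror the post's query; a real
# rewrite should store a password hash instead.
SAMPLE_USERS = [("alice", "secret"), ("o'brien", "pw1")]


def make_db():
    """Create an in-memory table shaped like the post's FTSUsers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table FTSUsers (UserID text, password text)")
    conn.executemany("insert into FTSUsers values (?, ?)", SAMPLE_USERS)
    return conn


def has_quote(value):
    """The server-side blacklist from the post: reject input holding ' or "."""
    return "'" in value or '"' in value


def build_query_unsafe(user_id, password):
    """The post's string concatenation, returned as SQL text so the reader can
    see that a quote in the input is indistinguishable from SQL syntax."""
    return ("select * from FTSUsers where UserID='" + user_id.rstrip()
            + "' and password='" + password.rstrip() + "'")


def login_concatenated(conn, user_id, password):
    """Run the concatenated statement. Returns the matched UserID, None when
    no row matches, or the string 'SQL syntax error' when the input broke
    the statement (what happens to a legitimate user named o'brien)."""
    try:
        row = conn.execute(build_query_unsafe(user_id, password)).fetchone()
    except sqlite3.OperationalError:
        return "SQL syntax error"
    return row[0] if row else None


def login_parameterized(conn, user_id, password):
    """Hardened form: '?' placeholders. The values travel to the engine as
    data, so quotes in them never become part of the statement."""
    row = conn.execute(
        "select UserID from FTSUsers where UserID=? and password=?",
        (user_id.rstrip(), password.rstrip()),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for user, pw in SAMPLE_USERS:
        print(user, "blacklisted:", has_quote(user),
              "| concatenated:", login_concatenated(db, user, pw),
              "| parameterized:", login_parameterized(db, user, pw))
```

In classic ASP the same idea is an ADODB.Command object whose Parameters collection is filled with CreateParameter, which is also how the stored procedures mentioned in the post are called; the quote filter then becomes unnecessary because no user text is ever pasted into the SQL.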