ASP and SQL Injection prevention

Simon Wigzell

Is it possible to "intercept" all calls to conn.execute and have them go to
a checking routine that will either let the command go through or terminate
it if it contains some illegal instructions? My client's company has had its
hacker-free status revoked due to the possibility of SQL injection. I could
put a function before every single conn.execute but we have hundreds of
them. Just wondering if there is some way of telling it to do something else
first. Maybe I can redefine conn.execute somehow?

Thanks!
 
Bob Barrows [MVP]

Simon said:
Is it possible to "intercept" all calls to conn.execute and have them
go to a checking routine that will either let the command go through
or terminate it if it contains some illegal instructions? My client's
company has had its hacker-free status revoked due to the possibility
of SQL injection. I could put a function before every single
conn.execute but we have hundreds of them. Just wondering if there is
some way of telling it to do something else first. Maybe I can
redefine conn.execute somehow?
Thanks!
The best way to prevent SQL injection is to use parameters instead of
concatenation. See:
Access:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&[email protected]

http://groups.google.com/groups?hl=...=1&[email protected]



Select statement:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/b3d322b882a604bd

Using Command object to parameterize CommandText:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e


SQL Server:

http://tinyurl.com/jyy0
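
Added example, not part of the original thread or of either poster's code: a single helper that hundreds of conn.Execute call sites can be switched to, binding user input as ADO Command parameters instead of concatenating it into the SQL text. The helper name ExecParam, the Users table and the form field "user" are hypothetical; conn is assumed to be an open ADODB.Connection.

```vbscript
' Added example. Runs inside a classic ASP page's <% ... %> block.
' Assumed: conn is an open ADODB.Connection; Users(UserName, City) is a
' hypothetical table; ExecParam is a hypothetical helper name.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202

' Pattern that gets flagged: input becomes part of the SQL text itself.
'   sql = "SELECT City FROM Users WHERE UserName = '" & Request.Form("user") & "'"
'   Set rs = conn.Execute(sql)

' sql uses ? placeholders (positional, as the OLE DB providers expect for
' adCmdText); values is an array whose items are bound in order.
Function ExecParam(conn, sql, values)
    Dim cmd, i, v, p
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    For i = 0 To UBound(values)
        v = values(i)
        If VarType(v) = vbInteger Or VarType(v) = vbLong Then
            Set p = cmd.CreateParameter("p" & i, adInteger, adParamInput, , v)
        Else
            ' Everything else is sent as a Unicode string value.
            ' Variable-length types need a Size greater than zero.
            v = CStr(v)
            Set p = cmd.CreateParameter("p" & i, adVarWChar, adParamInput, Len(v) + 1, v)
        End If
        cmd.Parameters.Append p
    Next
    ' The provider sends the values separately from the statement text,
    ' so quotes or SQL keywords in them are treated as data only.
    Set ExecParam = cmd.Execute
End Function

' Call site after conversion: the SQL string is a constant.
Dim rs
Set rs = ExecParam(conn, "SELECT City FROM Users WHERE UserName = ?", _
                   Array(CStr(Request.Form("user"))))
If Not rs.EOF Then
    Response.Write Server.HTMLEncode(rs("City").Value & "")
End If
rs.Close
```

Each call site still has to be edited once to replace the concatenated string with placeholders, but the binding logic lives in one routine.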
 
