SQL Injection - Stored Procedures

Bã§TãRÐ

Doesn't really matter what the code is; the Execute command will just delete the stored procedure.

~Bastard
 
Dave Anderson

Bã§TãRÐ said:
For the average Joe user this is a monumental effort. Multiply that by
500,000 times and you have a world of hurt on your end. Also think
of the amount of people you'd have to hire (as a company) to deal
with lost password functionality and other related issues.

This makes no sense. If Joe Average can't remember a password with special
characters HE IS NOT GOING TO USE ONE. Your "solution" is to take away from
ME the ability to use them, meaning (a) Joe Average's limitations are forced
upon me, and consequently (b) MY account security is weakened by this
limited password alphabet.

And you have yet to explain how special characters make a shred of
difference for lost passwords. Don't give me the "user can't remember
passwords unless alphanumeric" argument because we already know that user
will never create such a password.

More to the point, you advocated restricting " and '. Is there something
that makes those two characters harder to remember or type than @ or *? No.
What is different about them is they are icky to deal with. Get over it.
Replace ' with '' or use ADODB.Command parameters to pass to SQL Server. Use
Server.HTMLEncode when displaying to the client[1] (this encodes ", among
others).


Now while I appreciate all the comments on this thread, we're a bit
off track - SQL Injection of Stored Procedures!!!!

And my above suggestions allow you to head off injection without restricting
the use of any characters.



[1] I think sending back a password is a horrible idea. This advice applies
to all free-form text fields.

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
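The two mitigations named above (doubling the apostrophe, or passing the value as an ADODB.Command parameter to a stored procedure) and the Server.HTMLEncode advice from note [1], as an added classic ASP example that is not from the original thread. The open connection conn, the procedure dbo.GetUserByName with one @UserName varchar(50) parameter, the form field username and the DisplayName column are assumptions.

```vbscript
<%
' Added example, not from the thread. Assumed: an open ADODB.Connection named
' conn, a procedure dbo.GetUserByName(@UserName varchar(50)), a form field
' "username" and a result column DisplayName.
Dim userName
userName = Request.Form("username")

' Vulnerable form: the value is pasted into the command text, so a quote in
' the input terminates the literal and the remainder is run as T-SQL.
' Set rs = conn.Execute("EXEC dbo.GetUserByName '" & userName & "'")

' Mitigation 1 (replace ' with ''): keeps the literal intact, but only covers
' string literals and has to be remembered at every call site.
Dim rsEscaped
Set rsEscaped = conn.Execute("EXEC dbo.GetUserByName '" & _
    Replace(userName, "'", "''") & "'")
rsEscaped.Close

' Mitigation 2 (preferred): ADODB.Command parameters. The value is sent
' separately from the SQL text, so no character needs to be restricted.
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1

Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "dbo.GetUserByName"
cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, _
    adParamInput, 50, userName)
Set rs = cmd.Execute

' Free-form text echoed back to the browser is HTML-encoded so that
' < > & and " become entities rather than markup.
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("DisplayName")) & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```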
 
Bob Lehmann

: How about that top posting? (O:=
I love it. :>)

: Are you having to scroll horizontally?
Just the opposite. I'm at 1600x1200. Although I don't have my newsreader
maximised, it's large enough that reading his posts is like trying to read a
newspaper article spread across 2 pages.

Bob Lehmann
 
Roland Hall

:> How about that top posting? (O:=
: I love it. :>)

Well, as long as you're happy.

: > Are you having to scroll horizontally?
: Just the opposite. I'm at 1600x1200. Although I don't have my newsreader
: maximised, it's large enough that reading his posts is like trying to read a
: newspaper article spread across 2 pages.

At that resolution you might be able to decrease your font and get it all on
a single line. Better yet, double your font size, grab your wireless
keyboard and mouse and sit across the room so you're far enough to read it.

So, if he were to set his line length to 72 characters, wouldn't the rest of
your monitor get lonely with all that whitespace?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
 
Dave Anderson

Roland said:
At that resolution you might be able to decrease your font and get it
all on a single line. Better yet, double your font size, grab your
wireless keyboard and mouse and sit across the room so you're far
enough to read it.

Heh. I was using the [Web Developer] Firefox extension a couple of days ago
to tweak styles on one of the pages I was viewing. In particular, I was
changing the font-size attribute for SELECT elements, and I noticed that
Firefox resizes as-you-type, so each keystroke changes the rendering of the
document. In short, I discovered that Firefox really will render fonts all
the way down to 1pt. The effect on the select element is stunning, since
*everything* shrinks with it (scrollbar, etc.).



--
Dave Anderson

 
Roland Hall

in message
: Roland Hall wrote:
: > At that resolution you might be able to decrease your font and get it
: > all on a single line. Better yet, double your font size, grab your
: > wireless keyboard and mouse and sit across the room so you're far
: > enough to read it.
:
: Heh. I was using the [Web Developer] Firefox extension a couple of days ago
: to tweak styles on one of the pages I was viewing. In particular, I was
: changing the font-size attribute for SELECT elements, and I noticed that
: Firefox resizes as-you-type, so each keystroke changes the rendering of the
: document. In short, I discovered that Firefox really will render fonts all
: the way down to 1pt. The effect on the select element is stunning, since
: *everything* shrinks with it (scrollbar, etc.).

That sounds interesting. I'll have to check that out. It may be a cheaper
alternative to drinking.

--
Roland Hall