
SQL Injection

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Database Discussion
Forum Description: Discussion and chat on database related topics.
URL: https://forums.webwiz.net/forum_posts.asp?TID=21250
Printed Date: 29 March 2026 at 2:47am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: SQL Injection
Posted By: zMaestro
Subject: SQL Injection
Date Posted: 08 September 2006 at 10:28am
Hello,
What is the best way to protect my web site from SQL Injection?
I've a login area for the database, and want to know the best way I can protect it.
Thank you.



Replies:
Posted By: VBScript
Date Posted: 08 September 2006 at 7:09pm
The best things to remove are standard brackets ( and ) and square brackets [ and ].

-------------
http://www.james-r.co.uk - James
http://www.gotrillian.com/?4498-20 - Trillian - M


Posted By: Mart
Date Posted: 08 September 2006 at 7:49pm
Removing brackets and square brackets won't do anything. The only correct way to protect against SQL injections in providers that support it is to use parameterised queries/stored procedures.

Are you using SQL Server, Access or MySQL?


Posted By: WebWiz-Bruce
Date Posted: 09 September 2006 at 9:17am
The simplest way to solve SQL injection issues is to filter any user input that is to be used with an SQL query to remove any single quote ' characters.

There are further things you can do to protect against SQL injections but this is the simplest and most effective.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


Posted By: Scott07
Date Posted: 30 November 2006 at 11:17am
If you ever search about this subject there are a million and one ideas about it (I am doing it for an undergraduate project). There are a lot of people who think using code to check is a waste of time, some people think you should use regular expressions on your input, proxy filtering and all sorts.
So far though the best rules I have found for ASP are:

for all numbers used in a query use the IsNumeric() function (to stop people submitting "1 OR 1=1")

for all strings remove all single quotes.

if you can't remove all single quotes because you need them you must change them to either \' or ''

if you change them to '' you must also check for \ (as this is a clever way of using the application to help you with your attack)

Don't fall into the false sense of security of having proxy filtering, there are easy ways round them using incorrect HTTP request headers.

Also don't fall into the trap of using custom error pages thinking this will stop people getting data out, as it's still easy on a vulnerable system.

Use the parameterised queries as these are currently believed to be immune (but who knows when the crackers will find a way round).

As a limiting mechanism don't connect to the database as the SA account as this could result in the attacker executing the stored procedure that accesses the command line shell.

I think that's all the basic ways to avoid it, with ASP it's quite easy as you can do full string replaces as a built-in function.


-------------
http://www.worldsofwar.co.uk - Worlds of War II
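The points Mart and Scott07 make above, as an added example that is not code from this thread (the thread is about classic ASP; this is a Python/SQLite version so it can be run anywhere). The users table, its two rows and the probe inputs are constructed for the demonstration; the probes are the classic "quote breakout" and the "1 OR 1=1" value Scott07 mentions. It shows that quote doubling fixes string contexts but does nothing for a numeric context, that a strict numeric check closes that gap, and that a parameterised query handles both without any per-context filtering:

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory login table (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "s3cret", "admin"), (2, "bob", "hunter2", "user")],
    )
    return conn


def login_concat(conn, name, password):
    """Vulnerable: user input pasted straight into the SQL text."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def double_quotes(value):
    """Scott07's string rule: turn ' into '' (SQL Server / Access / SQLite style)."""
    return value.replace("'", "''")


def login_escaped(conn, name, password):
    """String context with quote doubling: the quote-breakout hole is closed."""
    sql = ("SELECT name FROM users WHERE name = '" + double_quotes(name)
           + "' AND password = '" + double_quotes(password) + "'")
    return [row[0] for row in conn.execute(sql)]


def user_by_id_concat(conn, user_id):
    """Numeric context: the value is unquoted, so quote doubling does not help."""
    sql = "SELECT name FROM users WHERE id = " + double_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def is_numeric(value):
    """Strict stand-in for ASP's IsNumeric(): ASCII digits only, nothing else."""
    return re.fullmatch(r"[0-9]+", value.strip()) is not None


def user_by_id_checked(conn, user_id):
    """Scott07's number rule: reject anything that is not purely numeric."""
    if not is_numeric(user_id):
        raise ValueError("user id must be numeric")
    sql = "SELECT name FROM users WHERE id = " + user_id.strip()
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Mart's answer: a parameterised query; values never touch the SQL text."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def user_by_id_param(conn, user_id):
    """Same for the numeric context: the driver binds the value, no filtering needed."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def demo():
    """Run each variant against the constructed probes and collect the results."""
    conn = make_db()
    quote_probe = "' OR '1'='1"      # constructed: closes the literal, adds a tautology
    number_probe = "1 OR 1=1"        # constructed: the value Scott07 warns about
    return {
        "concat_bypass": login_concat(conn, "anything", quote_probe),
        "escaped_ok": login_escaped(conn, "anything", quote_probe),
        "param_ok": login_param(conn, "anything", quote_probe),
        "numeric_concat_bypass": user_by_id_concat(conn, number_probe),
        "numeric_check_rejects": not is_numeric(number_probe),
        "numeric_param_ok": user_by_id_param(conn, number_probe),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Note that the `''` doubling is exact for SQLite, SQL Server and Access, which is why the backslash case Scott07 raises does not show up here; on MySQL, where `\` escapes the next character inside a string literal, an input beginning with `\'` survives doubling as `\''`, which the server reads as an escaped quote followed by a closing quote. That is precisely the kind of per-dialect detail the parameterised versions let you stop caring about.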


Posted By: MrMellie
Date Posted: 14 December 2006 at 9:30pm
In a mod I did for my Snitz forum, I used a combination of replacing non-alphanumeric characters with their ASCII code and used HTMLEncode to change other "dangerous" characters to stuff SQL won't recognise. I believe this is secure, unless anyone can prove otherwise?


