
Protection for SQL Injection

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Classic ASP Discussion
Forum Description: Discussion on Active Server Pages (Classic ASP).
URL: https://forums.webwiz.net/forum_posts.asp?TID=24362
Printed Date: 28 March 2026 at 7:50pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Protection for SQL Injection
Posted By: zMaestro
Subject: Protection for SQL Injection
Date Posted: 07 September 2007 at 12:12pm
Hi,
Is this code enough to protect from SQL Injection?
<%
If InStr(Request.QueryString, "'") Then Response.Redirect "http://www.disney.com"
%>



Replies:
Posted By: Scotty32
Date Posted: 07 September 2007 at 12:31pm
Could you not just remove it? Or replace it with the HTML equivalent like WWF does?

-------------
S2H.co.uk - http://www.s2h.co.uk/wwf/ - WebWiz Mods and Skins

For support on my mods + skins, please use my forum: http://www.s2h.co.uk/forum/


Posted By: WebWiz-Bruce
Date Posted: 07 September 2007 at 12:32pm
There are lots of ways to do SQL injections, and it all depends on which database you are using.

-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: CMDevelopment
Date Posted: 08 September 2008 at 4:51pm
We use a custom designed script that will search for any SQL within anything that is being saved to the database.

The quickest way to look for this is to use the Ireplace function and search for any SQL and replace it with #Drop# or #Select#; that way you can prevent any commands being executed on your server.

Below is a quick snippet of my script:

Function SQLPROTECT(inputstr)
    '(C) CM Development Ltd. 2008
    'The purpose of this script is to check any of the data passed by forms and other information in the system to ensure that it is
    'indeed "SQL SAFE". It will check for standard JavaScript and VBScript code, and SQL syntax will also be removed from the string.
    'It then returns a nice safe alternative so that the SQL database and website as a whole is safe.
    'This added to an ISAPI filter will block most attacks from hackers.

    Dim wStr
    wStr = inputstr

    'Java and VB replaces (VBScript Replace is case-sensitive by default, hence one call per casing)
    wStr = Replace(wStr, "script", "##scr##")
    wStr = Replace(wStr, "Script", "##Scr##")
    wStr = Replace(wStr, "SCRIPT", "##SCR##")

    'Standard replaces (the rest of the list is not included in this snippet)

    'Return the filtered string
    SQLPROTECT = wStr
End Function

and so you can see that if you can be bothered to go through all the different possible attacks and the coding behind each one, you may be able to stop them before they get in.

As Bruce also says, with most databases you can secure them from the server end, and also with IIS 7 you can setup ISAPI filters to stop most attacks as added security.


-------------
CM Development
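Every approach in this thread filters input before it is concatenated into SQL text. As an added example (not code from any of the posters), the same kind of lookup in Classic ASP written with a parameterized ADODB.Command, so user input never becomes part of the SQL string and the quote check from the opening post is not what the query's safety rests on. Assumed: a connection string strConn and a table Users(UserID int, UserName nvarchar(50)).

```vbscript
<%
Option Explicit
' Added example: parameterized query in Classic ASP (assumed schema, see lead-in).
Dim strConn
strConn = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=MyDb;Integrated Security=SSPI;"

' Vulnerable pattern (shown only as a comment): input concatenated into SQL text.
' Stripping one character does not make this safe; the query text is still built from input.
' sql = "SELECT UserID FROM Users WHERE UserName = '" & Request.Form("user") & "'"

Dim userName, conn, cmd, rs
userName = Request.Form("user")

' Validate the shape of the field first (the column is nvarchar(50) in the assumed schema).
If Len(userName) = 0 Or Len(userName) > 50 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strConn

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText
' The placeholder is the only thing in the SQL text; the value is sent separately, typed.
cmd.CommandText = "SELECT UserID FROM Users WHERE UserName = ?"
' CreateParameter(Name, Type, Direction, Size, Value): adVarWChar = 202, adParamInput = 1.
' Quotes, semicolons or SQL keywords inside the value are just data to the driver.
cmd.Parameters.Append cmd.CreateParameter("@user", 202, 1, 50, userName)

Set rs = cmd.Execute
If Not rs.EOF Then
    ' Encode on output as well; SQL parameters do not protect the HTML side.
    Response.Write "UserID: " & Server.HTMLEncode(CStr(rs("UserID")))
Else
    Response.Write "No such user."
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

Parameterization addresses the SQL side only; the keyword and script filtering discussed in this thread is a separate concern and does not replace encoding output with Server.HTMLEncode.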




Forum Software by Web Wiz Forums® version 12.08 - https://www.webwizforums.com
Copyright ©2001-2026 Web Wiz Ltd. - https://www.webwiz.net