[thelist] sql injection problem

patrick pms at stoutstreet.com
Mon Sep 25 11:15:29 CDT 2006


Brian Cummiskey wrote:
> I'm testing a new app against HackerSafe and I keep failing on one page.
> 
> I CAN'T use a stored procedure...  they won't let me.  (I know, I 
> know...) so I'm doing the best I can to clean the query strings.
> 
> I'm using the following ASP replacements before the ncat var is passed 
> into the inline query:
> 
>         ncat = replace( ncat, "'", "''" )
>         ncat = replace( ncat, """", "" )
>         ncat = replace( ncat, ")", "" )
>         ncat = replace( ncat, "(", "" )
>         ncat = replace( ncat, ";", "" )
>         ncat = replace( ncat, "-", "" )
>         ncat = replace( ncat, "|", "" )
>         ncat = replace( ncat, "<", "" )
>         ncat = replace( ncat, ">", "" )
>         ncat = replace( ncat, "script", "" )
> 
> 
> But I'm still failing.
> 
> Any advice on what I'm missing?


Not an ASP guy, but you might try finding/replacing newline character(s)

-- 

patrick sanders
http://www.stoutstreet.com
web sites that fit
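As an added illustration (not code from either poster), the replace() chain quoted above is ported to Python and run beside a parameterised query against an in-memory SQLite table. The table, the category names and the function names are constructed for this example; the point it makes is a defender's one: a character blacklist silently corrupts legitimate data (hyphens, parentheses and the substring "script" inside ordinary words all get stripped), while a bound parameter needs no filtering at all and returns the stored value intact. It also shows the numeric case: when the value is interpolated unquoted as a number, none of the quote handling applies, and the sound fix is to validate the type and bind it.

```python
import sqlite3

# Port of the ASP replace() chain from the post. VBScript's replace() is a
# single pass and, by default, case-sensitive; str.replace() behaves the same.
BLACKLIST = [
    ("'", "''"), ('"', ""), (")", ""), ("(", ""), (";", ""),
    ("-", ""), ("|", ""), ("<", ""), (">", ""), ("script", ""),
]


def sanitize_blacklist(value: str) -> str:
    """Apply the replacements in the order the post lists them."""
    for needle, replacement in BLACKLIST:
        value = value.replace(needle, replacement)
    return value


def setup_db() -> sqlite3.Connection:
    """Constructed sample table (SQLite here; the post's dialect is not stated)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO categories(name) VALUES (?)",
        [("Books",), ("Sci-Fi (Classic)",), ("O'Reilly",), ("Manuscripts",)],
    )
    conn.commit()
    return conn


def find_by_name_inline(conn: sqlite3.Connection, ncat: str) -> list:
    """The pattern from the post: blacklist-filter, then concatenate into SQL."""
    cleaned = sanitize_blacklist(ncat)
    sql = "SELECT name FROM categories WHERE name = '" + cleaned + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn: sqlite3.Connection, ncat: str) -> list:
    """Parameterised alternative: the driver binds the value, so no character
    in it can be read as SQL syntax and nothing has to be stripped."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM categories WHERE name = ?", (ncat,))]


def find_by_id_param(conn: sqlite3.Connection, ncat: str) -> list:
    """Numeric key: validate the type first (int() rejects anything that is not
    an integer), then bind it. Quote-doubling is irrelevant for an unquoted
    numeric literal, so type validation plus binding is the whole defence."""
    cat_id = int(ncat)
    return [row[0] for row in conn.execute(
        "SELECT name FROM categories WHERE id = ?", (cat_id,))]


if __name__ == "__main__":
    db = setup_db()
    for name in ("Sci-Fi (Classic)", "O'Reilly", "Manuscripts"):
        print(repr(name), "->", repr(sanitize_blacklist(name)),
              "| inline:", find_by_name_inline(db, name),
              "| param:", find_by_name_param(db, name))
```

Running it shows "Sci-Fi (Classic)" reduced to "SciFi Classic" and "Manuscripts" to "Manus" before the inline query ever runs, so those rows can no longer be found, while the bound query returns each of them unchanged; the apostrophe case happens to survive only because quote-doubling is exactly what the string literal needs. That data loss is the usual first symptom that a filter is standing in for a parameter.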


