[thelist] sql injection problem
patrick
pms at stoutstreet.com
Mon Sep 25 11:15:29 CDT 2006
Brian Cummiskey wrote:
> I'm testing a new app against HackerSafe and I keep failing on one page.
>
> I CAN'T use a stored procedure... they won't let me. (i know, i
> know...) so I'm doing the best I can to clean the querystrings.
>
> I'm using the following ASP replacements before the ncat var is passed
> into the inline query:
>
> ncat = replace( ncat, "'", "''" )
> ncat = replace( ncat, """", "" )
> ncat = replace( ncat, ")", "" )
> ncat = replace( ncat, "(", "" )
> ncat = replace( ncat, ";", "" )
> ncat = replace( ncat, "-", "" )
> ncat = replace( ncat, "|", "" )
> ncat = replace( ncat, "<", "" )
> ncat = replace( ncat, ">", "" )
> ncat = replace( ncat, "script", "" )
>
>
> But i'm still failing.
>
> Any advice on what I'm missing?
Not an ASP guy, but you might try finding/replacing newline character(s).
--
patrick sanders
http://www.stoutstreet.com
web sites that fit
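The replace chain quoted above strips characters out of the value before it is pasted into the query text; the alternative that removes the problem instead of chasing characters is a parameterized query, where the value is never part of the SQL. The following is an added example, not code from the thread: it ports the replace chain to Python (sqlite3 stands in for the ASP inline query; the `categories` table and its rows are constructed here) and runs the same lookup both ways, showing that the blacklist also mangles legitimate category names that the parameterized version handles untouched.

```python
import sqlite3

# Port of the replace() chain from the quoted message, in the same order.
BLACKLIST = [("'", "''"), ('"', ""), (")", ""), ("(", ""), (";", ""),
             ("-", ""), ("|", ""), ("<", ""), (">", ""), ("script", "")]


def blacklist_clean(ncat: str) -> str:
    """Apply the character-stripping chain exactly as the ASP code does."""
    for old, new in BLACKLIST:
        ncat = ncat.replace(old, new)
    return ncat


def make_db() -> sqlite3.Connection:
    """Constructed sample table: ids 1..3 with names containing 'safe' and 'unsafe' characters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories(name) VALUES (?)",
                     [("Books",), ("O'Reilly (2nd ed.)",), ("Post-script; misc",)])
    return conn


def lookup_inline(conn: sqlite3.Connection, ncat: str) -> list:
    """The pattern from the thread: strip characters, then concatenate into the SQL text."""
    sql = "SELECT id FROM categories WHERE name = '%s'" % blacklist_clean(ncat)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, ncat: str) -> list:
    """Parameterized lookup: the driver binds the value, so no stripping is needed."""
    rows = conn.execute("SELECT id FROM categories WHERE name = ?", (ncat,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for name in ("Books", "O'Reilly (2nd ed.)", "Post-script; misc"):
        # The blacklist turns "Post-script; misc" into "Post misc", so the inline lookup misses.
        print(repr(name), "inline:", lookup_inline(db, name), "param:", lookup_param(db, name))
```

The blacklist finds only the first row; the parameterized query finds all three and needs none of the replacements.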