[thelist] SQL Update CORRECTION
Joshua Olson
joshua at waetech.com
Fri Jul 16 09:46:04 CDT 2004
> -----Original Message-----
> From: Jason Robbins
> Sent: Friday, July 16, 2004 10:08 AM
>
> Been taking in what you guys have said with great interest.
>
> Question - If I went through each string before using it as a parameter
> to search for quotes and either refussed to run the sql statement or
> deleted the quotes first - would that solve the majority of sql
> injection attacks?
Perhaps, but that's probably the hard way to do things...
Simply double up single quotes in the inputs. Example, cat's becomes
cat''s.
For fields looking for numbers, simply convert the value passed to a number.
If the value passed is not a numeric, change it to 0.
That should protect you in most cases.
I do two other things, usually... I convert characters that are not in the
databases character set to HTML entities, and I convert empty strings to the
string "NULL". The method I use actually wraps the single quotes on the
ends as well. When it's NULL I omit the single quotes so that the field has
an actual NULL value, not the empty string. This works well in CF because
selects of NULL from a table are equal to the empty string in the script.
<><><><><><><><><><>
Joshua Olson
Web Application Engineer
WAE Tech Inc.
http://www.waetech.com/service_areas/
706.210.0168
More information about the thelist
mailing list