[thelist] sql injection problem
Ken Schaefer
Ken at adOpenStatic.com
Mon Sep 25 20:55:21 CDT 2006
Use a parameterised query, and ADO Parameter objects. There is no need for a
stored procedure, and there is no need for this type of "replacement".
Replacement is dangerous - you're altering real data and changing it to
something else. What if the data is supposed to have a " in it?
Cheers
Ken
: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Brian Cummiskey
: Sent: Monday, 25 September 2006 11:30 AM
: To: thelist at lists.evolt.org
: Subject: [thelist] sql injection problem
:
: I'm testing a new app against HackerSafe and I keep failing on one
: page.
:
: I CAN'T use a stored procedure... they won't let me. (i know, i
: know...) so I'm doing the best I can to clean the querystrings.
:
: I'm using the following ASP replacements before the ncat var is passed
: into the inline query:
:
: ncat = replace( ncat, "'", "''" )
: ncat = replace( ncat, """", "" )
: ncat = replace( ncat, ")", "" )
: ncat = replace( ncat, "(", "" )
: ncat = replace( ncat, ";", "" )
: ncat = replace( ncat, "-", "" )
: ncat = replace( ncat, "|", "" )
: ncat = replace( ncat, "<", "" )
: ncat = replace( ncat, ">", "" )
: ncat = replace( ncat, "script", "" )
:
:
: But i'm still failing.
:
: Any advice on what I'm missing?
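The approach Ken describes, written out as an added example for classic ASP/VBScript (this code is not from either poster). It replaces the inline query and the chain of Replace() calls with an ADODB.Command whose single "?" placeholder is bound to an ADO Parameter object, so the ncat value reaches SQL Server as data and never as part of the SQL text; a value that legitimately contains a quote, a parenthesis or the word "script" is stored and matched unchanged. The connection string, the Products table and its Category and Name columns, and the 50-character column width are assumptions for illustration.

```vbscript
' Added example (not from the original thread): the parameterised ADO query
' Ken recommends. Table/column names, the connection string and the column
' width are assumed; substitute your own.
Option Explicit

' ADO constants (normally supplied by adovbs.inc or a TYPELIB METADATA tag)
Const adCmdText    = 1
Const adVarChar    = 200
Const adParamInput = 1

Dim connStr
connStr = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Shop;Integrated Security=SSPI;"  ' assumed

Dim ncat
ncat = Request.QueryString("ncat")   ' taken verbatim: no Replace() calls needed

' Truncating to the column width is a business rule (the assumed VARCHAR(50)),
' not an injection defence; the parameter binding below is the defence.
If Len(ncat) > 50 Then ncat = Left(ncat, 50)

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' "?" is the placeholder ADO binds positionally; the user's value is never
' concatenated into this string, so nothing in it can be parsed as SQL.
cmd.CommandText = "SELECT ProductID, Name FROM Products WHERE Category = ?"
cmd.Parameters.Append cmd.CreateParameter("ncat", adVarChar, adParamInput, 50, ncat)

Set rs = cmd.Execute

' Encode on output for the browser; input is left exactly as the user sent it.
Do While Not rs.EOF
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop

rs.Close : conn.Close
Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
```

The same pattern extends to any number of values: add one "?" per value to CommandText and Append one CreateParameter() call per value, in the same order. Stripping characters, as in the quoted Replace() chain, is neither necessary nor sufficient once the value is bound this way, and it corrupts legitimate data such as names containing an apostrophe or a hyphen.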