[thelist] sql injection problem
Brian Cummiskey
brian at hondaswap.com
Sun Sep 24 20:30:24 CDT 2006
I'm testing a new app against HackerSafe and I keep failing on one page.
I CAN'T use a stored procedure... they won't let me. (I know, I
know...) So I'm doing the best I can to clean the querystrings.
I'm using the following ASP replacements before the ncat var is passed
into the inline query:
' double single quotes so they are literal inside a quoted string
ncat = replace( ncat, "'", "''" )
' strip characters the inline query should never see
ncat = replace( ncat, """", "" )
ncat = replace( ncat, ")", "" )
ncat = replace( ncat, "(", "" )
ncat = replace( ncat, ";", "" )
ncat = replace( ncat, "-", "" )
ncat = replace( ncat, "|", "" )
ncat = replace( ncat, "<", "" )
ncat = replace( ncat, ">", "" )
' remove the word "script" (Replace is case-sensitive and single-pass)
ncat = replace( ncat, "script", "" )
But I'm still failing.
Any advice on what I'm missing?
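An added example, not code from the post or from HackerSafe: the Replace() chain above transcribed into Python and run against an inline query, beside a parameterized version of the same lookup. The table name, column names, rows and the assumption that ncat is a numeric category id are all constructed for the demo. It shows two things a blacklist cannot fix: a numeric WHERE clause needs none of the stripped characters to be altered, and a single-pass strip of "script" is not idempotent.

```python
import re
import sqlite3


def make_db():
    """Constructed sample schema and rows (assumption for the demo, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO categories (name, hidden) VALUES (?, ?)",
        [("engines", 0), ("wheels", 0), ("staff-only", 1)],
    )
    conn.commit()
    return conn


def blacklist_clean(ncat):
    """Transcription of the Replace() chain from the post.  VBScript Replace is
    case-sensitive and single-pass by default, and so is str.replace."""
    ncat = ncat.replace("'", "''")
    for ch in ['"', ")", "(", ";", "-", "|", "<", ">"]:
        ncat = ncat.replace(ch, "")
    return ncat.replace("script", "")


def vulnerable_lookup(conn, ncat):
    """Inline query built by concatenation, as the post describes.  Because the
    id is numeric the page does not quote it, so a payload such as
    '1 OR hidden = 1' contains nothing the blacklist removes and the WHERE
    clause is rewritten."""
    sql = "SELECT name FROM categories WHERE hidden = 0 AND id = " + blacklist_clean(ncat)
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, ncat):
    """Hardened form: reject anything that is not an integer, then bind the
    value with a placeholder so the driver sends it separately from the SQL
    text.  No character list is needed.  In classic ASP the equivalent is an
    ADODB.Command with a parameter created by CreateParameter, which does not
    require a stored procedure."""
    if not re.fullmatch(r"\d+", ncat.strip()):
        raise ValueError("ncat must be an integer category id")
    sql = "SELECT name FROM categories WHERE hidden = 0 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(ncat),))]


if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR hidden = 1"  # constructed: no quote, paren, semicolon or dash
    print(blacklist_clean(payload))          # survives the filter unchanged
    print(vulnerable_lookup(conn, payload))  # leaks the hidden row
    print(blacklist_clean("scrscriptipt"))   # single-pass strip reassembles "script"
    print(safe_lookup(conn, "1"))            # bound parameter, only the requested row
```

The second print shows the scanner's point: the stripped characters only matter when the value lands inside a quoted string, and the query on this page (if it compares a number) never quotes it. Binding the value as a parameter fixes both cases at once, and it works with plain inline SQL, so the no-stored-procedures rule does not prevent it.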