Is there any predefined method, such as "Parameterized Inputs" in the case of ASP.NET, which automatically prevents SQL Injection?
SQL Injection
-
You can go through the below link. I hope it will help you.
http://aspspider.info/magicalspell4u/?Quest=SQLInjection
-Thanks
-
@alijannaty52
Originally posted by alijannaty52
You can go through the below link. I hope it will help you.
http://aspspider.info/magicalspell4u/?Quest=SQLInjection
-Thanks
Thanks for the information... now I am developing a web application in ASP (only VBScript) and not in ASP.NET... so is there any predefined code in ASP that prevents SQL Injection?
You were very helpful, thanks once again.
-
Originally posted by srikugun
@alijannaty52
Thanks for the information... now I am developing a web application in ASP (only VBScript) and not in ASP.NET... so is there any predefined code in ASP that prevents SQL Injection?
You were very helpful, thanks once again.
There is no predefined code in ASP; in fact, there are very few pre-made, pre-packaged functions at all.
The general approach is to remove all of the special characters that SQL might recognize as part of a command, for example, use a series of Replace calls to change quote marks, equals signs, etc. I would also recommend that you open the database with a recordset using a SQL query rather than executing a SQL command (cmd.Execute). I'm not 100% positive that it is impossible, but it is definitely very difficult to inject if you are using recordsets.
Jared
-
I'd recommend using Stored Procedures.
A SQL injection attack depends on SQL query creation being done in your application. These queries are sent to the database. The database then compiles the query into a command and executes it. If the user enters SQL commands instead of the intended data, and your program creates a SQL query based on the user's input... then their commands are compiled in with your commands.
Stored Procedures are precompiled.
This means that their commands cannot be compiled along with your commands.
(They also use fewer resources... because the database management system doesn't need to compile the queries into commands for each request.)
You should always do heavy data validation and still follow Jared's advice to reduce any SQL injection attacks from being executed upon retrieving the data from the database.
-Frinny
-
Use this:
[code=asp]
Function Clean(sValuePrivate)
    Dim oRegExp
    Set oRegExp = New RegExp
    ' Whitelist: letters, digits, @ . _ space and hyphen.
    ' The hyphen is placed last so it is a literal character; written
    ' between '.' and '_' it would define the range 0x2E..0x5F instead,
    ' which keeps ; = < > / \ [ ] ^ in the output.
    oRegExp.Pattern = "[^0-9a-zA-Z@._ -]"
    oRegExp.IgnoreCase = True
    oRegExp.Global = True
    Clean = Trim(oRegExp.Replace(sValuePrivate, ""))
    Set oRegExp = Nothing
End Function
[/code]
This will strip all non-alphanumeric characters except for . @ and ^
Run your content through this function before inserting it into your database/SQL statement.
[code=asp]
Clean( Request.Form("MyField") )
[/code]
Sincerely,
Mark
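The thread's advice splits into two approaches: stripping dangerous characters before concatenating input into the SQL text (Jared, Mark) and keeping the input out of the compiled statement altogether (Frinny's stored procedures, and the "parameterized inputs" the question asked about). The following is an added example, written in Python against an in-memory SQLite table rather than in the thread's VBScript, and it is not code from any of the posters. It ports Mark's Clean() whitelist and compares the character class with the hyphen in the middle, `[^0-9a-zA-Z@.-_ ]`, where `.-_` is a range, against the class with the hyphen last, then feeds an attacker's value through a concatenated numeric lookup under both filters and through a bound parameter. The table, rows and payloads are constructed for the example.

```python
import re
import sqlite3

# Constructed sample table (not data from the thread): three users, one admin.
SAMPLE_USERS = [
    (1, "alice@example.com", 1),
    (2, "bob@example.com", 0),
    (3, "carol@example.com", 0),
]

# Hyphen between '.' and '_' is a range (0x2E..0x5F): ; < = > / \ [ ] ^ survive.
RANGE_PATTERN = re.compile(r"[^0-9a-zA-Z@.-_ ]")
# Hyphen last is literal: keeps only letters, digits, @ . _ space and '-'.
WHITELIST_PATTERN = re.compile(r"[^0-9a-zA-Z@._ -]")


def make_db():
    """In-memory SQLite database standing in for the ASP page's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER NOT NULL, email TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def clean(value, pattern=WHITELIST_PATTERN):
    """Port of the thread's Clean(): delete everything outside the whitelist."""
    return pattern.sub("", value).strip()


def find_ids_concat(conn, id_text, pattern=WHITELIST_PATTERN):
    """Numeric lookup built by concatenation after 'cleaning' (vulnerable).

    No quote is needed to break out of a numeric comparison, so a whitelist
    of letters, digits and spaces still lets "1 OR 11" through intact.
    """
    sql = "SELECT id FROM users WHERE id = " + clean(id_text, pattern) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_ids_by_email_concat(conn, email, pattern=WHITELIST_PATTERN):
    """String lookup built by concatenation after 'cleaning'.

    Here the filter does help: the quote needed to close the literal is gone.
    """
    sql = "SELECT id FROM users WHERE email = '" + clean(email, pattern) + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_ids_param(conn, id_text):
    """Parameterised lookup: the SQL text is fixed, the value is bound as data.

    The attacker's string is compared with the id column as a value; it is
    never parsed as SQL, so no character filtering is required.
    """
    rows = conn.execute("SELECT id FROM users WHERE id = ? ORDER BY id", (id_text,))
    return [row[0] for row in rows]


def main():
    conn = make_db()
    sample = "a;b=c<d>e/f\\g^h-i"
    print("range pattern keeps     :", clean(sample, RANGE_PATTERN))
    print("whitelist pattern keeps :", clean(sample))
    print("numeric, range filter   :", find_ids_concat(conn, "1 OR 1=1", RANGE_PATTERN))
    print("numeric, whitelist      :", find_ids_concat(conn, "1 OR 1=1"))
    print("string, whitelist       :", find_ids_by_email_concat(conn, "' OR '1'='1"))
    print("numeric, bound parameter:", find_ids_param(conn, "1 OR 1=1"))


if __name__ == "__main__":
    main()
```

Both concatenated numeric lookups return every row, because the payload `1 OR 1=1` (or `1 OR 11` once `=` is stripped) contains nothing the whitelist removes; the bound parameter returns nothing for the same input and the single matching row for a plain `1`. The thread does not mention it, but in classic ASP the analogue of the `?` placeholder is an ADODB.Command whose Parameters collection is filled with CreateParameter before Execute; that is the parameterized input the question asked about, and like the Python version it does not depend on any character filtering.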