Syntax to check on input boxes.


david hepworth

Hi
I am in the process of writing a website which has an Access database
and uses ASP to access it. Part of the site is a search facility. I
have heard that it is possible for hackers to gain access to the
database by entering SQL into the search box. First of all, is this
possible? Secondly, if it is possible, what sort of syntax should I be
checking for in the text entered into the search field?

Any help would be greatly appreciated.

Cheers
 

Bob Barrows [MVP]

david said:
Hi
I am in the process of writing a website which has an Access database
and uses ASP to access it. Part of the site is a search facility. I
have heard that it is possible for hackers to gain access to the
database by entering SQL into the search box. First of all, is this
possible?
Certainly:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

Secondly, if it is possible, what sort of syntax should I be
checking for in the text entered into the search field?

You shouldn't. You will never stay ahead of the hackers.

SQL injection depends on the use of concatenation to generate SQL statements
(dynamic SQL). You should use parameters instead of dynamic SQL. Either via
saved parameter queries:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&[email protected]

or by using a Command object to pass parameters to a sql string containing
parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

Bob Barrows
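The point Bob makes above, that the fix is parameters rather than a blacklist of "dangerous" syntax, is easier to see with the two query styles side by side. The following is an added example, not code from this thread: it uses Python with the standard-library sqlite3 module as a stand-in for ASP and Access (assumption: a constructed "products" table with a "published" flag that the search is supposed to honour). The concatenated version is the shape a search page usually has when it glues Request("q") into the SQL text; the parameterized version is the equivalent of the ADO Command object with a "?" marker that Bob's second link describes.

```python
import sqlite3

# Constructed sample data standing in for the site's Access table. The
# "published = 0" row is the one a visitor must never see in search results.
SAMPLE_ROWS = [
    ("Blue Widget", 1),
    ("O'Brien's Widget", 1),
    ("Unreleased Widget", 0),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO products (name, published) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_concatenated(conn, term):
    """VULNERABLE: dynamic SQL built by string concatenation.

    This mirrors ASP code such as
        sql = "SELECT name FROM products WHERE published = 1 " & _
              "AND name LIKE '%" & Request("q") & "%'"
    The search term becomes part of the SQL grammar, so a quote in it ends
    the string literal and whatever follows is executed as SQL.
    """
    sql = (
        "SELECT name FROM products WHERE published = 1 "
        "AND name LIKE '%" + term + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """SAFE: the SQL text is fixed and the term is bound as a parameter.

    The driver sends the value separately from the statement, so the term
    can only ever be compared as data; it cannot change the query's shape.
    ADO does the same with a "?" marker plus Command.CreateParameter.
    """
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def concatenated_breaks_on_apostrophe(conn):
    """A legitimate search containing an apostrophe crashes the concatenated
    query (the quote ends the literal early), which is also how an attacker
    first discovers the page is injectable."""
    try:
        search_concatenated(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


# Classic payload: close the LIKE literal, OR in a true condition, and comment
# out the rest of the statement. Nothing here is specific to this example.
INJECTION = "' OR 1=1 --"


def demo():
    """Run both query styles against a normal term, an apostrophe, and the payload."""
    conn = make_db()
    return {
        "concat_normal": search_concatenated(conn, "Widget"),
        # The concatenated query becomes
        #   ... WHERE published = 1 AND name LIKE '%' OR 1=1 --%'
        # so the published filter is defeated and every row comes back.
        "concat_injected": sorted(search_concatenated(conn, INJECTION)),
        "concat_apostrophe_error": concatenated_breaks_on_apostrophe(conn),
        # With a bound parameter the same payload is just an odd search string.
        "param_injected": search_parameterized(conn, INJECTION),
        "param_apostrophe": search_parameterized(conn, "O'Brien"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Two things worth noting from the run: the parameterized query is not only injection-proof, it is also the only one that handles a perfectly ordinary search such as O'Brien correctly, so parameters fix a functional bug at the same time. And the concatenated version with the payload returns the unpublished row even though the WHERE clause asked for published = 1, which is exactly the kind of data exposure the original question worries about; no list of forbidden characters would have been a reliable defence against it.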
 
