Syntax to check on input boxes.

david hepworth

Hi
I am in the process of writing a website which has an Access database
and uses ASP to access it. Part of the site is a search facility. I
have heard that it is possible for hackers to gain access to the
database by entering SQL into the search box. First of all, is this
possible? Secondly, if it is possible, what sort of syntax should I be
checking for on the text entered into the search field?

Any help would be greatly appreciated.

Cheers
 
Bob Barrows [MVP]

david said:
> Hi
> I am in the process of writing a website which has an Access database
> and uses ASP to access it. Part of the site is a search facility. I
> have heard that it is possible for hackers to gain access to the
> database by entering SQL into the search box. First of all, is this
> possible?
Certainly:
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

> Secondly, if it is possible, what sort of syntax should I be
> checking for on the text entered into the search field?

You shouldn't. You will never stay ahead of the hackers.

SQL Injection depends on the use of concatenation to generate SQL statements
(dynamic SQL). You should use parameters instead of dynamic SQL. Either via
saved parameter queries:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&[email protected]

or by using a Command object to pass parameters to a SQL string containing
parameter markers:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

Bob Barrows
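As an added illustration of the two approaches contrasted in this reply (not code from the thread or its authors): a classic ASP search page for an Access database, first written with string concatenation, then rewritten with an ADO Command object and a parameter marker. The Products table, Name column, the .mdb path and the form field name are placeholders assumed for the example.

```vbscript
<%
' Added example, not from the thread. Assumed: a table Products with
' columns ProductID and Name, and an Access file at the placeholder path.
Option Explicit

' ADO constants (normally taken from adovbs.inc)
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("PLACEHOLDER_DATABASE.mdb")

' Dynamic SQL: the search text is spliced into the statement itself, so a
' quote character in the input changes the structure of the query. This is
' the pattern the reply warns against; it is shown only for contrast.
Function SearchByConcatenation(term)
    Dim sql
    sql = "SELECT ProductID, Name FROM Products WHERE Name LIKE '%" & term & "%'"
    Set SearchByConcatenation = conn.Execute(sql)
End Function

' Parameterised: the statement contains only a marker (?) and the value is
' handed to the provider separately. Whatever the user types is treated as
' data for the LIKE comparison and can never become part of the SQL text.
Function SearchWithParameter(term)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT ProductID, Name FROM Products WHERE Name LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("@term", adVarWChar, _
                          adParamInput, 255, "%" & term & "%")
    Set SearchWithParameter = cmd.Execute
End Function

' Use the parameterised version for the live search box; encode the output
' so database contents are not rendered as HTML.
Dim rs
Set rs = SearchWithParameter(Request.Form("q"))
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

With the Jet OLE DB provider the LIKE wildcard is %, so the wildcards are added around the value on the parameter side rather than inside the SQL text.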