Hi All,

I am working on a web application that uses both asp classic and asp.net
pages. We need to validate user input to avoid attacks like sql injection.
Can a component be created that both page types can use? Is that the best
approach? Would I simply use pattern matching to validate strings and/or
remove any unwanted characters?

Thanks in advance.

Re: Validating User Input to Avoid Attacks by Bob

Bob
Wed Jul 12 09:12:02 CDT 2006

A TO Consultant wrote:
> Hi All,
>
> I am working on a web application that uses both asp classic and
> asp.net pages. We need to validate user input to avoid attacks like
> sql injection. Can a component be created that both page types can
> use? Is that the best approach? Would I simply use pattern matching
> to validate strings and/or remove any unwanted characters?
>
> Thanks in advance.
For SQL Injection, while validation is important, it is not enough to
prevent it. If you truly wish to prevent SQL Injection, you will avoid
all use of dynamic sql*, using parameters to pass values instead.

I do not believe that validation can be made as generic as you are
hoping it can be: some data should not contain sql keywords, and other
data should.

*I am defining dynamic sql as the act of concatenating user input into
sql statements which are subsequently executed.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Re: Validating User Input to Avoid Attacks by ATOConsultant

ATOConsultant
Wed Jul 12 09:57:01 CDT 2006

Thanks Bob.

When you say to use parameters to pass values instead, do you mean to use
stored procedures and call them with the values as parameters?

"Bob Barrows [MVP]" wrote:

> A TO Consultant wrote:
> > Hi All,
> >
> > I am working on a web application that uses both asp classic and
> > asp.net pages. We need to validate user input to avoid attacks like
> > sql injection. Can a component be created that both page types can
> > use? Is that the best approach? Would I simply use pattern matching
> > to validate strings and/or remove any unwanted characters?
> >
> > Thanks in advance.
> For SQL Injection, while validation is important, it is not enough to
> prevent it. If you truly wish to prevent SQL Injection, you will avoid
> all use of dynamic sql*, using parameters to pass values instead.
>
> I do not believe that validation can be made as generic as you are
> hoping it can be: some data should not contain sql keywords, and other
> data should.
>
> *I am defining dynamic sql as the act of concatenating user input into
> sql statements which are subsequently executed.
> --
> Microsoft MVP -- ASP/ASP.NET
> Please reply to the newsgroup. The email account listed in my From
> header is my spam trap, so I don't check it very often. You will get a
> quicker response by posting to the newsgroup.
>
>
>

Re: Validating User Input to Avoid Attacks by Bob

Bob
Wed Jul 12 10:33:38 CDT 2006

That's my preferred technique, but it's not necessary. Both ADO and
ADO.Net allow the use of parameter markers to facilitate the passing of
parameter values into ad hoc sql strings. Here is a description of the
ADO implementation of this:

http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e


A TO Consultant wrote:
> Thanks Bob.
>
> When you say to use parameters to pass values instead, do you mean to
> use stored procedures and call them with the values as parameters?
>
> "Bob Barrows [MVP]" wrote:
>
>> A TO Consultant wrote:
>>> Hi All,
>>>
>>> I am working on a web application that uses both asp classic and
>>> asp.net pages. We need to validate user input to avoid attacks like
>>> sql injection. Can a component be created that both page types can
>>> use? Is that the best approach? Would I simply use pattern
>>> matching to validate strings and/or remove any unwanted characters?
>>>
>>> Thanks in advance.
>> For SQL Injection, while validation is important, it is not enough to
>> prevent it. If you truly wish to prevent SQL Injection, you will
>> avoid all use of dynamic sql*, using parameters to pass values
>> instead.
>>
>> I do not believe that validation can be made as generic as you are
>> hoping it can be: some data should not contain sql keywords, and
>> other data should.
>>
>> *I am defining dynamic sql as the act of concatenating user input
>> into sql statements which are subsequently executed.
>> --
>> Microsoft MVP -- ASP/ASP.NET
>> Please reply to the newsgroup. The email account listed in my From
>> header is my spam trap, so I don't check it very often. You will get
>> a quicker response by posting to the newsgroup.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
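Bob's two points above (parameter markers instead of concatenated SQL, and validation that cannot be made generic because some fields legitimately contain SQL keywords) are shown below in an added example that is not part of the thread or of the linked ADO post. It uses Python's sqlite3 module rather than ADO or ADO.NET, since the mechanism is the same: the `?` positional marker is also what ADO uses for ad hoc parameterized commands. The users/comments schema, the sample rows, the `strip_unwanted` blacklist and the attack strings are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema and rows for the demo; not the thread's application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def strip_unwanted(value):
    """Blacklist 'sanitizer' of the kind the original question proposes (assumed, for contrast)."""
    for bad in ("'", '"', ";", "--"):
        value = value.replace(bad, "")
    return value


def login_dynamic(conn, username, password):
    """Dynamic SQL in Bob's sense: user input concatenated into the statement text."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same query with parameter markers; the values are bound, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def find_by_id_dynamic(conn, id_text):
    """Concatenation after stripping quotes: still injectable in a numeric context,
    because the payload needs no quote characters at all."""
    sql = "SELECT username FROM users WHERE id = " + strip_unwanted(id_text)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_parameterized(conn, id_text):
    """Type validation plus a parameter marker; returns None for non-numeric input."""
    try:
        user_id = int(id_text)
    except ValueError:
        return None
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def save_comment(conn, author, body):
    """Free text that may legitimately contain SQL keywords is stored verbatim
    because it is passed as a parameter, not spliced into the INSERT."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def read_comments(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"
    print(login_dynamic(db, "alice", attack))        # ['alice', 'bob']
    print(login_parameterized(db, "alice", attack))  # []
    print(find_by_id_dynamic(db, "1 OR 1=1"))        # ['alice', 'bob']
    print(find_by_id_parameterized(db, "1 OR 1=1"))  # None
    save_comment(db, "mallory", "Robert'); DROP TABLE users; --")
    print(read_comments(db), count_users(db))        # [...] 2
```

The numeric case is the one a quote-stripping filter misses: `1 OR 1=1` contains none of the "unwanted characters", so blacklisting does nothing, while a parameter marker plus a type check rejects it outright. The comment case is Bob's second point: a body containing `DROP TABLE` is valid data for that field, and with parameters it is stored as text and the users table is untouched, so no keyword filter is needed there.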