Solved

asp2mysql preventing code injections

Posted on 2008-06-17
Medium Priority
Last Modified: 2010-03-19
Normally, when I insert a user's text into a varchar/text field, the system
shows me an error if the user typed " or '...

So, how can I allow those and still prevent hackers from injecting queries and code?

Thank you.
Question by:Forrest_Gump
7 Comments
 
LVL 82

Accepted Solution

by:
hielo earned 800 total points
ID: 21806833
>>show me an error if the user typed " or '...
You need to escape the apostrophes with back-to-back apostrophes.
Assuming you have:
firstname=Replace(Request("firstname"),"'","''")
lastname=Replace(Request("lastname"),"'","''")
strSQL = "INSERT INTO users(firstname,lastname) VALUES('" & firstname & "','" & lastname & "' )"

As for the double quotes, you should be enclosing the values of your fields with apostrophes, NOT double quotes.
So, it should NOT be:
...values("John","Smith")

it should be
...values('John','Smith')

and the previous step about replacing the apostrophes with back-to-back apostrophes should avoid an invalid statement.
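As an added example (not code from hielo's answer or from the original thread), here is that Replace step generalised into a small helper that builds a quoted MySQL literal, so the same treatment is applied to every value consistently. The names SqlLiteral, conn and strSQL are assumed, and conn is assumed to be an open ADODB.Connection. One caveat the helper handles: MySQL, in its default sql_mode, also treats a backslash as an escape character inside string literals, so doubling apostrophes alone is not enough and backslashes are doubled as well.

```vbscript
<%
' Added example (not from the original thread): a helper that turns an
' untrusted string into a quoted SQL literal for MySQL, generalising the
' Replace(..., "'", "''") step from the accepted answer.
' Assumed names: SqlLiteral, conn (open ADODB.Connection), strSQL.
Function SqlLiteral(value)
    Dim s
    s = CStr(value)
    ' MySQL (default sql_mode) treats backslash as an escape character inside
    ' string literals, so a lone backslash is doubled first; otherwise the
    ' input \' would turn the doubled apostrophe back into a closing quote.
    s = Replace(s, "\", "\\")
    ' Double every apostrophe so it is stored as one apostrophe and can never
    ' terminate the literal.
    s = Replace(s, "'", "''")
    ' The literal is always enclosed in apostrophes, never double quotes.
    SqlLiteral = "'" & s & "'"
End Function

Dim firstname, lastname, strSQL
firstname = Request.Form("firstname")
lastname  = Request.Form("lastname")

' Every value that goes into the statement passes through SqlLiteral.
strSQL = "INSERT INTO users(firstname, lastname) VALUES(" & _
         SqlLiteral(firstname) & ", " & SqlLiteral(lastname) & ")"

' With firstname = O'Brien and lastname = Smith the statement becomes:
' INSERT INTO users(firstname, lastname) VALUES('O''Brien', 'Smith')
' and the row is stored with a single apostrophe in firstname.
conn.Execute strSQL
%>
```

If the MySQL connection runs with NO_BACKSLASH_ESCAPES enabled, the backslash line would store two backslashes instead of one; the doubling of apostrophes is what every sql_mode needs.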
 

Author Comment

by:Forrest_Gump
ID: 21807121
So what you're saying is that I need to do Replace(Request("lastname"),"'","''")
for every one of my fields?
 
LVL 82

Expert Comment

by:hielo
ID: 21807139
>>...to every one of my fields?
Yes, for every field that you intend to put INTO a db.
 
LVL 29

Assisted Solution

by:rdivilbiss
rdivilbiss earned 600 total points
ID: 21809276
Actually there is a much better way.  Using prepared statements will prevent most SQL injections and allow you to ignore the issue of escaping quotes.

This also means when you return data from the database you also do not need to worry about un-escaping quotes.

Take a look at the attached link:

http://www.rodsdot.com/ee/parameterized_sql_multi_parameter.asp

You'll need to tweak a little for mySQL.
 
LVL 12

Assisted Solution

by:R_Harrison
R_Harrison earned 600 total points
ID: 21812763
Using two single quotes, as Hielo suggests, will only insert one single quote into the database, which is what the user entered, and in my personal experience is the best way to go.

It should also be pointed out that SQL works equally well if you use numbers, in fact it is much easier to do SQL Injection if the page is expecting numbers as you do not usually have to escape the string.  Therefore if you are using numeric values in any SQL query then always check the value is actually numeric - don't assume it is just because that is what you are expecting...

e.g.
If Not IsNumeric(yourvariable) Then
    ' do not run the SQL query as it could contain injection code
End If
 
LVL 29

Assisted Solution

by:rdivilbiss
rdivilbiss earned 600 total points
ID: 21813673
User input validation often falls victim to encoding attacks.

Using prepared statements or parameterized SQL is the strongest protection at little cost.
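An added example, not code from rdivilbiss's linked article, from R_Harrison's answer or from the original thread, that shows both points together in classic ASP with ADO: the INSERT from the accepted answer rewritten with parameters, and a SELECT whose numeric id is checked against a strict digit pattern before it is bound as an integer. It assumes conn is an open ADODB.Connection to MySQL (for instance through MySQL Connector/ODBC) and that the users table has an integer id column; the helper name IsPlainInteger is mine.

```vbscript
<%
' Added example (not from the original thread or the linked article).
' Assumptions: conn is an open ADODB.Connection to MySQL; table users has
' columns id (integer), firstname and lastname; IsPlainInteger is a local helper.
Const adCmdText    = 1
Const adParamInput = 1
Const adInteger    = 3
Const adVarChar    = 200

' True only for a plain string of 1-9 decimal digits. IsNumeric on its own
' also accepts signs, exponents, hex prefixes and surrounding whitespace, so a
' regular expression is the tighter gate to apply before CLng.
Function IsPlainInteger(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsPlainInteger = re.Test(CStr(value))
End Function

Dim cmd, rs, firstname, lastname, userId
firstname = Request.Form("firstname")
lastname  = Request.Form("lastname")

' 1. INSERT: the values travel as parameters, so apostrophes, double quotes
'    and backslashes in the input are data and never part of the statement.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO users(firstname, lastname) VALUES(?, ?)"
cmd.Parameters.Append cmd.CreateParameter("firstname", adVarChar, adParamInput, 50, firstname)
cmd.Parameters.Append cmd.CreateParameter("lastname",  adVarChar, adParamInput, 50, lastname)
cmd.Execute
Set cmd = Nothing

' 2. SELECT by numeric id: reject anything that is not plain digits, then
'    bind the value as an integer parameter rather than pasting it into SQL.
userId = Request.QueryString("id")
If Not IsPlainInteger(userId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT firstname, lastname FROM users WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(userId))
Set rs = cmd.Execute

Do Until rs.EOF
    ' Values come back exactly as stored, so nothing needs to be un-escaped;
    ' they are HTML-encoded only because they are being written into a page.
    Response.Write Server.HTMLEncode(rs("firstname") & " " & rs("lastname")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

Using Set when assigning ActiveConnection matters: without it VBScript assigns the connection's default property (the connection string) and ADO silently opens a second connection for the command.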
 
LVL 29

Expert Comment

by:rdivilbiss
ID: 21837962
Thanks for the assist and good luck on your project.
