• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 191
  • Last Modified:

asp2mysql preventing code injections

normaly when i insert users text into varchar\text field the system will
show me an error if the user typed " or '...

so, how can i let enable those + prevent from hackers to inject some queries and codes...

?
10q
0
Forrest_Gump
Asked:
Forrest_Gump
4 Solutions
 
hieloCommented:
>>show me an error if the user typed " or '...
You need to escape the apostrophes with back-to-back apostphes.
Assuming you have:
firstname=Replace(Request("firstname"),"'","''")
lastname=Replace(Request("lastname"),"'","''")
strSQL = "INSERT INTO users(firstname,lastname) VALUES('" & firstname & "','" & lastname & "' )"

 As for the double quotes, you shoud be enclosing the values of your fields with apostrophes, NOT double quotes.
So, it should NOT be:
...values("John","Smith")

it should be
...values('John','Smith')

and the previous step about replacing the apostrophes with back-to-back apostrophes should avoid an invalid statement.
0
 
Forrest_GumpAuthor Commented:
so what you say is that i need to do Replace(Request("lastname"),"'","''")
to every one of my fields?
0
 
hieloCommented:
>>...to every one of my fields?
Yes, For every field that you intend to put INTO a db.
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
rdivilbissCommented:
Actually there is a much better way.  Using prepared statements will prevent most SQL injections and allow you to ignore the issue of escaping quotes.

This also means when you return data from the database you also do not need to worry about un-escaping quotes.

Take a look at the attached link:

http://www.rodsdot.com/ee/parameterized_sql_multi_parameter.asp

You'll need to tweak a little for mySQL.
0
 
R_HarrisonCommented:
Using two single quote, as Hielo suggest will only insert 1 single quote into the database, which is as per the user inputted and in my personal experience is the best way to go.

It should also be pointed out that SQL works equally well if you use numbers, in fact it is much easier to do SQL Injection if the page is expecting numbers as you do not usually have to escape the string.  Therefore if you are using numeric values in any SQL query then always check the value is actually numeric - don't assume it is just because that is what you are expecting...

e.g
if isNumeric(yourvariable)=false then -- do not run the SQL query as it could contain injection code --

0
 
rdivilbissCommented:
User input validation often fails victim to encoding attacks.

Using prepared statement or parameterized SQL is the strongest protection at little cost.

0
 
rdivilbissCommented:
Thanks for the assist and good luck on your project.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now