We have inline SQL in classic ASP. We were running fine for the past 5 years, but we got hit with an injection attack on Friday. Before we convert them to stored procedures, somebody help me with options available for damage control.
Below is the script that is getting injected into almost all of the fields in the database:
It is always added at the end of the data value. Can closing the SQL string prevent this? For example:
strsql = "insert into user values('" & username & "')" & ""
Can I do an automated text generator and ask the user to input the value to prevent this for the time being?
I am in a blind spot here and any help is appreciated. I am willing to give away points as well.
Thanks a lot!!
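An added example, not part of the original post: the concatenated insert from the question next to a parameterized ADODB.Command version that can replace inline statements one at a time before any move to stored procedures. It assumes `conn` is an already-open ADODB.Connection and that the column holds at most 50 characters; the function and sub names are hypothetical.

```vbscript
' Added example, not code from the original post.
' Assumptions: conn is an open ADODB.Connection; the table (named "user" as in
' the post) has one text column of at most 50 characters.

Const adCmdText = 1             ' CommandTypeEnum: CommandText is plain SQL
Const adVarChar = 200           ' DataTypeEnum: variable-length string
Const adParamInput = 1          ' ParameterDirectionEnum: input parameter
Const adExecuteNoRecords = 128  ' ExecuteOptionEnum: statement returns no rows

' The statement from the post. Appending & "" concatenates an empty string,
' so the SQL text is the same with or without it. A constructed value such as
' O'Brien still ends the quoted literal early, because the value is pasted
' into the statement text itself.
Function BuildConcatenatedSql(username)
    BuildConcatenatedSql = "insert into user values('" & username & "')" & ""
End Function

' Parameterized form: the SQL text is a constant and the value is sent
' separately as a typed parameter, so quotes or trailing markup in username
' are stored as data and cannot alter the statement.
Sub InsertUser(conn, username)
    Dim cmd, value
    value = Left(CStr(username), 50)   ' enforce the assumed column length

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "insert into user values(?)"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, value)
    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End Sub

' Typical call from a page handler:
'   InsertUser conn, Request.Form("username")
```

The same pattern applies to every inline statement that takes request input, including numeric query-string values, which should be bound with a numeric parameter type rather than concatenated.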