We help IT Professionals succeed at work.
Get Started
SQL Injection Hack for ASP/MS-SQL when submitting a URL
I am working on a site that was just given to me and is pretty much done. There is already a function to replace sql injection characters/words into a safe format (such that something like 'select' is replaced with 'selects').
However, there is one place there is a problem, and it is when the user is inserting a URL. So, for instance, the user enters a url with a ; (semi-colon) in it. Obviously, I don't want that added, however, if I replace it with any other character, the URL will no longer be good. I was thinking of using URl encoding so that 'http://test.com?id=123;32' equals 'http://test.com?id=123%3B32', however, when trying to reach the URL with that address it does not work with sites like youtube when I replace the "&" with the "%26".
I do not mind removing keywords such as delete, update, select, insert - however, I will need access to allow users to enter in data such as ; or -- which a lot of URL's these days have (such as yahoo news and youtube).
Do any of you experts out there now the best solution to make sure the URL is posted correctly without me exposing myself to a potential hack? This is dynamic SQL and I will not have been told by the owner that I do not have the ability to create a stored procedure.
Thanks
However, there is one place there is a problem, and it is when the user is inserting a URL. So, for instance, the user enters a url with a ; (semi-colon) in it. Obviously, I don't want that added, however, if I replace it with any other character, the URL will no longer be good. I was thinking of using URl encoding so that 'http://test.com?id=123;32' equals 'http://test.com?id=123%3B32', however, when trying to reach the URL with that address it does not work with sites like youtube when I replace the "&" with the "%26".
I do not mind removing keywords such as delete, update, select, insert - however, I will need access to allow users to enter in data such as ; or -- which a lot of URL's these days have (such as yahoo news and youtube).
Do any of you experts out there now the best solution to make sure the URL is posted correctly without me exposing myself to a potential hack? This is dynamic SQL and I will not have been told by the owner that I do not have the ability to create a stored procedure.
Thanks
Why Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE