Brad Bansner

asked on

URL sanitizer for SQL injection attack prevention, ASP/IIS/MS SQL

I have a large number of websites running classic ASP and MS SQL Server 2003. We had problems with SQL injection attacks several years ago. I mostly solved them by having queries such as:

qry="insert into table (column1) values ('" & replace(insertvalue, "'", "''") & "')"

qry="insert into table (column2) values (" & int(insertvalue) & ")"

Now, I know there are ways around this if the querystring is encoded instead of plain text, which would block the single quotes and generate an error for numbers. Are there recommended products which will work with IIS and ASP to do a more comprehensive job of this? I would accept a solution that costs money or is licensed. I just want something easy to configure so I don't have to spend a ton of time setting up permission/denial lists.

Surely something like this is available by now? Would really appreciate any advice.

Thank you!
ASKER CERTIFIED SOLUTION
matija_

This solution is only available to members.
Brad Bansner

ASKER

Will this help if the person is using HEX, such as:

%31%20%41%4E%44%20%41%53%43%49%49%28%4C%4F%57%45%52%28%53%55%42%53%54%52%49%4E%47%28%28%53%45%4C%45%43%54%20%54%4F%50%20%31%20%6E%61%6D%65%20%46%52%4F%4D%20%73%79%73%6F%62%6A%65%63%74%73%20%57%48%45%52%45%20%78%74%79%70%65%3D%27%55%27%29%2C%20%31%2C%20%31%29%29%29%20%3E%20%31%31%36
SOLUTION
Anthony Perkins

This solution is only available to members.
P.S. There is no such animal as SQL Server 2003. It is either 2000, 2005, 2008 or 2008-R2.
SOLUTION
This solution is only available to members.
Please encode your querystring before sending the request to the browser or saving it to a SQL table.
Hello, can you briefly explain how putting these queries into a Stored Procedure would avoid these problems? Thank you.
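The following classic ASP page is an added example, not code from the question or from any of the answers above. It sets the escaping pattern from the question next to the approach the later posts point at: an ADODB.Command with typed parameters, either against fixed SQL text or against a stored procedure. The table MyTable, its columns column1 and column2, the procedure dbo.usp_InsertRow and the Application("connStr") connection string are all assumptions made for the example. Percent-encoded input is decoded by IIS before Request.QueryString hands it to the script, so the value a parameter receives is the same decoded text; what changes is that the value is never parsed as part of the SQL statement.

```vbscript
<%
' Added example (not from the question or any answer on this page).
' Assumed: a connection string in Application("connStr"), a table MyTable with
' column1 varchar(100) and column2 int, and a procedure dbo.usp_InsertRow
' taking @column1 varchar(100) and @column2 int.
Option Explicit

' ADO constants (these are the real ADO enum values).
Const adCmdText = 1
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adInteger = 3
Const adParamInput = 1

' The pattern from the question: SQL text assembled from request input.
' Doubling quotes protects a string literal, but every query must remember
' to do it and numeric contexts need a separate cast.
Function BuildUnsafeInsert(insertValue)
    BuildUnsafeInsert = "insert into MyTable (column1) values ('" & Replace(insertValue, "'", "''") & "')"
End Function

' Hardened form: the SQL text is fixed and the input travels as a typed
' parameter, so quotes, comment markers or decoded hex in the value are
' stored as data rather than interpreted as SQL.
Sub InsertRowParameterized(conn, textValue, numberValue)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "insert into MyTable (column1, column2) values (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("p1", adVarChar, adParamInput, 100, textValue)
    cmd.Parameters.Append cmd.CreateParameter("p2", adInteger, adParamInput, , CLng(numberValue))
    cmd.Execute
End Sub

' Same idea through a stored procedure. The caller's input only ever reaches
' the procedure as @column1 / @column2 values. The protection holds only while
' the procedure body uses those parameters as values; a procedure that builds
' and EXECs SQL text from them reintroduces the original problem.
Sub InsertRowViaProc(conn, textValue, numberValue)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.usp_InsertRow"
    cmd.Parameters.Append cmd.CreateParameter("@column1", adVarChar, adParamInput, 100, textValue)
    cmd.Parameters.Append cmd.CreateParameter("@column2", adInteger, adParamInput, , CLng(numberValue))
    cmd.Execute
End Sub

' Validate the numeric field before it reaches the database: a non-numeric
' value is rejected with a 400 instead of raising a type error inside the query.
Dim conn, v1, v2
v1 = Request.QueryString("insertvalue")
v2 = Request.QueryString("count")
If IsNumeric(v2) Then
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("connStr")
    InsertRowParameterized conn, v1, v2
    conn.Close
    Set conn = Nothing
Else
    Response.Status = "400 Bad Request"
End If
%>
```

The length argument (100) on the varchar parameters should match the column definition; for the integer parameters the size is omitted because ADO derives it from the type. Either InsertRowParameterized or InsertRowViaProc removes the need for the Replace and int() calls from the question, since the input is never concatenated into SQL text.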
SOLUTION
This solution is only available to members.