URL sanitizer for SQL injection attack prevention, ASP/IIS/MS SQL
Posted on 2011-04-18
I have a large number of websites running classic ASP and MS SQL Server 2003. We had problems with SQL injection attacks several years ago. I mostly solved them by having queries such as:
qry="insert into table (column1) values ('" & replace(insertvalue, "'", "''") & "')"
qry="insert into table (column2) values (" & int(insertvalue) & ")"
Now, I know there are ways around this if the querystring is encoded instead of plain text, which would block the single quotes and generate an error for numbers. Are there recommended products which will work with IIS and ASP to do a more comprehensive job of this? I would accept a solution that costs money or is licensed. I just want something easy to configure so I don't have to spend a ton of time setting up permission/denial lists.
Surely something like this is available by now? Would really appreciate any advice.
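For comparison, the following is an added example (not code from the original post) of the approach that removes the need for escaping or a URL filter in the first place: a parameterized INSERT in classic ASP through ADODB.Command. The value is bound as a typed parameter rather than spliced into the SQL text, so a single quote, an encoded %27, or a non-numeric string is treated as data (or rejected) instead of becoming part of the statement. It assumes a table named table with columns column1 (varchar(100)) and column2 (int), and a connection string stored in a hypothetical Application("ConnStr") variable.

```vbscript
<%
Option Explicit

' ADO constants (normally pulled in from adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const adInteger = 3
Const adExecuteNoRecords = 128

' Inserts one row using bound parameters instead of string concatenation.
' Returns the number of rows affected, or -1 if the numeric input is rejected.
Function InsertRow(ByVal textValue, ByVal numericValue)
    Dim conn, cmd, rowsAffected

    ' Validate the integer up front rather than letting Int() raise a type
    ' mismatch on input such as "12abc" or an empty string.
    If Not IsNumeric(numericValue) Then
        InsertRow = -1
        Exit Function
    End If

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnStr")   ' assumed: connection string set in global.asa

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholders are filled by the driver; quotes inside textValue stay data.
    cmd.CommandText = "INSERT INTO [table] (column1, column2) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("p1", adVarChar, adParamInput, 100, textValue)
    cmd.Parameters.Append cmd.CreateParameter("p2", adInteger, adParamInput, 4, CLng(numericValue))

    cmd.Execute rowsAffected, , adExecuteNoRecords

    Set cmd = Nothing
    conn.Close
    Set conn = Nothing

    InsertRow = rowsAffected
End Function

' Usage: Request.QueryString already URL-decodes the value, so an encoded
' quote arrives as a plain quote here and is still bound safely as a parameter.
Dim affected
affected = InsertRow(Request.QueryString("col1"), Request.QueryString("col2"))
If affected = -1 Then
    Response.Status = "400 Bad Request"
    Response.Write "column2 must be an integer"
Else
    Response.Write "rows inserted: " & affected
End If
%>
```

Because the driver sends the statement and the parameter values separately, this holds regardless of how the query string was encoded, which is the gap the replace()/int() pattern leaves open. The same ADODB.Command shape works for UPDATE, DELETE and SELECT, so the existing concatenated queries can be converted one at a time without changing the schema.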