Brad Bansner
asked on
URL sanitizer for SQL injection attack prevention, ASP/IIS/MS SQL
I have a large number of websites running classic ASP and MS SQL Server 2003. We had problems with SQL injection attacks several years ago. I mostly solved them by having queries such as:
qry="insert into table (column1) values ('" & replace(insertvalue, "'", "''") & "')"
qry="insert into table (column2) values (" & int(insertvalue) & ")"
Now, I know there are ways around this if the querystring is encoded instead of plain text, which would block the single quotes and generate an error for numbers. Are there recommended products which will work with IIS and ASP to do a more comprehensive job of this? I would accept a solution that costs money or is licensed. I just want something easy to configure so I don't have to spend a ton of time setting up permission/denial lists.
Surely something like this is available by now? Would really appreciate any advice.
Thank you!
ASKER CERTIFIED SOLUTION
SOLUTION
P.S. There is no such animal as SQL Server 2003. It is either 2000, 2005, 2008 or 2008-R2.
SOLUTION
Please encode your querystring before sending the request to the browser or saving it to a SQL table.
ASKER
Hello, can you briefly explain how putting these queries into a Stored Procedure would avoid these problems? Thank you.
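The protection a stored procedure gives comes from parameter binding, and an ADODB.Command gives the same binding with or without a procedure: the SQL text is fixed and the value travels separately, so quotes or URL-encoding in the input cannot change the statement. The following classic ASP page is an added example, not code from the question or from the answers; the table, column and procedure names (table1, column1, column2, usp_InsertRow) and the connection string are assumed placeholders.

```vbscript
<%
' Added example (not from the question or answers): the concatenated insert
' as described by the asker, then the same insert with ADODB parameters.
' Table, column and procedure names and the connection string are placeholders.
Option Explicit
Const adCmdText = 1, adCmdStoredProc = 4
Const adInteger = 3, adVarChar = 200, adParamInput = 1
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "<connection string placeholder>"

' 1. Concatenation with Replace(): safe only while every field uses the same
'    quoting rule. A numeric column has no quotes, so Replace() does nothing
'    there; Int() guards column2 but throws on non-numeric input.
Dim insertvalue, qry
insertvalue = Request.QueryString("v")   ' IIS has already URL-decoded this
qry = "insert into table1 (column1) values ('" & Replace(insertvalue, "'", "''") & "')"

' 2. Parameterised text command: the statement never contains the value,
'    so escaping and decoding tricks have nothing to act on.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "insert into table1 (column1, column2) values (?, ?)"
cmd.Parameters.Append cmd.CreateParameter("p1", adVarChar, adParamInput, 50, insertvalue)

' Validate numeric input before binding instead of letting Int() raise an error.
Dim num
If IsNumeric(Request.QueryString("n")) Then
    num = CLng(Request.QueryString("n"))
Else
    Response.Status = "400 Bad Request"
    Response.End
End If
cmd.Parameters.Append cmd.CreateParameter("p2", adInteger, adParamInput, , num)
cmd.Execute

' 3. Stored procedure: identical binding, with the statement kept in SQL Server.
'    The procedure body must itself avoid EXEC of a concatenated string.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "usp_InsertRow"   ' hypothetical procedure name
cmd.Parameters.Append cmd.CreateParameter("@column1", adVarChar, adParamInput, 50, insertvalue)
cmd.Parameters.Append cmd.CreateParameter("@column2", adInteger, adParamInput, , num)
cmd.Execute
conn.Close
%>
```

Because Request.QueryString returns the already-decoded value, an encoded quote reaches Replace() as a plain quote and is doubled correctly; the stronger reason to prefer parameters is that the result no longer depends on getting that escaping right for every column type.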
SOLUTION
ASKER
%31%20%41%4E%44%20%41%53%4