  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 280
  • Last Modified:

SQL Injection Help

I am experiencing a lot of attempts at SQL injection, and one of the most common is putting -1%27 in as a form value or query string. There would never be any need in my site to return this value. What is the best way to "trap" that value and redirect when it is used?
Asked by: Bob Schneider

1 Solution
Big Monty (Senior Web Developer / CEO of ExchangeTree.org) commented:

Your best bet against SQL injection is to use parameterized queries. There's a great article here on EE that will give you the basics on it.

Otherwise you'd have to manually scrub each bit of data in your code that goes into the database. Should you choose this route (I highly recommend against it, go with the PQ's), you could do something like this:

Dim val: val = Request.Form("txtFld")

'-- Request.Form / Request.QueryString already URL-decode the value, so a submitted
'-- "-1%27" arrives here as "-1'"; check for both the decoded and the raw form.
If InStr(val, "-1'") > 0 Or InStr(val, "-1%27") > 0 Then
   '-- do a redirect, or delete the value, or whatever else
End If
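The two points in the answer above, as an added example that is not part of the original thread and not the asker's or answerer's code: the asker's site is classic ASP, but the behaviour is shown here in Python with sqlite3 so it can be run as-is. It demonstrates why a string blocklist on "-1%27" is fragile (the form/query-string API hands application code the decoded value "-1'", so the literal "%27" never appears), how the decoded payload rewrites a concatenated query, and how the same payload is handled as plain data by a parameterized query. The table, function names and the sample payload are constructed for the example.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample input: what an attacker sends on the wire, and what a
# form/query-string API (Request.Form in classic ASP, request.form in Flask,
# and so on) hands to application code after URL-decoding it.
RAW_PAYLOAD = "-1%27+OR+%271%27%3D%271"      # on the wire
DECODED_PAYLOAD = unquote_plus(RAW_PAYLOAD)   # -1' OR '1'='1  (what the app sees)


def blocklist_trap(value: str) -> bool:
    """The blocklist idea from the answer: look for the literal string "-1%27".

    This only matches the encoded form.  Because the server decodes the value
    before the application sees it, the decoded payload slips straight past.
    """
    return "-1%27" in value


def make_db() -> sqlite3.Connection:
    """Build a small in-memory table to query against (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [(1, "alpha"), (2, "beta"), (3, "gamma")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, item_id: str) -> list:
    """VULNERABLE: the user-supplied value is spliced into the SQL text.

    With the decoded payload the statement becomes
        SELECT name FROM items WHERE id = '-1' OR '1'='1'
    which is true for every row.
    """
    sql = "SELECT name FROM items WHERE id = '" + item_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, item_id: str) -> list:
    """SAFE: the value is bound as a parameter and is never parsed as SQL.

    The whole string "-1' OR '1'='1" is compared against the id column as one
    opaque value, so it matches nothing.
    """
    sql = "SELECT name FROM items WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (item_id,))]


if __name__ == "__main__":
    conn = make_db()
    print("blocklist sees raw value:    ", blocklist_trap(RAW_PAYLOAD))      # True
    print("blocklist sees decoded value:", blocklist_trap(DECODED_PAYLOAD))  # False
    print("concatenated query returns:  ", lookup_concat(conn, DECODED_PAYLOAD))  # all rows
    print("parameterized query returns: ", lookup_param(conn, DECODED_PAYLOAD))   # []
    print("parameterized, legit input:  ", lookup_param(conn, "2"))               # ['beta']
```

In classic ASP the parameterized form is an ADODB.Command with a CommandText containing "?" placeholders and values attached through CreateParameter / Parameters.Append, rather than a SQL string built by concatenation; the same distinction applies: the database driver receives the value separately from the statement text, so no amount of quoting or encoding in the input changes the query.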
 
Bob Schneider (Author) commented:
Thank you very much!