Thread: sql injection

  1. #1
    Join Date
    Mar 2003
    Location
    Memphis, TN, USA
    Posts
    61

    Unanswered: sql injection

    Hi there !

    Can anyone shed some more light on SQL injection? Is there any way to get rid of it? If yes, then please let me know.

    With Thanks !
    sqlboy

  2. #2
    Join Date
    Apr 2002
    Location
    Toronto, Canada
    Posts
    20,002
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL

  3. #3
    Join Date
    Mar 2003
    Location
    Memphis, TN, USA
    Posts
    61

    Thanks Rudy !

    But I already did all those things. The article published on SitePoint is very, very good, but it doesn't give me a clear picture of how to reduce the possibility of the same issue.

    I just want to know HOW? I understood completely what exactly it is, but I couldn't understand clearly how I can reduce the chance of getting hit by the same.

    Please guide me SQL Consultant.

    Thanks for your time and co-operation.

    Sqlboy

  4. #4
    Join Date
    Jul 2003
    Location
    San Antonio, TX
    Posts
    3,662
    At a minimum, you need to remove any DML calls from your front-end and replace them with calls to stored procedures (which you obviously have to write). Next, analyze every parameter that you pass into a stored procedure call for the single-quote character and double it by adding another apostrophe.
    "The data in a record depends on the Key to the record, the Whole Key, and
    nothing but the Key, so help me Codd."

  5. #5
    Join Date
    Mar 2003
    Location
    Memphis, TN, USA
    Posts
    61
    Thanks rdjabarov !

    Very good explanation indeed. But I couldn't get your second point (from "Next" onwards). Will you please elaborate on it a little more.

    With Thanks !
    Sqlboy

  6. #6
    Join Date
    Jul 2003
    Location
    San Antonio, TX
    Posts
    3,662
    For example, you have a stored procedure that validates UserID and Password.

    Code:
    ' Caller: both text-box values are run through FixString before being spliced
    ' into the single-quoted literals of the EXEC string.
    mSQL = "exec dbo.sp_CheckUser '" & FixString(txtUserID.Text) & "', '" & FixString(txtPWD.Text) & "'"

    ' Doubles every apostrophe (Chr(39)) and double quote (Chr(34)) in the input so
    ' the value cannot terminate the quoted literal it is placed in.
    ' Note: only the delimiter actually used in the SQL text (the apostrophe here)
    ' needs doubling; doubling Chr(34) as well changes the value the procedure sees.
    Public Function FixString(ByVal mString As String) As String
       Dim c As String * 1, i As Long, mOut As String
       ' Blank or whitespace-only input is returned unchanged
       If Trim(mString) = "" Then
          FixString = mString
          Exit Function
       End If
       mOut = ""
       For i = 0 To Len(mString) - 1
          c = Mid(mString, i + 1, 1)      ' Mid is 1-based
          If c = Chr(34) Or c = Chr(39) Then
             mOut = mOut & c & c          ' emit the quote character twice
          Else
             mOut = mOut & c
          End If
       Next i
       FixString = mOut
    End Function
    "The data in a record depends on the Key to the record, the Whole Key, and
    nothing but the Key, so help me Codd."
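The UserID/Password check above, built three ways, as an added example that is not code from the thread: plain concatenation, concatenation after quote doubling in the spirit of FixString, and a parameterized query. It uses an in-memory SQLite table with constructed rows (the Users table, the sample credentials and all function names are assumptions for illustration, not the poster's schema); SQLite's bound parameters stand in for ADO command parameters against SQL Server. The benign username O'Brien is enough to show the mechanism: the apostrophe in the data closes the string literal early, which is exactly the door that SQL injection walks through.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory Users table standing in for the thread's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("sqlboy", "pass1"), ("O'Brien", "pass2")],  # constructed sample rows
    )
    conn.commit()
    return conn


def fix_string(value: str) -> str:
    """Quote doubling in the spirit of the thread's FixString.

    Only the apostrophe is doubled here, because the value is placed inside a
    single-quoted SQL literal; that is the one character that could end it.
    """
    return value.replace("'", "''")


def check_user_raw(conn: sqlite3.Connection, user: str, pwd: str) -> int:
    """Plain concatenation: an apostrophe in the data ends the literal early."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserID = '" + user
           + "' AND Password = '" + pwd + "'")
    return conn.execute(sql).fetchone()[0]


def check_user_escaped(conn: sqlite3.Connection, user: str, pwd: str) -> int:
    """Concatenation after quote doubling: the value stays inside one literal."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserID = '" + fix_string(user)
           + "' AND Password = '" + fix_string(pwd) + "'")
    return conn.execute(sql).fetchone()[0]


def check_user_param(conn: sqlite3.Connection, user: str, pwd: str) -> int:
    """Parameterized query: the driver binds the values; they are never SQL text."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserID = ? AND Password = ?"
    return conn.execute(sql, (user, pwd)).fetchone()[0]


def login_outcomes(user: str, pwd: str) -> dict:
    """Run one credential pair through all three builders on a fresh table.

    Returns the matching row count per builder, or an 'error: ...' string when
    the concatenated statement itself no longer parses.
    """
    conn = make_db()
    out = {}
    try:
        out["raw"] = check_user_raw(conn, user, pwd)
    except sqlite3.OperationalError as exc:  # the quote broke the statement
        out["raw"] = "error: " + str(exc)
    out["escaped"] = check_user_escaped(conn, user, pwd)
    out["param"] = check_user_param(conn, user, pwd)
    conn.close()
    return out


if __name__ == "__main__":
    for creds in (("sqlboy", "pass1"), ("O'Brien", "pass2")):
        print(creds, login_outcomes(*creds))
```

For sqlboy all three builders agree. For O'Brien the raw builder fails with a syntax error because the data terminated the literal, while the quote-doubled and parameterized builders both find the row. Quote doubling only protects values that land inside single-quoted literals; a value spliced into a numeric position, or handed to a procedure that builds dynamic SQL internally, is not covered, which is why binding parameters (a command object with parameters, rather than an EXEC string) is the form to prefer.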
