  1. #1
    Join Date
    May 2006
    Location
    New York
    Posts
    15

    Unanswered: ADO & SQL injection

    Since search criteria for my website comes from the user, is there a (Classic) ADO method that tests for SQL injections?

  2. #2
    Join Date
    Jun 2004
    Location
    Arizona, USA
    Posts
    1,848
    Quote Originally Posted by blmgyossi
    Since search criteria for my website comes from the user, is there a (Classic) ADO method that tests for SQL injections?
    Since there's really no difference in the techniques used to test a database for security vulnerabilities and exploiting a database using security vulnerabilities, a public discussion of this topic is discouraged here.
    Lou
    Astonish
    "Lisa, in this house, we obey the laws of thermodynamics!" - Homer Simpson
    "I have my standards. They may be low, but I have them!" - Bette Midler
    "It's a book about a Spanish guy named Manual. You should read it." - Dilbert


  3. #3
    Join Date
    May 2006
    Location
    New York
    Posts
    15
    What I meant by method was, an ADO object method (function or sub).

  4. #4
    Join Date
    Aug 2005
    Location
    D/FW, Texas, USA
    Posts
    78
    No, not directly. You have to do it as a developer. One way to help prevent SQL injections is to use parameters instead of creating your SQL string on the fly.

    Other than that, some common things to do are to replace a single quote with a double quote, filter out things like '--', which is a comment in SQL Server, and ignore things like 'xp_' or 'sp_', which can be used to call system stored procedures.
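
The parameter approach suggested in post #4, shown as an added example that is not part of the thread: a Classic ASP search page that binds the user's text through an ADODB.Command parameter instead of concatenating it into the SQL string. The `Products` table, its `Name` and `ProductID` columns, the `q` query-string field and the `SearchDbConnStr` Application key are hypothetical names assumed for illustration.

```vbscript
<%
Option Explicit
' ADO constants (same values as in adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const MAX_TERM_LEN = 50   ' assumed width of the searched column

Dim term, conn, cmd, rs
term = Trim(Request.QueryString("q"))

' Reject empty or oversized input before touching the database.
If Len(term) = 0 Or Len(term) > MAX_TERM_LEN Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("SearchDbConnStr")   ' hypothetical key holding the connection string

' String-built form, for contrast only (user text becomes part of the SQL):
'   sql = "SELECT ProductID, Name FROM Products WHERE Name LIKE '%" & term & "%'"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholder is filled from the Parameters collection, so the value
' is sent as data and is never parsed as SQL text.
cmd.CommandText = "SELECT ProductID, Name FROM Products WHERE Name LIKE ?"
cmd.Parameters.Append cmd.CreateParameter("@term", adVarChar, adParamInput, _
    MAX_TERM_LEN + 2, "%" & term & "%")

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output as well; & "" turns a NULL value into an empty string.
    Response.Write Server.HTMLEncode(rs("Name").Value & "") & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

A `%` or `_` typed by the user still acts as a LIKE wildcard inside the bound value; that widens the match but does not alter the statement.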
