Mav44
Posts: 197 Joined: 6/25/2006 Status: offline
|
Protecting from SQL Injection - Rookie Needs Help - 10/19/2009 19:40:08
I have one site that is getting hit with SQL injection at least once a day, if not twice. I have been doing a lot of reading and I know I need to set limits on my fields, but I have questions.

1. Should I set my fields to integers? Will that block code like <>, or should I limit the number of characters, because most of the injection I have seen is over 30 characters long? Do I only need to do this on text fields?

2. Should I add something to my connection string to block attempts? I normally use something like

Set MyConn = Server.CreateObject("ADODB.Connection")
MdbFilePath = "PROVIDER=SQLOLEDB;DATA SOURCE=xxxx-xxx.secureserver.net;UID=InCorona1;PWD=xxxxxxxx;DATABASE=mydatabase"
MyConn.Open MdbFilePath

Once again, I appreciate any suggestions. I can strip out the injection pretty fast, but it is a pain in the a&* and I want to make this site and future sites better protected.
Mav44
Posts: 197 Joined: 6/25/2006 Status: offline
|
RE: Protecting from SQL Injection - Rookie Needs Help - 10/20/2009 10:16:45
Thanks TWD. Reading your info, it looks like you are protecting against injection when calling up the data:

<% field_name = TWD_StripHTML(request.form("field_name")) %>

I thought that the way I was getting the SQL injection was by someone taking advantage of my form's input or my connection string. I would need to add some type of qualifier to the input below.

<textarea rows="3" name="comments" cols="35" style="background-color: #FFFF99"></textarea>

would become

<span id="sprytextarea1">
<textarea rows="3" name="comments" cols="35" style="background-color: #FFFF99"></textarea>
<span class="textareaRequiredMsg">A value is required.</span><span class="textareaMaxCharsMsg">Exceeded maximum number of characters.</span>
</span>
Mav44
Posts: 197 Joined: 6/25/2006 Status: offline
|
RE: Protecting from SQL Injection - Rookie Needs Help - 10/20/2009 13:27:36
So if I have this right, I would change my form input to

<textarea rows="3" name=TWD_StripHTML(request.form("comments")) cols="35" style="background-color: #FFFF99"></textarea>
Mav44
Posts: 197 Joined: 6/25/2006 Status: offline
|
RE: Protecting from SQL Injection - Rookie Needs Help - 10/26/2009 12:12:17
Is this similar to using Spry protection? I know you can get around this by disabling JavaScript, but wouldn't it stop most people from ever even entering the script? Like

<span id="sprytextfield1">
<input type="text" name="Company" size="30" style="background-color: #FFFF99" maxlength="30">
<span class="textfieldRequiredMsg">A value is required.</span>
<span class="textfieldInvalidFormatMsg">Invalid format.</span>
</span>
<script type="text/javascript">
<!--
var sprytextfield1 = new Spry.Widget.ValidationTextField("sprytextfield1", "custom", {characterMasking:/[\da-zA-Z.!?\-\s]/, useCharacterMasking:true});
//-->
</script>
hzarabet
Posts: 1549 From: New Milford CT USA Status: offline
|
RE: Protecting from SQL Injection - Rookie Needs Help - 10/27/2009 8:46:32
Additionally, you can set up two SQL connection strings. Use a READ ONLY string for SELECT statements and a READWRITE string for the others. As the bulk of my statements are SELECTs, that closes up a lot of holes.
_____________________________
http://www.SigningsHotline.com lists EVERY upcoming athlete autograph appearance in the US and Canada
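The following classic ASP page is an added example written for this thread; it is not code from the original posts, nor part of the TWD_StripHTML or Spry code referred to above. It puts together the two points the thread circles around: Mav44's question about typing fields as integers and limiting lengths, and hzarabet's read-only login for SELECT statements. The real fix for the daily injections is the part neither post shows, passing form values as ADODB.Command parameters instead of concatenating them into the SQL string. Everything named here is an assumption for illustration: a Comments table with ProductId (int), Company (varchar(30)) and Comments (varchar(500)) columns, a hidden product_id form field, and two SQL logins, site_reader (SELECT only, e.g. a member of db_datareader) and site_writer (read and write), with the host and passwords as placeholders.

```vbscript
<%
' Added example, not from the thread. Server side of the comments form done
' with ADODB.Command parameters on two separate logins. All table, column,
' field and login names are assumptions for illustration.
Option Explicit

' ADO constants (values from adovbs.inc) so the page needs no include file
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200
Const adExecuteNoRecords = 128

' Two connection strings as hzarabet suggests: a login that can only SELECT, and one that can also write
Const READ_ONLY_CONN = "PROVIDER=SQLOLEDB;DATA SOURCE=xxxx-xxx.secureserver.net;UID=site_reader;PWD=xxxxxxxx;DATABASE=mydatabase"
Const READ_WRITE_CONN = "PROVIDER=SQLOLEDB;DATA SOURCE=xxxx-xxx.secureserver.net;UID=site_writer;PWD=xxxxxxxx;DATABASE=mydatabase"

' Length limits enforced here, whatever the Spry widget or maxlength did in the browser
Const MAX_COMPANY = 30
Const MAX_COMMENTS = 500

' Trims and cuts a form value to maxLen; over-long input is shortened, never an error
Function ClampText(value, maxLen)
    ClampText = Left(Trim(value & ""), maxLen)
End Function

' Returns the value as a Long if it is a plain string of digits, otherwise -1.
' IsNumeric alone also accepts forms like "1e3" or "&H10", so the check is explicit.
Function ParseId(value)
    Dim s, i
    s = Trim(value & "")
    ParseId = -1
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    ParseId = CLng(s)
End Function

' Opens a connection and returns a Command bound to it with the given SQL text
Function NewCommand(connString, sqlText)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connString
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sqlText
    Set NewCommand = cmd
End Function

' INSERT through the read-write login. The three values travel as typed
' parameters, so a comment such as  ' OR 1=1 --  is stored as text, not run as SQL.
Sub SaveComment(productId, company, comments)
    Dim cmd
    Set cmd = NewCommand(READ_WRITE_CONN, _
        "INSERT INTO Comments (ProductId, Company, Comments) VALUES (?, ?, ?)")
    cmd.Parameters.Append cmd.CreateParameter("@ProductId", adInteger, adParamInput, , productId)
    cmd.Parameters.Append cmd.CreateParameter("@Company", adVarChar, adParamInput, MAX_COMPANY, company)
    cmd.Parameters.Append cmd.CreateParameter("@Comments", adVarChar, adParamInput, MAX_COMMENTS, comments)
    cmd.Execute , , adExecuteNoRecords
    cmd.ActiveConnection.Close
End Sub

' SELECT through the read-only login; even if this query were ever injectable,
' that login cannot UPDATE, DELETE or DROP anything.
Function LoadComments(productId)
    Dim cmd
    Set cmd = NewCommand(READ_ONLY_CONN, _
        "SELECT Company, Comments FROM Comments WHERE ProductId = ?")
    cmd.Parameters.Append cmd.CreateParameter("@ProductId", adInteger, adParamInput, , productId)
    Set LoadComments = cmd.Execute
End Function

' Handle the posted form
Dim productId, company, comments, rs
productId = ParseId(Request.Form("product_id"))
If productId < 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product id."
    Response.End
End If
company = ClampText(Request.Form("Company"), MAX_COMPANY)
comments = ClampText(Request.Form("comments"), MAX_COMMENTS)
SaveComment productId, company, comments

Set rs = LoadComments(productId)
Do Until rs.EOF
    ' HTMLEncode on the way out so a stored comment cannot run script in other visitors' browsers
    Response.Write "<p><b>" & Server.HTMLEncode(rs("Company")) & "</b>: " & _
        Server.HTMLEncode(rs("Comments")) & "</p>"
    rs.MoveNext
Loop
rs.Close
%>
```

The Spry character mask and the maxlength attribute can stay as a convenience for visitors, but ParseId and ClampText run on every request because a browser with JavaScript disabled, or a script posting straight to the page, never sees them. Note also that the read-only login only limits the damage on the SELECT path; on the INSERT path the login has to be able to write, so the parameterized command is what actually keeps the posted text out of the SQL.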