Re: Form login




Brynn wrote:

> Aren't you only leaving yourself open for SQL injection if you don't
> make sure that certain characters aren't in the string before you
> allow them into your SQL string? Like making sure that they are numbers
> and letters only first with scripts.

No. That's a start, but clever hackers can find ways to defeat
security-by-validation-only. Go back and look at the links I posted. They
show a couple ways, but there are more.

The only way to be sure of preventing SQL Injection is to not use
concatenation to build query strings. Use parameters. Not only are they more
secure, they are also easier to use (you don't have to worry about
delimiters, for starters). Definitely a win-win solution, in my mind.

Don't neglect server-side validation of user inputs just because you are
using parameters. You want to be able to detect hack attempts at an early
stage...

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
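The two approaches the reply contrasts, shown side by side as an added example (this is not the poster's code, and it uses Python with sqlite3 as a stand-in for the ADO/ASP.NET data access the newsgroup discusses; the users table, the sample logins and the username pattern are constructed for the demonstration):

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory users table standing in for the
# login table behind the form.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]


def make_db():
    """Build the in-memory table the two login functions query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concatenated(conn, username, password):
    """The 'before': the query string is built by concatenation, so any
    delimiter inside the user's input becomes part of the SQL itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """The fix: placeholders. The driver hands the values to the engine
    separately from the statement text, so nothing typed into the form can
    change the shape of the query, and no delimiters need escaping."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Hypothetical site rule: usernames are letters, digits and underscore only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(username):
    """Server-side validation kept alongside parameters, for early detection.
    Returns None when the username looks legitimate, otherwise a reason that
    the application can log as a suspected probe before touching the DB."""
    if not USERNAME_RE.match(username):
        return "username contains characters outside [A-Za-z0-9_] or is too long"
    return None


def demo():
    """Run both login styles against the same constructed inputs."""
    conn = make_db()
    # A legitimate login behaves the same either way.
    good = login_parameterized(conn, "bob", "hunter2")
    # A password field containing quote delimiters: with concatenation the
    # input rewrites the WHERE clause; with parameters it is just a wrong password.
    odd_password = "' OR '1'='1"
    concat_rows = login_concatenated(conn, "alice", odd_password)
    param_rows = login_parameterized(conn, "alice", odd_password)
    return {
        "good": good,                         # ['bob']
        "concatenated": sorted(concat_rows),  # ['alice', 'bob']: every row matched
        "parameterized": param_rows,          # []: no row has that password
        "validation": validate_username(odd_password),  # a reason string
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note why the validation helper only covers the username: a password legitimately contains spaces, quotes and other punctuation, so it cannot be whitelisted down to letters and digits. That field is exactly where parameters do the work, while the username check still gives you the early warning the reply recommends.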
