Re: Assistance with ASP Redirect Evertjan
From: Evertjan. (exjxw.hannivoort_at_interxnl.net)
Date: 08/13/04
- Next message: Harag: "Re: Lots of Response.Writes of HTML - How do YOU do it?"
- Previous message: Endora: "Re: Assistance with ASP Redirect Evertjan"
- In reply to: Endora: "Re: Assistance with ASP Redirect Evertjan"
- Messages sorted by: [ date ] [ thread ]
Date: 13 Aug 2004 17:04:17 GMT
Endora wrote on 13 aug 2004 in microsoft.public.inetserver.asp.general:
> sSQL = "SELECT URL FROM mytable WHERE CD='" & Request.QueryString("CD") & "'"
It is very dangerous to put a client-side string like Request.QueryString("CD") directly in the SQL.
Hackers can easily construct a string for http://mysite.com/db.asp?CD=... that alters or deletes part of your database!
So, again: always validate the querystring first.
See: What is SQL Injection?
<http://www.4guysfromrolla.com/webtech/061902-1.shtml> and more
-- Evertjan. The Netherlands. (Please change the x'es to dots in my emailaddress)
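As an added example (not Endora's or Evertjan's code), here is the same lookup written defensively in classic ASP: the querystring value is first validated against an assumed pattern, then handed to ADO as a parameter instead of being concatenated into the SQL string. The open connection object conn, the CD column width and the allowed character set are assumptions.

```vbscript
<%
' Assumed: conn is an already-open ADODB.Connection to the database.
Dim cd, re, cmd, rs
cd = Request.QueryString("CD")

' Step 1: validate the client-supplied value before it goes anywhere near SQL.
' Assumed shape: CD is 1-10 alphanumeric characters; anything else is rejected.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9]{1,10}$"
If Not re.Test(cd) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid CD value"
    Response.End
End If

' Step 2: use a parameterised ADO command so the value is never parsed as SQL.
' Numeric ADO constants are used so the page does not depend on adovbs.inc:
'   adCmdText = 1, adVarChar = 200, adParamInput = 1
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1
cmd.CommandText = "SELECT URL FROM mytable WHERE CD = ?"
cmd.Parameters.Append cmd.CreateParameter("CD", 200, 1, 10, cd)

Set rs = cmd.Execute
If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.Write "Unknown CD"
Else
    ' The redirect target comes from the database row, not from the client.
    Response.Redirect rs("URL")
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

Even with the parameter in place, the regular-expression check is kept so that malformed input is rejected early and logged by the web server as a 400 rather than reaching the database at all.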