classic ASP protection against SQL injection
I\'ve inherited a large amount of Classic ASP code that is currently missing SQL injection protection, and I\'m working on it. I\'ve examined in detail the solutions offered
-
I use two layers of defense:
- create a 'cleanparameter' function, and every call that gets from querystring or form values, use it calling that function. The function at the very least should replace simple quotes, and also truncate the string to a value you pass. So, for example, if the field can't be longer than 100 chars, you would call it like x = cleanparameter(request.querystring("x"), 100). That's the first line of defense
- Use parameterized queries to run SQL instructions
讨论(0) -
The best option is to use parameterized queries. On how that is done, you must check out:
- SQL Injection Mitigation: Using Parameterized Queries
In PHP also, the PDO (and prepared statements) allows developers to use parameterized queries to avoid sql injection.
Update
Yes you can specify parameters in
WHEREclause and for that you can useADODB.Commandobject like below example:' other connection code set objCommand = Server.CreateObject("ADODB.Command") ... strSql = "SELECT name, info FROM [companies] WHERE name = ?" _ & "AND info = ?;" ... objCommand.Parameters(0).value = strName objCommand.Parameters(1).value = strInfo ...For more information, see the article link that I have posted above or you may want to research a little more on the topic if you want.
讨论(0)
加载中...
- 热议问题