Previous Next

• 05-07-2008, 5:20 AM

  troy_oz Joined on 04-16-2008, 7:01 AM Posts 5 troy_oz

  ASP Classic, SQL Server Injection Validation Reply Contact Hi all, I'm a part time developer and have yesterday discovered the world of SQL Injection, when the only site I run that uses a MS SQLServer 2005 database was Injected by modifying a basic ASP Classic page eg. listing.asp?id= querystring which then was able to insert a html javascript link. Now that I've got an understadning of what has happened, I am looking for some examples of ways for validating querystrings, input boxes etc... I'm not a vbscript programming king and find if I see examples I can learn better from a live demonstration. Any help would be great

• 05-07-2008, 8:15 AM

  In reply to

  jeff@zina.com Joined on 09-26-2003, 6:43 AM Naples, FL, USA Posts 1,256 jeff@zina.com	Re: ASP Classic, SQL Server Injection Validation Reply Contact By far the best is parameterized queries, for more help start with: http://www.4guysfromrolla.com/webtech/061902-1.shtml Jeff Look for Wrox's new book Professional IIS 7 in your local bookstore, or order now at Amazon.com

• 05-07-2008, 9:59 AM

  In reply to

  troy_oz Joined on 04-16-2008, 7:01 AM Posts 5 troy_oz

  Re: ASP Classic, SQL Server Injection Validation Reply Contact Hi Jeff yeah Bill over at aspmessageboard pointed me to the same page. Hopefully it will contain everything I need. When you say parameterized queries what exactly do you mean by that? Paramaterized? Heres my samply query: (100% no validation as I have now learned!) dim thisID2 dim objRS2 thisID2 = Request.QueryString("id") dbOpen() set objRS2 = dbCOnnect.Execute("SELECT * FROM tblNews WHERE PostID = " & thisID2)

• 05-12-2008, 5:51 AM

  In reply to

  Zhao Ji Ma - MSFT Joined on 01-05-2007, 5:36 AM Posts 757 Zhao Ji Ma - MSFT	Re: ASP Classic, SQL Server Injection Validation Reply Contact  You can also use the script here. Zhao Ji Ma Sincerely, Microsoft Online Community Support “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”