
ASP Classic, SQL Server Injection Validation [Answered]

3 replies

Last post May 12, 2008 05:51 AM by Zhao Ji Ma - MSFT

  • ASP Classic, SQL Server Injection Validation

    May 07, 2008 05:20 AM | troy_oz

    Hi all, I'm a part-time developer and yesterday discovered the world of SQL injection, when the only site I run that uses an MS SQL Server 2005 database was injected by modifying a basic ASP Classic page, e.g. the listing.asp?id= querystring, which was then able to insert an HTML JavaScript link.

    Now that I've got an understanding of what has happened, I am looking for some examples of ways of validating querystrings, input boxes etc.

    I'm not a VBScript programming king and find that if I see examples I can learn better from a live demonstration. Any help would be great.
  • Re: ASP Classic, SQL Server Injection Validation

    May 07, 2008 08:15 AM | jeff@zina.com

    By far the best is parameterized queries, for more help start with:

    http://www.4guysfromrolla.com/webtech/061902-1.shtml

    Jeff

    Have you Binged a solution before posting?
  • Re: ASP Classic, SQL Server Injection Validation

    May 07, 2008 09:59 AM | troy_oz

    Hi Jeff, yeah, Bill over at aspmessageboard pointed me to the same page. Hopefully it will contain everything I need.

    When you say parameterized queries, what exactly do you mean by that? Parameterized?

    Here's my sample query (100% no validation, as I have now learned!):

    ' Vulnerable as posted: the raw querystring value is concatenated straight into the SQL text
    dim thisID2
    dim objRS2
    thisID2 = Request.QueryString("id")
    dbOpen()
    set objRS2 = dbCOnnect.Execute("SELECT * FROM tblNews WHERE PostID = " & thisID2)
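As an added example (not code from the original thread or from the linked article), here is the query above rewritten as a parameterized ADODB.Command, which is what "parameterized query" means in practice: the id travels to SQL Server as a typed value rather than as part of the SQL text. It assumes the same dbOpen() routine and dbConnect connection object as the poster's snippet, and a Title column in tblNews for the output line.

```vbscript
<%
' Added example, not from the original post. Assumes dbOpen() and the
' dbConnect ADODB.Connection from the poster's own include.

Function GetNewsPost(ByVal rawId)
    Dim cmd, postId

    ' PostID is an integer column, so reject anything that is not a plain
    ' number before it reaches the database at all.
    If Not IsNumeric(rawId) Then
        Set GetNewsPost = Nothing
        Exit Function
    End If
    postId = CLng(rawId)

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = dbConnect
    cmd.CommandType = 1              ' adCmdText
    ' The ? placeholder is bound by the provider; whatever the value
    ' contains, it can never become part of the statement text.
    cmd.CommandText = "SELECT * FROM tblNews WHERE PostID = ?"
    ' CreateParameter(name, type, direction, size, value)
    ' 3 = adInteger, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("PostID", 3, 1, , postId)

    Set GetNewsPost = cmd.Execute
End Function

Dim objRS2
dbOpen()
Set objRS2 = GetNewsPost(Request.QueryString("id"))

If objRS2 Is Nothing Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id."
ElseIf objRS2.EOF Then
    Response.Write "No such post."
Else
    ' Encode on output as well: a stored value must not be emitted as raw HTML.
    Response.Write Server.HTMLEncode(objRS2("Title"))
End If
%>
```

The same pattern (a ? per value, one CreateParameter per ?) covers INSERT and UPDATE statements fed from form fields, which is where the injected link in the original post ended up.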
  • Re: ASP Classic, SQL Server Injection Validation

    May 12, 2008 05:51 AM | Zhao Ji Ma - MSFT

    You can also use the script here.

    Zhao Ji Ma
    Sincerely,
    Microsoft Online Community Support