Google
AspAlliance.com Web
AspAlliance
Register
Edit My Profile
Author List
Write for Us
About AspAlliance
Contact Us
Privacy Policy
Link To Us
Advertise

Subscribe
Free Newsletter
Newsletter Archive
RSS Syndication

.NET Tutorials
Learn .NET
Learn WCF
Learn WPF
Learn ASP.NET
Learn AJAX
Learn Silverlight
Learn Visual Studio
Learn ADO.NET
Learn LINQ
Learn C# (CSharp)
Learn VB.NET
Learn Web Services
Learn Controls
Learn BizTalk
Learn SharePoint
Learn Mobile
Learn SQL
Learn SQL Reporting
Learn Windows Forms
Learn XML
Learn Crystal Reports
Learn FarPoint
Learn DevExpress
Examples
ASP.NET 2.0 Examples

ASP Tutorials
Learn ASP
Learn VBScript
Learn JScript
Learn SQL
Learn XML

Software Resources
Shopping Cart Ecommerce
Charts and Dashboards

Other Resources
Learn Java
Learn Oracle
Opinion / Editorial
Crystal Reports Alliance
WPF Resources
AJAX Resources
Silverlight Resources

Free Tools
Cache Manager
SimpleCMS

Reviews
Book Reviews
Product Reviews
Expert Advice

Books
ASP.NET Developer's Cookbook
Sample Chapters
Book Reviews

Community
Developer Jobs
Resource Directory
ASP Email Lists
ASP.NET Email Lists
Whidbey Email Lists
AspAlliance Groups
SQL Email Lists
XML Email Lists
Regular Expressions
MS Communities
CodeWise Communities

Web Hosting
ASP Hosting
Dedicated Servers
FREE Hosting
Shared Hosting
Web Farm Hosting

Print This Article Print  Add To Favorites Add To Favorites    Email This Article To A Friend Email To Friend  Rate This Article Rate This Article   
SQL Injection in Classic ASP and Possible Solutions
page 7 of 8
by Ehsanul Haque
Feedback
Average Rating: 
Views (Total / Last 10 Days): 18768/ 403
Additional Resources

Microsoft's Opinionated Misfit Geek - Tools to block and eradicate SQL injection

Download Scrawlr

The Microsoft Source Code Analyzer for SQL Injection tool is available to find SQL injection vulnerabilities in ASP code

Microsoft Urlscan Filter v3.0 Beta (x86)

Filtering SQL injection from Classic ASP

Preventing SQL Injections in ASP
View Entire Article

Article Feedback

Title:  
Name:  
Url: ( Optional )
Comment:  
Please add 2 and 5 and type the answer here:

User Comments

Title: Replace wrong words   
Name: Eric Coumans
Date: 12/21/2009 10:37:23 AM
Comment:
Hi there,

small question: is it also possible instead of going to the error page, replace the value in the scanned form input?

so when somebody fills in "copenhagen" the function (mentioned above) will change ("open") this into: "c*hagen"...

thanks for the help!
Title: RE: Function always return true   
Name: Ehsanul Haque
Date: 12/9/2009 5:01:13 AM
Comment:
Hello Mr. Javed,
I don't think the function is always returning true. After configuring the sample, open the test.asp and type username "cursor p1" and it will be blocked as the "cursor" is the blacklisted keyword. Similarly, if you write "abc" it will not block as it is not in the blacklist. Also see the relavant code below:

For Each s in BlackList
If(IsExceptionList(s,varType)=False) then
If ( InStr (lstr, s) <> 0 ) Then
CheckStringForSQL = true
Exit Function
End If
End If
Next

Where "lstr" is the string to check and "s" is the blacklisted keyword.

However, please check that the sample is configured correctly. Please let me know if I can help you anyway.

Thanks,
Ehsan
Title: Function always return true   
Name: Javed Iqbal
Date: 12/9/2009 2:01:23 AM
Comment:
\
Title: RE: 谢谢。   
Name: Ehsanul Haque
Date: 12/5/2009 6:40:15 AM
Comment:
Hi,
I don't know Chinese but I think you are looking for code sample. If it is true then please see the entire article here http://aspalliance.com/1703_SQL_Injection_in_Classic_ASP_and_Possible_Solutions.all

Also you can get the sample project by clicking on the Downloads link at the top or browse here http://aspalliance.com/1703_SQL_Injection_in_Classic_ASP_and_Possible_Solutions.all#Page6

Thanks,
Ehsan
Title: Thank you   
Name: Stefan
Date: 11/24/2009 11:22:30 AM
Comment:
Thank you very much. I had some SQL injection problems and I implemented this, tested and it seems to hold up thus far.

Now I have to teach myself stored procedures along with some .net stuff. Thanks again.
Title: :)   
Name: RJ
Date: 1/13/2009 2:04:18 AM
Comment:
good article. it really helps






Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2010 ASPAlliance.com  |  Page Processed at 3/21/2010 4:09:52 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search