 Print
 Add To Favorites
 Email To Friend
 Rate This Article
|
SQL Injection in Classic ASP and Possible Solutions
|
by Ehsanul Haque
Feedback
|
Average Rating: 
Views (Total / Last 10 Days):
34063/
227
|
|
|
|
| Downloads |
|
|
|
|
|
Article Feedback
User Comments
Title:
Commentt
Name:
Ganannathan
Date:
1/31/2012 4:03:26 AM
Comment:
Do your Work.............
|
Title:
RE:sample code missing
Name:
Ehsanul Haque
Date:
1/23/2012 12:04:29 PM
Comment:
Hey Bob,
Thanks for notifying me about the missing URL for the sample code. I am in rush right now, but I will try to fix it as soon as possible.
|
Title:
sample code missing
Name:
Bob
Date:
1/23/2012 9:14:23 AM
Comment:
Sadly, the sample code ZIP file is 404 not found. :( I believe I can follow along with the article, and extract the appropriate code to implement, but sample code is almost always more straight forward for fully understanding a concept, since it is usually a full solution vs a tutorial. Thanks for a great article, though!
|
Title:
Possible solution for SQL Injection
Name:
Rey Calanta-ol
Date:
4/1/2011 10:06:12 AM
Comment:
1. Optimize your inputs, you may use replace function to replace all suspicious symbols in the inputs.
2. Use parameterized query.
|
Title:
Great article :)
Name:
Benedict Basa
Date:
11/7/2010 11:51:15 PM
Comment:
Exactly what i needed :)
|
Title:
ASP is here to remain for a long time.
Name:
pickatutorial
Date:
10/5/2010 11:27:44 AM
Comment:
ASP is here to remain for a long time.
|
Title:
nice :)
Name:
MJ
Date:
6/29/2010 5:37:37 PM
Comment:
no comment :)
|
Title:
Replace wrong words
Name:
Eric Coumans
Date:
12/21/2009 10:37:23 AM
Comment:
Hi there,
small question: is it also possible instead of going to the error page, replace the value in the scanned form input?
so when somebody fills in "copenhagen" the function (mentioned above) will change ("open") this into: "c*hagen"...
thanks for the help!
|
Title:
RE: Function always return true
Name:
Ehsanul Haque
Date:
12/9/2009 5:01:13 AM
Comment:
Hello Mr. Javed,
I don't think the function is always returning true. After configuring the sample, open the test.asp and type username "cursor p1" and it will be blocked as the "cursor" is the blacklisted keyword. Similarly, if you write "abc" it will not block as it is not in the blacklist. Also see the relavant code below:
For Each s in BlackList
If(IsExceptionList(s,varType)=False) then
If ( InStr (lstr, s) <> 0 ) Then
CheckStringForSQL = true
Exit Function
End If
End If
Next
Where "lstr" is the string to check and "s" is the blacklisted keyword.
However, please check that the sample is configured correctly. Please let me know if I can help you anyway.
Thanks,
Ehsan
|
Title:
Function always return true
Name:
Javed Iqbal
Date:
12/9/2009 2:01:23 AM
Comment:
\
|
Title:
RE: 谢谢。
Name:
Ehsanul Haque
Date:
12/5/2009 6:40:15 AM
Comment:
Hi,
I don't know Chinese but I think you are looking for code sample. If it is true then please see the entire article here http://aspalliance.com/1703_SQL_Injection_in_Classic_ASP_and_Possible_Solutions.all
Also you can get the sample project by clicking on the Downloads link at the top or browse here http://aspalliance.com/1703_SQL_Injection_in_Classic_ASP_and_Possible_Solutions.all#Page6
Thanks,
Ehsan
|
Title:
Thank you
Name:
Stefan
Date:
11/24/2009 11:22:30 AM
Comment:
Thank you very much. I had some SQL injection problems and I implemented this, tested and it seems to hold up thus far.
Now I have to teach myself stored procedures along with some .net stuff. Thanks again.
|
Title:
:)
Name:
RJ
Date:
1/13/2009 2:04:18 AM
Comment:
good article. it really helps
|
|
|
|
|
|
