Post reply

ASP and SQL Coding Help

  • April 29, 2008 at 3:16 pm

    #808686

    The system is housed on an internal network with no external access, so security is not on the forefront of the clients requirements.

  • April 29, 2008 at 3:42 pm

    #808692

    That does help things a lot, but I think that security oughtn't be ignored (or best practices either, for that matter), even for internal applications. 😀

    Steve -kicking in his 2 cents after the fact- G.

  • April 30, 2008 at 12:31 am

    #808816

    How would I structure it so that it does not pose a SQL Injection risk?

  • April 30, 2008 at 9:25 am

    #809149

    There's a number of things that can be done. Perhaps the easiest is to not use dynamic SQL. That is, move the SQL statements to a stored procedure and pass your inputs (e.g. "ThisPublication") as parameters.

    If you feel you must use dynamic SQL or that you're too far along in development to switch over to stored procedures, I'd recommend at least filtering your data input and converting 'special characters' into their html code equivalents. For example, the semicolon could be replaced with '& # 59;' or the equals sign with '& # 61;' (You'll need to take out the spaces, I had to put them in to get the code to display:)). Doing this means that, while the text will display cleanly on your website, it won't be executable SQL by the time the SQL processor sees it. You can get the full list of html codes at http://www.ascii.cl/htmlcodes.htm

    There's more that could be done, and you can find lots of info on this site (and others) by searching on "SQL Injection".

    Good Luck!

    Steve G.

  • April 30, 2008 at 3:22 pm

    #809344

    You need the additional join here.

    Also note that its better to wrap the sql code in a stored procedure for security and performance reasons.

  • May 1, 2008 at 7:53 am

    #809545

    I would like to echo the sentiments of not using "Select *" in code. In addition, If this code is not limited to an intranet, I would reccommend making your queries stored procs. I am always worried about injection.

    Q

    Please take a number. Now serving emergency 1,203,894

Viewing 6 posts - 16 through 20 (of 20 total)

You must be logged in to reply to this topic. Login to reply