
Sanitized parameter inputs

Status
Not open for further replies.

BigRed1212

Technical User
Mar 11, 2008
550
US
I just realized I may not have been doing what I thought I was doing, and I may need to do it. Love that sentence.


Currently I take in user input from a form:
Code:
fname=Request.Form("fname")
lname=Request.Form("lname")
city=Request.Form("city")
etc..

I connect to the database:
Code:
data_source = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=<path to the .mdb>"
Set con = Server.CreateObject("ADODB.Connection")
con.Mode = 3
con.Open data_source

I execute a stored procedure:
Code:
con.insert_datathing fname, lname, city, etc..
con.Close
Set con = Nothing

Should I be adding a step?:
Code:
Function DeleteChars(str)
    ' Strips "http://", ".js" and the characters \ { } ' : % ( ) from the input
    Set regex = New RegExp
    regex.Pattern = "(http://|\.js|[\\{}':%()])"
    regex.Global = True
    DeleteChars = regex.Replace(str, "")
    Set regex = Nothing
End Function
(The above was written for me here, BTW, before I started using the stored procedure, when I was just doing a direct insert.)

and doing something like (not sure of the syntax and how I would do it):
Code:
con.insert_datathing DeleteChars(fname), DeleteChars(lname), DeleteChars(city),  etc...

or does just using the stored procedure by itself reduce/eliminate my vulnerability to an injection attack so that I don't need to run the input sanitization?
 
I do not think the regex you show is suitable in that it will remove valid characters. You may wish to look at URL encoding and HTML encoding.

Well, without getting into the details of regex (which I don't speak and, as I indicated, didn't write), and having looked at those two articles, I guess my larger question still stands: Do I need to sanitize parameter inputs (using regex or encoding or whatever), or does just making them parameters get the job done?
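An added illustration (not code from this thread) of the two separate controls the posts above touch on: ADODB parameters keep user input out of the query text, which is what defeats SQL injection, while HTML encoding is an output-side control applied only where a stored value is written back into a page. The shortcut call `con.insert_datathing ...` goes through the same parameter mechanism; spelling it out with ADODB.Command makes that visible. The query name insert_datathing, the parameter names and the Text(255) sizes are assumptions.

```vbscript
' Added example, classic ASP / VBScript. Assumed: a saved Jet query named
' insert_datathing taking three text parameters in this order.
Const adCmdStoredProc    = 4
Const adVarWChar         = 202
Const adParamInput       = 1
Const adExecuteNoRecords = 128

' Vulnerable shape, for contrast only: the value becomes part of the SQL text,
' so a quote inside fname ends the literal and the remainder is parsed as SQL.
'   con.Execute "INSERT INTO people (fname) VALUES ('" & fname & "')"

' Safe shape: the statement is fixed and each value travels as a typed
' parameter, so nothing in fname/lname/city can alter the statement.
Sub InsertDataThing(con, fname, lname, city)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = con
    cmd.CommandText = "insert_datathing"
    cmd.CommandType = adCmdStoredProc
    ' Jet binds by position, so append in the order the query declares them.
    ' 255 is the Jet Text maximum; ADO rejects a longer value instead of
    ' silently truncating it, so oversized input fails closed.
    cmd.Parameters.Append cmd.CreateParameter("pfname", adVarWChar, adParamInput, 255, CStr(fname))
    cmd.Parameters.Append cmd.CreateParameter("plname", adVarWChar, adParamInput, 255, CStr(lname))
    cmd.Parameters.Append cmd.CreateParameter("pcity",  adVarWChar, adParamInput, 255, CStr(city))
    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End Sub

' Encoding belongs at output time, not before storage: keep the raw text in the
' table and encode it where it is written into HTML, so "<" or quotes in a
' stored name render as text instead of becoming markup.
Sub ShowName(fname)
    Response.Write "<p>Hello, " & Server.HTMLEncode(fname) & "</p>"
End Sub
```

Call InsertDataThing(con, Request.Form("fname"), Request.Form("lname"), Request.Form("city")) in place of the shortcut; the regex stripping step is not needed for injection protection and, as noted in the reply above, removes legitimate characters.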

 
Ok. I should have asked this in another forum maybe.

 
