-
5
- #1
JohnYingling
Programmer
Security Alert: "SQL Injection Attack". Never put user input directly into an SQL request. Always use apostrophes around the values you are sending, even those that are supposed to be numeric then double-up any apostrophes in the received data.
Dim strWhere
Dim strQ
strQ = "'" ' Single Quote
' Get user data
strWhere = Request.QueryString("FIELD01"
' Double-up any apostophes in data and surround with apostophes
strWhere = strQ & Replace(strWhere, "'", "''" & strQ
strSQL = "SELECT * FROM TABLE01 WHERE FIELD01 = " & _
strWhere
Suppose someone types the following data into FIELD01
A'; DROP TABLE TABLE02 --
Without doubling apostophes, your SELECT command would be transformed into
SELECT * FROM TABLE01 WHERE FIELD01 = 'A'; DROP TABLE TABLE02 --'
A new SQL command has been injected into yours.
The A' closes the WHERE, the ; closes the SELECT and starts a new command. The DROP TABLE TABLE02 deletes a TABLE whose name might be guessed. The -- makes the reset of the line a comment so that the trailing apsotrophe around the user data will not cause a syntax error.
Devilish, ain't it.
By following the remedy, the command appears as follows
SELECT * FROM TABLE01 WHERE FIELD01 = 'A''; DROP TABLE TABLE02 --'
Now the entire user input is an argument for the WHERE clause and there is no SQL Injection.
This is the 1st entry of a Google search for
"SQL Injection Attack".
Forms/Controls Resizing/Tabbing Control
Compare Code (Text)
Generate Sort Class in VB or VBScript
Dim strWhere
Dim strQ
strQ = "'" ' Single Quote
' Get user data
strWhere = Request.QueryString("FIELD01"
' Double-up any apostophes in data and surround with apostophes
strWhere = strQ & Replace(strWhere, "'", "''"
& strQstrSQL = "SELECT * FROM TABLE01 WHERE FIELD01 = " & _
strWhere
Suppose someone types the following data into FIELD01
A'; DROP TABLE TABLE02 --
Without doubling apostophes, your SELECT command would be transformed into
SELECT * FROM TABLE01 WHERE FIELD01 = 'A'; DROP TABLE TABLE02 --'
A new SQL command has been injected into yours.
The A' closes the WHERE, the ; closes the SELECT and starts a new command. The DROP TABLE TABLE02 deletes a TABLE whose name might be guessed. The -- makes the reset of the line a comment so that the trailing apsotrophe around the user data will not cause a syntax error.
Devilish, ain't it.
By following the remedy, the command appears as follows
SELECT * FROM TABLE01 WHERE FIELD01 = 'A''; DROP TABLE TABLE02 --'
Now the entire user input is an argument for the WHERE clause and there is no SQL Injection.
This is the 1st entry of a Google search for
"SQL Injection Attack".
Forms/Controls Resizing/Tabbing Control
Compare Code (Text)
Generate Sort Class in VB or VBScript
![[americanflag]](/data/assets/smilies/americanflag.gif "[americanflag] [americanflag]")