ASP and SQL Injection prevention
Is it possible to "intercept" all calls to conn.execute and have them go to a checking routine that will either let the command go through or terminate it if it contains some illegal instructions? My client's company has had its hacker-free status revoked due to the possibility of SQL injection. I could put a function before every single conn.execute but we have hundreds of them. Just wondering if there is some way of telling it to do something else first. Maybe I can redefine conn.execute somehow?

Thanks!

Simon Wigzell wrote:
> Is it possible to "intercept" all calls to conn.execute and have them
> go to a checking routine that will either let the command go through
> or terminate it if it contains some illegal instructions? My clients
> company has had its hacker free status revoked due to the possibility
> of sql injection. I could put a function before every single
> conn.execute but we have hundreds of them. Just wondering if there is
> some way of telling it to do something else first. Maybe I can
> redefine conn.execute somehow?
> Thanks!

The best way to prevent sql injection is to use parameters instead of concatenation. See:

Access:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=e6lLVvOcDHA.1204%40TK2MSFTNGP12.phx.gbl
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&selm=eHYxOyvaDHA.4020%40tk2msftngp13.phx.gbl

Select statement:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/b3d322b882a604bd

Using Command object to parameterize CommandText:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

SQL Server:
http://tinyurl.com/jyy0

--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I don't check it very often. If you must reply off-line, then remove the "NO SPAM"
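
The parameterized approach recommended in the reply, as an added example that is not part of the original thread: one helper that existing conn.execute call sites can be migrated to, with a concatenated query shown beside its parameterized form. The helper name ExecParam, the table Users, its columns, and the already-open connection object conn are assumptions made for illustration.

```vbscript
' Added example for classic ASP (VBScript + ADO); place inside <% ... %> in an include file.
' Assumed: conn is an open ADODB.Connection; table Users with UserID/UserName/Email.

' ADO constants (values as defined in adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202

' Run a statement that uses positional ? markers. The values in args (a VBScript
' Array) are sent as parameters and are never spliced into the SQL text.
' Strings are bound as adVarWChar; any other value is treated as an integer.
Function ExecParam(conn, sql, args)
    Dim cmd, i, v
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    For i = 0 To UBound(args)
        v = args(i)
        If VarType(v) = vbString Then
            ' Variable-length types need a size of at least 1
            cmd.Parameters.Append _
                cmd.CreateParameter("p" & i, adVarWChar, adParamInput, Len(v) + 1, v)
        Else
            cmd.Parameters.Append _
                cmd.CreateParameter("p" & i, adInteger, adParamInput, , CLng(v))
        End If
    Next
    Set ExecParam = cmd.Execute
End Function

' Before: request data is concatenated into the statement, so a quote character
' in the form field changes the SQL that runs.
' Set rs = conn.Execute("SELECT UserID, Email FROM Users WHERE UserName = '" & _
'                       Request.Form("name") & "'")

' After: the same query with the value bound to the ? marker.
Dim rs
Set rs = ExecParam(conn, _
    "SELECT UserID, Email FROM Users WHERE UserName = ?", _
    Array(CStr(Request.Form("name"))))
```

Parameters are bound in the order they appear in the array, so each ? in the statement needs exactly one matching array element.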