Validating User Input to Avoid Attacks
A TO Consultant wrote:

Hi All,

I am working on a web application that uses both asp classic and asp.net pages. We need to validate user input to avoid attacks like sql injection. Can a component be created that both page types can use? Is that the best approach? Would I simply use pattern matching to validate strings and/or remove any unwanted characters?

Thanks in advance.


"Bob Barrows [MVP]" wrote:

A TO Consultant wrote:
> Hi All,
>
> I am working on a web application that uses both asp classic and asp.net pages. We need to validate user input to avoid attacks like sql injection. Can a component be created that both page types can use? Is that the best approach? Would I simply use pattern matching to validate strings and/or remove any unwanted characters?
>
> Thanks in advance.

For SQL Injection, while validation is important, it is not enough to prevent it. If you truly wish to prevent SQL Injection, you will avoid all use of dynamic sql*, using parameters to pass values instead.

I do not believe that validation can be made as generic as you are hoping it can be: some data should not contain sql keywords, and other data should.

*I am defining dynamic sql as the act of concatenating user input into sql statements which are subsequently executed.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From header is my spam trap, so I don't check it very often. You will get a quicker response by posting to the newsgroup.


A TO Consultant wrote:

Thanks Bob.

When you say to use parameters to pass values instead, do you mean to use stored procedures and call them with the values as parameters?

"Bob Barrows [MVP]" wrote:
> For SQL Injection, while validation is important, it is not enough to prevent it. If you truly wish to prevent SQL Injection, you will avoid all use of dynamic sql*, using parameters to pass values instead.
>
> I do not believe that validation can be made as generic as you are hoping it can be: some data should not contain sql keywords, and other data should.
>
> *I am defining dynamic sql as the act of concatenating user input into sql statements which are subsequently executed.


"Bob Barrows [MVP]" wrote:

A TO Consultant wrote:
> Thanks Bob.
>
> When you say to use parameters to pass values instead, do you mean to use stored procedures and call them with the values as parameters?

That's my preferred technique, but it's not necessary. Both ADO and ADO.Net allow the use of parameter markers to facilitate the passing of parameter values into ad hoc sql strings. Here is a description of the ADO implementation of this:
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e
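The parameter-marker technique Bob refers to, shown as an added classic ASP/ADO example (not code from the thread or from the linked post). It assumes a connection string stored in Application("ConnStr"), a Users table with UserName and FullName columns, and a form field named username; the commented-out concatenation line is the dynamic sql the thread warns against, kept only for contrast.

```vbscript
<%
Option Explicit
' Added example, not from the thread. Assumes Application("ConnStr"),
' a Users(UserName, FullName) table and a form field named "username".
Dim conn, cmd, rs, userName
userName = Request.Form("username")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")

' Dynamic sql (do NOT do this): the value becomes part of the statement text,
' so a quote character in the input changes the query instead of being data.
' Set rs = conn.Execute("SELECT FullName FROM Users WHERE UserName = '" & userName & "'")

' Parameter marker in an ad hoc statement: the SQL text is fixed and the value
' is sent separately, so the driver always treats it as data. No stored
' procedure is required for this.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "SELECT FullName FROM Users WHERE UserName = ?"
' CreateParameter(Name, Type, Direction, Size, Value)
' adVarWChar = 202, adParamInput = 1; size should match the column width
cmd.Parameters.Append cmd.CreateParameter("@user", 202, 1, 50, userName)

Set rs = cmd.Execute
If Not rs.EOF Then
    ' Encode on output as well; parameters protect the database, not the HTML
    Response.Write Server.HTMLEncode(rs("FullName") & "")
Else
    Response.Write "No such user."
End If

rs.Close : Set rs = Nothing
Set cmd = Nothing
conn.Close : Set conn = Nothing
%>
```

The same pattern applies on the ASP.NET side with a SqlCommand and its Parameters collection, which is why a shared "validation component" is not what keeps the two page types safe.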