ASP Site

BellaOnline's ASP Editor

SQL injection attacks

Guest Author - Lisa Shea

If you are taking in user data for any SQL query, it is imperative that you validate every single field that you use. Otherwise your data can be damaged with a SQL injection attack.

The main problem here is that SQL commands see a '' as a comment indicator. So in essence someone using your form can insert any SQL commands they want, and you will likely pass them right along to the database to execute.

Let's say you ask a user for their email address, and allow them to change it. You are running an update script that says

update people set email = '....

and then you put in what the user entered. But let's say they did NOT just enter an email address. Let's say they entered something like

' where 1=1''

now the entire SQL will read

update people set email = '' where 1=1'' ...

and whatever comes after that line will be completely ignored. So now your entire database is going to be updated with garbage, because of what that one person entered into your system.

There is no way to "stop" SQL from doing this. This is what it does: it executes commands. It is your job as the system administrator to ENSURE that every command you pass along to SQL is 100% correct and valid. That means that EVERY single form you take data into must be verified in every way you possibly can, to ensure that it only contains appropriate data. Hackers just love to corrupt people's systems for fun.

So important things to do include:

* Truncate input to as short a field as possible
* Check for '' and remove them
* If possible, eliminate anything but letters and numbers
* Use cInt and cLng where possible to ensure only numbers are input
* Prosecute any hackers that attempt assaults, so they are stopped!
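The following Python script is an added example, not code from the article or from BellaOnline. It puts the list above into practice (truncate the field, strip quote characters, allow only letters, digits and the few symbols an address needs, and a cInt/cLng-style integer check), using sqlite3 in place of the classic ASP database code the article has in mind. It goes one step beyond the list by also showing a parameterized query, where the value travels separately from the SQL text so a quote inside it is stored as data and cannot change the WHERE clause. The table, column, function names and the 64-character limit are assumptions; the two rows are constructed sample data.

```python
import re
import sqlite3

# Assumed field limit: keep the column as short as the data needs (the article's first rule).
MAX_EMAIL_LEN = 64


def build_vulnerable_update(user_email):
    """The pattern the article warns about: user text pasted straight into the SQL string.
    Built here only to show the resulting statement; it is never executed."""
    return "update people set email = '" + user_email + "' where id = 1"


def sanitize_email(raw):
    """The article's checks in order: truncate, strip quote characters, then allow only
    letters, digits and the symbols an address needs. Returns None when the input is rejected."""
    value = raw[:MAX_EMAIL_LEN].replace("'", "")
    if re.fullmatch(r"[A-Za-z0-9@._+-]+", value) is None:
        return None
    return value


def to_int(raw):
    """Like cInt/cLng in VBScript: accept only text that is really an integer, else None."""
    text = raw.strip()
    if re.fullmatch(r"-?\d+", text) is None:
        return None
    return int(text)


def setup_db():
    """In-memory table (assumed schema) with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people (id integer primary key, email text)")
    conn.executemany("insert into people (id, email) values (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    conn.commit()
    return conn


def update_email(conn, person_id, email):
    """Parameterized update: the driver sends the value separately from the SQL text, so a
    quote inside it is stored as data and cannot alter the WHERE clause. Returns rows changed."""
    cur = conn.execute("update people set email = ? where id = ?", (email, person_id))
    conn.commit()
    return cur.rowcount


def handle_form(conn, id_field, email_field):
    """What a form handler should do: validate both fields, then use the parameterized query."""
    person_id = to_int(id_field)
    email = sanitize_email(email_field)
    if person_id is None or email is None:
        return 0  # reject the submission; nothing reaches the database
    return update_email(conn, person_id, email)


def demo():
    """Run the article's input through both paths and return what each did."""
    payload = "' where 1=1''"  # the input the article describes
    conn = setup_db()
    vulnerable_sql = build_vulnerable_update(payload)  # only built, never executed
    rejected = handle_form(conn, "1", payload)          # validation stops it: 0 rows changed
    stored = update_email(conn, 1, payload)             # parameterized: 1 row, quotes kept literally
    rows = conn.execute("select id, email from people order by id").fetchall()
    return vulnerable_sql, rejected, stored, rows


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the script prints the statement the concatenating code would have handed to the database (with the user's WHERE clause spliced into it), 0 for the form submission the checks rejected, 1 for the parameterized update, and the two rows, where only row 1 changed and the quotes were stored as ordinary characters.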
Content copyright © 2013 by Lisa Shea. All rights reserved.
This content was written by Lisa Shea. If you wish to use this content in any manner, you need written permission. Contact BellaOnline Administration for details.

g


g features
Best uses for RSS

RSS and its future.

Force Download Dialog box with ASP

Archives | Site Map

forum
Forum
email
Contact

Past Issues
memberscenter


vote
Poetry
Daily
Weekly
Monthly
Less than Monthly



BellaOnline on Facebook
g


| About BellaOnline | Privacy Policy | Advertising | Become an Editor |
Website copyright © 2013 Minerva WebWorks LLC. All rights reserved.


BellaOnline Editor