Guest Author - Lisa Shea
If you are taking in user data for any SQL query, it is imperative that you validate every single field that you use. Otherwise your data can be damaged with a SQL injection attack.
The main problem here is that SQL commands see a '' as a comment indicator. So in essence someone using your form can insert any SQL commands they want to in your form - and you likely will pass them right along to the database to execute.
Let's say you ask a user for their email address, and allow them to change it. You are running an update script that says
update people set email = '....
and then you put in what the user entered. But let's say they did NOT just enter an email address. Let's say they entere something like
' where 1=1''
now the entire SQL will read
update people set email = '' where 1=1'' ...
and whatever comes after that line will be completely ignored. So now your entire database is going to be updated with garbage, because of what that one person entered into your system.
There is no way to "stop" SQL from doing this. This is what it does, it executes commands. It is your job as the system administrator to ENSURE that every command you pass along to SQL is 100% correct and valid. That means that EVERY single form you take data into must be verified in every way you possibly can, to ensure that it only contains appropriate data. Hackers just love to corrupt peoples' systems for fun.
So important things to do include:
* Truncate input to as short a field as possible
* Check for '' and remove them
* If possible, eliminate anything but letters and numbers
* Use cInt and cLng where possible to ensure only numbers are input
* Prosecute any hackers that attempt assaults, so they are stopped!