Active Server - Another Way To Watch For And Prevent SQL Injection Attacks In Your Web Applications

In a previous tip, we discussed how SQL injection attacks in poorly protected Web pages can jeopardize your critical business systems. Here's another way to prevent them. Look for semicolons in the item posted to the Web page before executing a SQL statement and/or make semicolons invalid characters in your form fields.

This would look something like this:

```asp
<%
' Look up a user by the UserID value submitted with the request, but refuse
' to run the query if the value contains a semicolon (statement separator).
Dim cn, rs, strSQL, strConn
strConn = "(placeholder: a valid ADO connection string)"

Set cn = Server.CreateObject("ADODB.Connection")
strSQL = "SELECT * FROM Users WHERE UserID=" & Request("UserID")
cn.Open strConn

' InStr returns 0 when the search string is not found, so 0 means "no semicolon".
If InStr(1, Request("UserID"), ";") = 0 Then
    Set rs = cn.Execute(strSQL)
Else
    Response.Write "Invalid Character (semicolon) Detected in UserName Field."
End If
%>
```
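A stricter version of the same lookup, added here as an example and not part of the original tip: a semicolon check alone only catches statement chaining, so this version validates the value as digits only and then passes it to the database as a bound parameter, so whatever it contains is treated as data rather than SQL. The connection string, the `Users`/`UserName` names and the integer type of `UserID` are assumptions.

```vbscript
<%
' Added example (not from the original tip). Placeholders: the connection
' string, the Users table, the UserName column and UserID being an integer.

' Accept only 1 to 9 decimal digits; IsNumeric would also accept "-1", "1e3" etc.
Function IsDigitsOnly(s)
    Dim i
    IsDigitsOnly = (Len(s) > 0 And Len(s) <= 9)
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then IsDigitsOnly = False
    Next
End Function

Dim cn, cmd, rs, strUserID
strUserID = Trim(Request("UserID"))

If Not IsDigitsOnly(strUserID) Then
    Response.Write "Invalid UserID."
    Response.End
End If

Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "(placeholder: a valid ADO connection string)"

' Parameterised command: the SQL text is fixed and the value travels separately,
' so quotes, semicolons or boolean clauses in the input can never change the query.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandText = "SELECT * FROM Users WHERE UserID = ?"
cmd.CommandType = 1                                   ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("UserID", 3, 1, , CLng(strUserID))
                                                      ' 3 = adInteger, 1 = adParamInput
Set rs = cmd.Execute

' Encode output so a stored value cannot be rendered as HTML/script either.
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("UserName")) & "<br>"
    rs.MoveNext
Loop
rs.Close
cn.Close
%>
```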
