 SQL Injection


alxtech
Yak Posting Veteran

66 Posts

Posted - 2007-10-25 : 11:07:45
Hello forum:
In my application, an ASP form to search records in the database depending on user input, I have three main input boxes: zipcode, proNumber, testNumber. All three inputs get numeric characters with a max length of 5.
Question: to prevent SQL Injection, is it enough to restrict users through form validation to input only numbers 0-9 and a (.) with a max length of 5?

SwePeso
Patron Saint of Lost Yaks

30421 Posts

Posted - 2007-10-25 : 11:09:20
No.
Please use the proper parameter approach by using the Command object!



E 12°55'05.25"
N 56°04'39.16"

spirit1
Cybernetic Yak Master

11752 Posts

Posted - 2007-10-25 : 11:09:42
no.
Use parameters! Or replace one single quote with two single quotes.

_______________________________________________
Causing trouble since 1980
blog: http://weblogs.sqlteam.com/mladenp
SSMS Add-in that does a few things: www.ssmstoolspack.com
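The two answers above (bind parameters; or double single quotes) are worth seeing side by side for the case in the question, where the columns are numeric. The block below is an added example and is not code from the original thread or from either poster. It uses Python with an in-memory SQLite table as a stand-in for the ASP/ADO Command object and SQL Server setup in the question; the table, the rows and the attacker string are constructed for the demonstration. It shows that the form rule is skipped entirely when a request is posted directly, that quote-doubling cannot help when the value is concatenated into a numeric comparison (there are no quotes to escape), and that a bound parameter is compared as a literal and never parsed as SQL.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the application's table (not the original schema)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE records ("
        "id INTEGER PRIMARY KEY, zipcode INTEGER, proNumber INTEGER, "
        "testNumber INTEGER, owner TEXT)"
    )
    con.executemany(
        "INSERT INTO records (zipcode, proNumber, testNumber, owner) VALUES (?, ?, ?, ?)",
        [(90210, 12345, 7, "alice"), (10001, 54321, 8, "bob"), (30301, 11111, 9, "carol")],
    )
    return con


def is_valid_form_input(value):
    """The rule proposed in the question: only 0-9 and '.', at most 5 characters.
    Apply it on the server as well; a browser-side copy never runs for a request
    that is posted directly to the page."""
    return 0 < len(value) <= 5 and all(c in "0123456789." for c in value)


def search_concat(con, zipcode):
    """Vulnerable: the value is concatenated into the statement. The column is
    numeric, so the SQL has no quotes around the value and doubling single quotes
    (the other fix suggested in the thread) changes nothing here."""
    sql = "SELECT owner FROM records WHERE zipcode = " + zipcode.replace("'", "''")
    return [row[0] for row in con.execute(sql)]


def search_param(con, zipcode):
    """Hardened: the value is sent as a bound parameter (what an ADO Command with
    Parameters does); the engine only ever compares it, it never parses it."""
    cur = con.execute("SELECT owner FROM records WHERE zipcode = ?", (zipcode,))
    return [row[0] for row in cur]


def search_validated_param(con, zipcode):
    """Defence in depth: server-side validation plus a bound parameter."""
    if not is_valid_form_input(zipcode):
        raise ValueError("zipcode must be 1-5 characters from 0-9 and '.'")
    return search_param(con, zipcode)


def demo():
    con = build_db()
    honest = "90210"
    # Constructed attacker input: it never went through the form, so the
    # HTML/JavaScript validation never ran.
    attacker = "90210 OR 1=1"
    return {
        "form_accepts_attacker": is_valid_form_input(attacker),
        "concat_honest": search_concat(con, honest),
        "concat_attacker": search_concat(con, attacker),  # every owner leaks
        "param_honest": search_param(con, honest),
        "param_attacker": search_param(con, attacker),  # compared as a literal, no match
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that the proposed rule also admits values such as "9.9.9", which is not a number at all and makes the concatenated statement fail with a syntax error; with a bound parameter it is simply a non-matching literal. Validation is useful for rejecting junk early, but the parameter is what removes the injection.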

spirit1
Cybernetic Yak Master

11752 Posts

Posted - 2007-10-25 : 11:10:04
22 seconds


SwePeso
Patron Saint of Lost Yaks

30421 Posts

Posted - 2007-10-25 : 11:11:10
See here http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=66012
how SQL injection is done

and here http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=73273
how to prevent it.
