Parameter injection

Thread starter: Paul M
Paul,

See the following, however it is related to .Net
http://aspnet.4guysfromrolla.com/articles/090705-1.aspx
http://aspnet.4guysfromrolla.com/articles/083105-1.aspx

http://www.4guysfromrolla.com/webtech/020400-2.shtml

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
==============================================
If you feel your current issue is a results of installing
a Service Pack or security update, please contact
Microsoft Product Support Services:
http://support.microsoft.com
If the problem can be shown to have been caused by a
security update, then there is usually no charge for the call.
==============================================
 
With Access
Best way is don't use URL parameters
Second best is only use numeric URL parameters (preferably only 1)
- and then server side validate the parameter is numeric and in the numeric range expected

--

_____________________________________________
SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
"Warning - Using the F1 Key will not break anything!" (-;
To find the best Newsgroup for FrontPage support see:
http://www.net-sites.com/sitebuilder/newsgroups.asp
_____________________________________________

| Hi
| Anyone know of any tutorials on solving URL parameter sql injection
| Thanks
| Paul M
|
|
 
Thanks
I am using the tutorial at
http://www.spiderwebwoman.com/tutorials/picklist.htm
to generate a project details page. Although I can change the number in the
URL and receive another recordset, this is not a problem; when I input
anything other than a number I get a database error. Is it possible to check if
this system is protected against update and delete SQL injections?
Thanks
Paul M
 
That tutorial uses a numeric URL parameter (?ID=NN)
- and for what it does (a picklist of non critical info, and not of any credentials), if you validate it as number (on the page
receiving it) you can essentially block everything else from being passed as a URL parameter

<%
Dim rawID
rawID = Request.QueryString("ID")   ' Request (not Response) carries the query string
If Not IsNumeric(rawID) Then
' BAD
' response redirect someplace else as ID is not a valid number
Response.Redirect "error.asp"   ' placeholder page name; point it at your own error page
Else
' GOOD
' could also check the valid range of ID w/ an IF < or > here if required
' process the value passed and then the page if it matches the DB record
End If
%>


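The point of the thread above, as an added example that is not code from the thread or from the picklist tutorial: the first function pastes the raw `?ID=` value into the SQL text the way the generated details page does, so a visitor can rewrite the WHERE clause (`0 OR 1=1` returns every row, a non-number produces the database error Paul saw); the second and third apply the fix Stefan suggests, a strict server-side numeric and range check followed by handing the value to the driver as a bound parameter. SQLite stands in for the Access database, the `projects` table and its rows are constructed sample data, and `MAX_ID` is an assumed bound.

```python
"""Added example (not from the thread or the picklist tutorial): the
?ID= injection the thread describes and the fix it recommends.  SQLite
stands in for the Access database; the projects table and its rows are
constructed sample data, and MAX_ID is an assumed bound."""
import re
import sqlite3
from typing import Optional

MAX_ID = 1_000_000  # assumption: adjust to the real range of the ID column


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the tutorial's project table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE projects (ID INTEGER PRIMARY KEY, Title TEXT)")
    con.executemany(
        "INSERT INTO projects VALUES (?, ?)",
        [(1, "Shop refit"), (2, "Warehouse"), (3, "Board paper")],
    )
    return con


def details_vulnerable(con: sqlite3.Connection, raw_id: str) -> list:
    """The generated page's pattern: the raw query-string value is pasted into
    the SQL text, so the visitor edits the WHERE clause, not just the number."""
    sql = "SELECT ID, Title FROM projects WHERE ID = " + raw_id
    return con.execute(sql).fetchall()


def validate_id(raw_id: Optional[str]) -> Optional[int]:
    """The server-side check from the thread, made strict.  IsNumeric-style
    tests accept signs, spaces, exponents and hex; this accepts only plain
    decimal digits, then enforces the expected range.  None means reject."""
    if raw_id is None or not re.fullmatch(r"[0-9]{1,7}", raw_id):
        return None
    value = int(raw_id)
    if not 1 <= value <= MAX_ID:
        return None
    return value


def details_safe(con: sqlite3.Connection, raw_id: Optional[str]) -> list:
    """Validate first, then bind the integer as a parameter so the driver never
    reads it as SQL, even if the validation is loosened later."""
    id_value = validate_id(raw_id)
    if id_value is None:
        return []  # the ASP page would Response.Redirect to an error page here
    return con.execute(
        "SELECT ID, Title FROM projects WHERE ID = ?", (id_value,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    for raw in ["2", "0 OR 1=1", "abc"]:
        try:
            vuln = details_vulnerable(con, raw)
        except sqlite3.Error as exc:  # the "database error" Paul saw
            vuln = f"database error: {exc}"
        print(f"ID={raw!r:12} vulnerable -> {vuln}")
        print(f"{'':15} validated  -> {details_safe(con, raw)}")
```

Running the file prints the three outcomes side by side. The same two steps carry over to the ASP page: reject anything that is not a plain positive integer in range before the DBRW code runs, and pass the value to the query as an ADO Command parameter rather than concatenating it into the SQL string, so the parameter can only ever be a value and never part of the statement.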
 
Thanks Stefan
Not trying to be a nuisance because you have been great and I am truly
appreciative, but do you know where I can find some code that can do this. I
presume it would go at the top of the page?
Best wishes
Paul M
 
I gave you the code snippet you need in my response
- you need to fill in the commented parts in the IF statement
The part below goes at top of page
<%
Dim rawID
rawID = Request.QueryString("ID")   ' Request (not Response) carries the query string
If Not IsNumeric(rawID) Then
' this will return TRUE if the value of ID is Not numeric
' response redirect someplace else as ID is not a valid number
' you need to add the redirect code here
Response.Redirect "error.asp"   ' placeholder page name; point it at your own error page
Else
' your DBRW or DIW code is probably here
End If   ' if the DBRW code is spread through the page, close the If after that block instead
%>

 
Thanks Stefan
Best wishes
Paul M

Stefan B Rusynko said:
I gave you the code snippet you need in my response
- you need to fill in the commented parts in the IF statement
 