things handled by replacing all single quotes with two single quotes,
aka
Replace(inputString, "'", "''")
Alas, clever hackers have still managed to find a way to drop columns
from some of my tables. Can anybody direct me towards a best practice
document on preventing these attacks?
Thank you thank you,
KevinKevin Audleman wrote:
> My site has come under attack from sql injections. I thought I had
> things handled by replacing all single quotes with two single quotes,
> aka
> Replace(inputString, "'", "''")
> Alas, clever hackers have still managed to find a way to drop columns
> from some of my tables. Can anybody direct me towards a best practice
> document on preventing these attacks?
> Thank you thank you,
> Kevin|||http://www.wwwcoder.com/main/parent...68/default.aspx
http://www.vbmysql.com/articles/sqlinjection.html
http://msdn.microsoft.com/msdnmag/i...9/SQLInjection/
http://shiflett.org/articles/security-corner-apr2004
http://www.microsoft.com/technet/pr...n/sp3sec03.mspx|||Thank you Jennifer =)|||Kevin Audleman (audleman@.quasika.net) writes:
> My site has come under attack from sql injections. I thought I had
> things handled by replacing all single quotes with two single quotes,
> aka
> Replace(inputString, "'", "''")
> Alas, clever hackers have still managed to find a way to drop columns
> from some of my tables. Can anybody direct me towards a best practice
> document on preventing these attacks?
Learn about using parameterised commands in whichever API you are using.
--
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pr...oads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodin...ions/books.mspx
No comments:
Post a Comment