  1. #1 SitePoint Enthusiast
    How do I prevent input search string security vulnerabilities in my textboxes?

    How do you take the text that's in a textbox and format it so that you can't perform a SQL injection attack? As it is now, if you input a search string like "x' or '1=1" in a textbox on my page, serious problems could occur. How do I prevent this?

  2. #2 chris.upjohn
    The easiest and safest way would be to handle the values using a backend processor such as PHP to escape the string, e.g.

    PHP Code:
    // escape the raw value before it is concatenated into the query; needs an open mysql_connect() link
    $safe = mysql_real_escape_string($_POST['field']);

    Off Topic:

    Needs to be moved to the PHP forum as it would be more suitable there

  3. #3 Immerse
    Or you could use the filter_input stuff that's been built into PHP.

  4. #4 Max Height
    Also, if certain characters would not normally be valid (like =, <, ", ' etc.) then reject the string as part of your server-side validation if it contains any of those characters. In other words, set up a whitelist of valid chars for a string and check that the string contains only those characters.
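Added example (not Max Height's code, nor from the thread): the whitelist check described above, written for the OP's Classic ASP page as a VBScript function using the built-in RegExp object. The allowed character set, the 50-character cap and the form field name `search` are assumptions for illustration; widen the set only for characters your search genuinely needs.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' Added example, not the thread's own code. Server-side whitelist validation:
' the whole string must consist only of characters we have chosen to allow.
' The character class and the 1-50 length cap are assumptions for this demo.
Function IsValidSearch(strValue)
    Dim re
    Set re = New RegExp
    ' Anchored at both ends, so nothing outside the class can slip in anywhere.
    ' Allowed: letters, digits, space, period, hyphen.
    re.Pattern = "^[A-Za-z0-9 .\-]{1,50}$"
    re.IgnoreCase = False
    re.Global = False
    IsValidSearch = re.Test(strValue)
    Set re = Nothing
End Function

Dim strSearch
' Hypothetical form field name for this illustration
strSearch = CStr(Request.Form("search"))

' Reject rather than "clean": the OP's test input  x' or '1=1  contains both a
' quote and an equals sign, so it fails the check and never reaches the query.
If Not IsValidSearch(strSearch) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid search term."
    Response.End
End If

' strSearch now holds only whitelisted characters. That is input validation,
' not a substitute for a parameterized query further down the page.
%>
```

Validation like this is a defence in depth: it cuts the attack surface and rejects obviously hostile input early, but it is only as good as the whitelist, and a legitimate search for an apostrophe ("O'Brien") will be refused. Keep the regex anchored with ^ and $ so partial matches cannot pass.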

  5. #5 SitePoint Enthusiast
    I don't have php but I do have ASP. If this were a classic ASP file, how would I implement a similar solution?

  6. #6
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,807
    Mentioned
    158 Post(s)
    Tagged
    3 Thread(s)
    Moved to Classic ASP forum
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  7. #7 Immerse
    Eep, I don't really know much ASP (it's been +/- 12 years since I last wrote some classic ASP), but a quick Google found this: http://blogs.iis.net/nazim/archive/2...assic-asp.aspx

  8. #8 siteguru
    Ian Anderson
    www.siteguru.co.uk

  9. #9 DaveMaxwell
    The simplest method would be to go to a parameterized query method. This handles a large portion of your SQL injection problems through the DBMS ADO interface.
    Dave Maxwell - Manage Your Site Team Leader
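Added example (not Dave Maxwell's code, nor from the thread): the ADO parameterized query he describes, written for Classic ASP/VBScript. ADODB.Connection, ADODB.Command and Command.CreateParameter are the real ADO objects; the connection string, the Products table, its columns and the `search` form field are assumptions for illustration. The commented-out concatenated statement is the unsafe form that the OP's "x' or '1=1" input breaks out of; the parameterized version below it is the fix.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' Added example, not the thread's own code. Parameterized search via ADO.
' Assumed for this demo: a SQL Server database "Shop" with a table
' Products(Name, Price) and a form field named "search".
Dim strConn, strSearch, cn, cmd, rs
strConn = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=Shop;Integrated Security=SSPI;"

' Raw user input, e.g. the OP's test string  x' or '1=1
strSearch = CStr(Request.Form("search"))

' UNSAFE (what the question describes). The quote in the input closes the
' string literal and the rest of the input becomes part of the WHERE clause:
'   strSql = "SELECT Name, Price FROM Products WHERE Name = '" & strSearch & "'"
' Never build SQL this way.

Set cn = Server.CreateObject("ADODB.Connection")
cn.Open strConn

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = 1   ' adCmdText: CommandText is a SQL statement
' The ? is a placeholder; the SQL text never contains the user's value.
cmd.CommandText = "SELECT Name, Price FROM Products WHERE Name LIKE ?"

' Bind the value as a typed input parameter. The provider ships it to the
' server separately from the statement, so quotes in it are just data.
' 200 = adVarChar, 1 = adParamInput, 255 = declared size (must be >= Len(value))
cmd.Parameters.Append cmd.CreateParameter("@search", 200, 1, 255, "%" & strSearch & "%")

Set rs = cmd.Execute

' Encode on the way out as well: SQL parameters do nothing for the HTML side.
Do Until rs.EOF
    Response.Write Server.HTMLEncode(CStr(rs("Name").Value)) & " - " & CStr(rs("Price").Value) & "<br>"
    rs.MoveNext
Loop

rs.Close
Set rs = Nothing
Set cmd = Nothing
cn.Close
Set cn = Nothing
%>
```

With the value bound as a parameter, an input of x' or '1=1 is searched for as that literal text and matches nothing unusual. Two caveats a practitioner should keep in mind: inside a LIKE pattern the % and _ characters in the user's input still act as wildcards (use an = comparison, or escape them, if that matters), and the declared parameter size must be at least the length of the value or ADO raises an error, so cap the input length before binding. Escaping functions in the style of the PHP answer above are a weaker substitute for this; parameterization is the approach to reach for first.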
