How do you take the text that's in a texbox and format it so that you can't perform a SQL injection attack? As it is now if you input a search string like "x' or '1=1" in a textbox on my page, serious problems could occur. How do I prevent this?

The easiest and safest way would be to handle the values using a backend processor such as PHP to escape the string, e.g.
PHP Code:
$safe = mysql_real_escape_string($_POST['field']); // escapes quotes and other special characters for the current MySQL connection
Off Topic:
Needs to be moved to the PHP forum as it would be more suitable there
Or you could use the filter_input stuff that's been built into PHP.
Also, if certain characters would not normally be valid (like =, <, ", ' etc.) then reject the string as part of your server side validation if it contains any of those characters. In other words, set up a white list of valid chars for a string and check that the string contains only those characters.
I don't have php but I do have ASP. If this were a classic ASP file, how would I implement a similar solution?


Moved to Classic ASP forum!
Eep, I don't really know much ASP (it's been +/- 12 years since I last wrote some classic ASP), but a quick Google found this: http://blogs.iis.net/nazim/archive/2...assic-asp.aspx

http://www.sitepoint.com/forums/show...nctions-in-ASP
Worth a look.

The simplest method would be to go to a parameterized query method. This handles a large portion of your SQL injection problems through the DBMS ADO interface.
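To make the three suggestions in this thread concrete (escaping, the character whitelist, and parameterized queries), here is an added example that is not code from any of the posters. It uses Python with the standard-library sqlite3 module purely so it runs anywhere offline; the products table and its rows are constructed for the demo. It runs the exact search string from the question against a concatenated query and against a bound parameter, and applies the whitelist check from the validation suggestion.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for the site's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("widget",), ("gadget",), ("sprocket",)],
    )
    return conn


def search_concatenated(conn, term):
    """Vulnerable form: the textbox value is pasted straight into the SQL text.
    With the question's input the WHERE clause becomes  name = 'x' or '1=1'
    and every row matches."""
    sql = "SELECT name FROM products WHERE name = '" + term + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Safe form: the value travels to the engine as a bound parameter, so quote
    characters in it are data, never SQL syntax."""
    sql = "SELECT name FROM products WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]


# Whitelist from the validation suggestion: only letters, digits and spaces,
# 1 to 50 characters. Anything else (quotes, =, <, ...) is rejected outright.
SEARCH_TERM = re.compile(r"[A-Za-z0-9 ]{1,50}")


def is_valid_search_term(term):
    return SEARCH_TERM.fullmatch(term) is not None


def search_validated(conn, term):
    """Defence in depth: validate first, then still bind the value."""
    if not is_valid_search_term(term):
        raise ValueError("search term contains characters outside the whitelist")
    return search_parameterized(conn, term)


if __name__ == "__main__":
    db = make_db()
    payload = "x' or '1=1"  # the string from the question
    print("concatenated:", search_concatenated(db, payload))   # all three rows
    print("parameterized:", search_parameterized(db, payload))  # no rows
    print("whitelist accepts payload?", is_valid_search_term(payload))  # False
    print("validated search:", search_validated(db, "widget"))  # ['widget']
```

The same contrast holds in the languages discussed in this thread: in PHP the parameterized form is a PDO or mysqli prepared statement, and in classic ASP it is an ADODB.Command whose CommandText uses ? placeholders and whose Parameters collection is filled with CreateParameter, which is what the ADO answer above refers to. Escaping alone (the first reply) only repairs the string for one database's quoting rules; binding the value removes the problem rather than patching it.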