Click here to Skip to main content
14,930,588 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
hi
i write code below :

VB
set conn=server.createobject("adodb.connection")

mytb = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & server.mappath("tdr.mdb")
conn.Open mytb

Dim  mysql
mysql = "insert into feedback(comments,username,useradd,useremail,usertel,userdt) " &_
              "values('" & mcomments & "','" &_
              musername & "','" &_
              museradd & "','" &_
              museremail & "','" &_
              musertel & "','" &_
              muserdt & "')"
conn.execute(mysql)
conn.close
set conn=nothing


now tell me where i write some code to prevent sqlinjection attack.
Thanks and regards
Umesh Daiya
Posted
Updated 26-Apr-13 22:49pm
v2

1 solution

You are concatenating values into your SQL command, instead of using parameterised commands. See http://bobby-tables.com/[^]
   
Comments
UD(IA) 27-Apr-13 6:04am
   
Thanks For REply
just i serarch on google than i found code like this
BlackList = Array("--", ";", "/*", "*/", "@@", "@",_
"char", "nchar", "varchar", "nvarchar",_
"alter", "begin", "cast", "create", "cursor",_
"declare", "delete", "drop", "end", "exec",_
"execute", "fetch", "insert", "kill", "open",_
"select", "sys", "sysobjects", "syscolumns",_
"table", "update")
what you say about this and one of my friend also send me code where he mention > < and special symobls restrict
will you help me to write code because i never before work in asp classic.
Thanks
and Regards
Umesh Daiya
Richard MacCutchan 27-Apr-13 6:20am
   
You don't need any special code, just follow the simple rules:
0. Don't listen to your friends; use the official documentation.
1. Make sure you validate all your parameters.
2. Don't use string concatenation.
3. Use proper parameterized queries.

For more information on writing ASP.NET see the ASP.NET tutorials. for more information on writing SQL queries see Introduction to SQL.
UD(IA) 27-Apr-13 6:54am
   
Sirji is this right way?
<%
' Declaring variables
Dim name, email, country, comments, data_source, con, sql_insert

' A Function to check if some field entered by user is empty
Function ChkString(string)
If string = "" Then string = " "
ChkString = Replace(string, "'", "''")
End Function

' Receiving values from Form
name = ChkString(Request.Form("name"))
email = ChkString(Request.Form("email"))
country = ChkString(Request.Form("country"))
comments = ChkString(Request.Form("comments"))
data_source = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & _
Server.MapPath("form.mdb")
sql_insert = "insert into users (name, email, country, comments) values ('" & _
name & "', '" & email & "', '" & country & "', '" & comments & "')"

' Creating Connection Object and opening the database
Set con = Server.CreateObject("ADODB.Connection")
con.Open data_source
con.Execute sql_insert

' Done. Close the connection
con.Close
Set con = Nothing
%>
Richard MacCutchan 27-Apr-13 6:56am
   
No! How many times do I need to say: "do not use string concatenation for SQL commands"?
UD(IA) 27-Apr-13 6:34am
   
Thanks
just one question

<%

set conn=server.createobject("adodb.connection")

mytb = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & server.mappath("tdr.mdb")
conn.Open mytb

Dim mysql
mysql = "insert into feedback(comments,username,useradd,useremail,usertel,userdt) " &_
"values('" & mcomments & "','" &_
musername & "','" &_
museradd & "','" &_
museremail & "','" &_
musertel & "','" &_
muserdt & "')"
conn.execute(mysql)
conn.close
set conn=nothing %>
will you code for me only for once so i can idea where and how i can write parameterised query
really i have no idea for this till i try my best
thanks again for that
REgards
Umesh Daiya

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900