[devtalk] SQL injection attack help
Portman
mrport at roadrunner.com
Wed Nov 11 19:57:11 GMT 2009
Hi all,
I have been working on an ASP site for someone and their site has
repeatedly been attacked. I added some code (I am a total newbie to
ASP/SQL) that I assumed would stop anyone from inputting malicious code.
It appeared to work for a while, but I just heard from the owner to say
that the email address list has been attacked again. (The site is for
people to sign up for a newsletter-type thing.) I am obviously not
understanding how the SQL injection attack works because my code was
fine in my testing. Can anyone tell me how a SQL injection attack takes
place? I am pretty sure it is not someone sitting at a keyboard typing!!
I put my code right before the data is written to the database - if it
contains any characters that signal someone trying to insert a script
element (which has been the case), it kicks them out. I can't use the
submit button to trigger a test, or can I?
TIA,
Riva
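
Why a check for script-element characters, like the one described in the post above, does not stop SQL injection, shown next to the same insert done with a bound parameter. This is an added example, not part of the original post: Python and SQLite stand in for the site's ASP/SQL stack, and the table name, filter tokens and sample input are constructed assumptions.

```python
import sqlite3

# Hypothetical stand-in for the filter described in the post: reject input
# containing characters that suggest a script element.
BLOCKED = ("<", ">", "script")

def passes_script_filter(value: str) -> bool:
    lowered = value.lower()
    return not any(token in lowered for token in BLOCKED)

def new_db() -> sqlite3.Connection:
    # In-memory database with an assumed one-column signup table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT)")
    return conn

def signup_concatenated(conn, email):
    """Filter, then build the SQL by string concatenation (the weak pattern)."""
    if not passes_script_filter(email):
        return False
    conn.execute("INSERT INTO subscribers (email) VALUES ('" + email + "')")
    return True

def signup_parameterized(conn, email):
    """Same filter, but the value is bound as a parameter and never parsed as SQL."""
    if not passes_script_filter(email):
        return False
    conn.execute("INSERT INTO subscribers (email) VALUES (?)", (email,))
    return True

def stored_emails(conn):
    return [row[0] for row in conn.execute("SELECT email FROM subscribers ORDER BY rowid")]

# Constructed input: no script characters, only a quote that closes the string literal.
CRAFTED = "a@example.test'), ('extra@example.test"

def demo():
    weak, safe = new_db(), new_db()
    signup_concatenated(weak, CRAFTED)
    signup_parameterized(safe, CRAFTED)
    return stored_emails(weak), stored_emails(safe)

if __name__ == "__main__":
    weak_rows, safe_rows = demo()
    print("concatenated :", weak_rows)   # two rows: the input rewrote the statement
    print("parameterized:", safe_rows)   # one row: the input stayed data
```

The filter passes the crafted value in both cases; only the bound parameter keeps it from changing the statement, which is why the fix belongs in how the query is built rather than in a character blacklist.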