[devtalk] SQL injection attack help

Robert Hoenig rhoenig at hoenigcomputers.com
Wed Nov 11 20:01:32 GMT 2009


Is there any way to send in a parameter list that might be inserted?

Post your code again. 

-----Original Message-----
From: devtalk-bounces at lists.preshweb.co.uk
[mailto:devtalk-bounces at lists.preshweb.co.uk] On Behalf Of Portman
Sent: Wednesday, November 11, 2009 1:57 PM
To: New home for the wdvltalk community
Subject: [devtalk] SQL injection attack help

Hi all,

I have been working on an ASP site for someone and their site has repeatedly
been attacked. I added some code (I am a total newbie to
ASP/SQL) that I assumed would stop anyone from inputting malicious code. 
It appeared to work for a while, but I just heard from the owner to say that
the email address list has been attacked again. (The site is for people to
sign up for a newsletter-type thing.) I am obviously not understanding how
the SQL injection attack works because my code was fine in my testing. Can
anyone tell me how a SQL injection attack takes place? I am pretty sure it
is not someone sitting at a keyboard typing!! 
I put my code right before the data is written to the database - if it
contains any characters that signal someone trying to insert a script
element (which has been the case), it kicks them out. I can't use the submit
button to trigger a test, or can I?

TIA,
Riva
_______________________________________________
devtalk mailing list
devtalk at lists.preshweb.co.uk
http://lists.preshweb.co.uk/mailman/listinfo/devtalk
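
An added illustration, not code from this thread: it contrasts a filter that rejects script-like characters before the database write, as the original message describes, with a bound-parameter insert. Python's sqlite3 stands in for the ASP/SQL stack; the table name, the filter, and the sample values are all constructed assumptions.

```python
import re
import sqlite3

# Constructed sample input: contains no script characters, but carries SQL syntax.
CRAFTED = "a@example.com'), ('planted@example.com"

def denylist_ok(value):
    """Stand-in for the filter described in the post: reject script-like input."""
    return not re.search(r"[<>]|script", value, re.IGNORECASE)

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (email TEXT)")
    return db

def signup_concatenated(db, email):
    """'Before' form: the input is pasted into the statement text."""
    if not denylist_ok(email):
        raise ValueError("rejected by denylist")
    db.execute("INSERT INTO subscribers (email) VALUES ('" + email + "')")

# Allowlist: describe what an address may look like instead of what it may not.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def signup_parameterized(db, email):
    """Hardened form: allowlist validation, then a bound parameter."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("not an e-mail address")
    db.execute("INSERT INTO subscribers (email) VALUES (?)", (email,))

def rows(db):
    return [r[0] for r in db.execute("SELECT email FROM subscribers ORDER BY rowid")]

def demo():
    weak = new_db()
    signup_concatenated(weak, CRAFTED)  # denylist passes it; the statement is altered
    strong = new_db()
    try:
        signup_parameterized(strong, CRAFTED)
        rejected = False
    except ValueError:
        rejected = True
    signup_parameterized(strong, "o'neil@example.com")  # apostrophe stored as data
    return rows(weak), rejected, rows(strong)

if __name__ == "__main__":
    print(demo())
```

In classic ASP the same separation of statement and data comes from an ADODB.Command with parameters rather than a concatenated SQL string.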


