Newsgroup: microsoft.public.sqlserver.server, November 2002
Subject: Removing "invalid" characters in web forms

Sonik

2002-11-26, 7:23 pm

Hi,

I'm new to newsgroups and newer to SQL. I hope that I can get a little
advice or suggestions to solve my problem. I have searched the news
groups and can't seem to find any previously discussed information
specific to SQL. If there is info out there I'd be most happy if
someone pointed me in the right direction.

The problem I am faced with is this: to minimise the chance of a SQL
Injection attack, there is a requirement to strip all invalid
characters from all fields on all forms when submitted to our Web
Servers. The only characters allowed are:

0 -> 9
a -> z
A -> Z
comma ,
full stop .
under score _
For an email address field, we allow the above characters plus an @

When a customer inputs their address, say they live at Unit 10 of 27
Sql Street, they would input this as 10/27 Sql St, which after the
characters are stripped off becomes 1027 Sql St, which is much further
up the street. And then finally, when printing address labels, the
address should be printed out as 10/27 Sql St. Is there anyone who has
had previous experience with the same scenario?

I look forward to any replies

thanx

Sonik

Tibor Karaszi

2002-11-28, 6:23 am

I noticed that you didn't get replies, so I just wanted to post that this looks like a strange
way to avoid injection to me (but I admit that I haven't done any work myself in this area). If
you're talking about injection to SQL Server, you generally do that using stored procedures (and
parameters to the stored procedures) and avoiding dynamic SQL in the stored procedures. I'm
fairly certain that MS has a KB article on injections.

--
Tibor Karaszi, SQL Server MVP
Archive at: http://groups.google.com/groups?oi=...ublic.sqlserver


"Sonik" <sonikprofessa@hotmail.com> wrote in message
news:f9f6b6e0.0211261626.1b7f0f58@posting.google.com...
> Hi,
>
> I'm new to newsgroups and newer to SQL. I hope that I can get a little
> advice or suggestions to solve my problem. I have searched the news
> groups and can't seem to find any previously discussed information
> specific to SQL. If there is info out there I'd be most happy if
> someone pointed me in the right direction.
>
> The problem I am faced with is this: to minimise the chance of a SQL
> Injection attack, there is a requirement to strip all invalid
> characters from all fields on all forms when submitted to our Web
> Servers. The only characters allowed are:
>
> 0 -> 9
> a -> z
> A -> Z
> comma ,
> full stop .
> under score _
> For an email address field, we allow the above characters plus an @
>
> When a customer inputs their address, say they live at Unit 10 of 27
> Sql Street, they would input this as 10/27 Sql St, which after the
> characters are stripped off becomes 1027 Sql St, which is much further
> up the street. And then finally, when printing address labels, the
> address should be printed out as 10/27 Sql St. Is there anyone who has
> had previous experience with the same scenario?
>
> I look forward to any replies
>
> thanx
>
> Sonik
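The two approaches in this thread side by side, as an added example that is not part of the original posts: Sonik's allow-list stripping (which turns "10/27 Sql St" into "1027 Sql St", exactly the data loss described) and Tibor's suggestion of passing values as parameters, under which the slash and any apostrophe in the data are stored as-is because the database never parses them as SQL. Assumptions: an in-memory SQLite database stands in for SQL Server so the script runs offline (the parameter mechanism is the same idea as parameters to a stored procedure), a space is added to the allow-list because the post's own example keeps the spaces, and the `customers` table, function names and sample values are constructed for this illustration.

```python
import re
import sqlite3

# Allow-list from the post: 0-9, a-z, A-Z, comma, full stop, underscore.
# A space is added here (assumption) because the post's own example keeps
# the spaces in "10/27 Sql St"; the list as literally written would drop them too.
_NOT_ALLOWED = re.compile(r"[^0-9A-Za-z,._ ]")
_NOT_ALLOWED_EMAIL = re.compile(r"[^0-9A-Za-z,._@ ]")


def strip_invalid(value: str, is_email: bool = False) -> str:
    """The stripping approach from the post: drop every character outside the list."""
    pattern = _NOT_ALLOWED_EMAIL if is_email else _NOT_ALLOWED
    return pattern.sub("", value)


def open_db() -> sqlite3.Connection:
    """In-memory SQLite stands in for SQL Server so the example runs offline (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, address TEXT)"
    )
    return conn


def save_customer_concatenated(conn: sqlite3.Connection, name: str, address: str) -> bool:
    """The pattern the allow-list was meant to paper over: user text pasted into the SQL.
    Returns True if the statement parsed and ran, False if ordinary data broke it."""
    sql = f"INSERT INTO customers (name, address) VALUES ('{name}', '{address}')"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.OperationalError:
        # An apostrophe in a name such as O'Brien ends the string literal early,
        # so the statement is malformed: the data has become part of the SQL.
        conn.rollback()
        return False


def save_customer(conn: sqlite3.Connection, name: str, address: str) -> int:
    """Tibor's approach: bound parameters. The SQL text is fixed; the values travel
    separately, so a quote or slash in the data is stored, never parsed as SQL."""
    cur = conn.execute(
        "INSERT INTO customers (name, address) VALUES (?, ?)", (name, address)
    )
    conn.commit()
    return cur.lastrowid


def load_address(conn: sqlite3.Connection, customer_id: int) -> str:
    """Read the address back for the label, again with a bound parameter."""
    row = conn.execute(
        "SELECT address FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()
    return row[0]


def round_trip(name: str, address: str) -> str:
    """Store with parameters and read back; what comes out is what the label prints."""
    conn = open_db()
    cid = save_customer(conn, name, address)
    return load_address(conn, cid)


if __name__ == "__main__":
    print(strip_invalid("10/27 Sql St"))       # 1027 Sql St: the unit number is lost
    print(round_trip("Sonik", "10/27 Sql St"))  # 10/27 Sql St: stored and printed intact
    db = open_db()
    # False: concatenation fails on a perfectly valid name with an apostrophe
    print(save_customer_concatenated(db, "O'Brien", "10/27 Sql St"))
    # The same name is no problem at all once it travels as a parameter
    print(round_trip("O'Brien", "10/27 Sql St"))
```

The point for the label-printing requirement is the last line: with parameters there is nothing to strip and nothing to restore, because the address is never mixed into SQL text in the first place, so "10/27 Sql St" goes in and comes out unchanged.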


