Inspiring
January 10, 2007
Question

SQL Injection, replace single quote with two single quotes?

  • January 10, 2007
  • 5 replies
  • 1445 views
Is replacing a single quote with two single quotes adequate for eliminating
SQL injection attacks? This article (
http://www.devguru.com/features/kb/kb100206.asp ) offers that advice, and it
enabled me to allow users to search name fields in the database that contain
single quotes.

I was advised to use "Parameterized SQL" in an earlier post, but I can't
understand the concept behind that method, and whether it applies to
queries, writes, or both.



5 replies

Inspiring
January 11, 2007
Thanks Lionstone,

To anyone, where is a good place to learn SP and how to integrate it
with Dreamweaver?
Inspiring
January 11, 2007
Then you can use both stored procedures and prepared statements.
Both provide better protection than simply replacing apostrophes.

Prepared statements are simple:

Set myCommand = Server.CreateObject("ADODB.Command")
...snip...
myCommand.CommandText = "INSERT INTO Users([Name], [Email]) VALUES (?, ?)"
...snip...
' CreateParameter(name, type, direction, size, value): 200 = adVarChar, 1 = adParamInput
myCommand.Parameters.Append myCommand.CreateParameter("@Name", 200, 1, 50, Name)
myCommand.Parameters.Append myCommand.CreateParameter("@Email", 200, 1, 50, Email)
' The ,,128 (adExecuteNoRecords) sets execution flags that tell ADO not to
' look for rows to be returned. This saves the expense of creating a
' recordset object you don't need.
myCommand.Execute ,,128

Stored procedures are executed in a similar manner. DW can help you with a
stored procedure through the "Command (Stored Procedure)" server behavior.
You can see a full example of a prepared statement by looking at DW's
recordset code after you've created a recordset using version 8.02.



"Mike Z" <mikeyz@rocktmail.com> wrote in message
news:eo5idq$3qr$1@forums.macromedia.com...
>I should have repeated this, I am using VBScript in ASP, with an Access DB.
>

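The prepared-statement pattern above, carried through for both a read and a write, as an added example that is not from this thread or from Dreamweaver's generated code. It uses Python's sqlite3 module in place of ASP/ADODB and an in-memory table instead of an Access database, but the shape is the same: the SQL text holds a `?` for each value and the values are passed separately in order, so an apostrophe in a name is stored and searched as data rather than parsed as SQL syntax. The quote-doubling helper is included only to show what the devguru article's advice does for a quoted string literal; the table, names and e-mail addresses are constructed for the example.

```python
import sqlite3

# Constructed sample rows (not from the original thread); some names contain apostrophes.
SAMPLE_USERS = [
    ("Mike Z", "mike@example.invalid"),
    ("Sinead O'Brien", "sinead@example.invalid"),
    ("D'Angelo", "dangelo@example.invalid"),
]


def make_db():
    """Create an in-memory Users table and seed it with a parameterized INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT NOT NULL, Email TEXT NOT NULL)")
    # Write path: each value is bound to a '?' placeholder, never spliced into the SQL text.
    conn.executemany("INSERT INTO Users (Name, Email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_names_param(conn, fragment):
    """Read path: parameterized LIKE search.

    The apostrophe in `fragment` is bound as data. Note that '%' and '_' inside
    `fragment` would still act as LIKE wildcards: binding protects the SQL
    syntax, not the semantics of the operator you hand the value to.
    """
    pattern = "%" + fragment + "%"
    rows = conn.execute(
        "SELECT Name FROM Users WHERE Name LIKE ? ORDER BY Name", (pattern,)
    )
    return [r[0] for r in rows]


def search_names_doubled(conn, fragment):
    """The devguru advice: double each single quote, then concatenate into a quoted literal.

    This only addresses values that land inside a quoted string literal; it does
    nothing for values placed anywhere else in the statement.
    """
    escaped = fragment.replace("'", "''")
    sql = "SELECT Name FROM Users WHERE Name LIKE '%" + escaped + "%' ORDER BY Name"
    return [r[0] for r in conn.execute(sql)]


def add_user(conn, name, email):
    """Write path: parameterized INSERT; returns the number of rows inserted."""
    cur = conn.execute("INSERT INTO Users (Name, Email) VALUES (?, ?)", (name, email))
    conn.commit()
    return cur.rowcount


def stored_name(conn, email):
    """Look a user up by e-mail address; returns the stored Name or None."""
    row = conn.execute("SELECT Name FROM Users WHERE Email = ?", (email,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(search_names_param(db, "O'"))          # ['Sinead O\'Brien']
    print(search_names_doubled(db, "'"))         # ["D'Angelo", "Sinead O'Brien"]
    add_user(db, "O'Reilly; Jr.", "oreilly@example.invalid")
    print(stored_name(db, "oreilly@example.invalid"))  # O'Reilly; Jr.
```

So the answer to "queries, writes, or both" is both: any statement that takes a user-supplied value, SELECT or INSERT, gets a placeholder for it. The ADODB code in the post does the same thing with `?` in `CommandText` and one `CreateParameter` per placeholder, appended in the order the placeholders appear.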

Inspiring
January 11, 2007
I should have repeated this, I am using VBScript in ASP, with an Access DB.


Inspiring
January 10, 2007
.oO(darrel)

>> I was advised to use "Parameterized SQL" in an earlier post, but I can't
>> understand the concept behind that method, and whether it applies to
>> queries, writes, or both.
>
>It's a term that, I think, is mainly used with ASP.net development. So if
>you are using PHP or the like, maybe it's a different term.

It's usually called a "prepared statement". If the scripting language you
use offers that feature, you should definitely make use of it.

Micha
Inspiring
January 10, 2007
> I was advised to use "Parameterized SQL" in an earlier post, but I can't
> understand the concept behind that method, and whether it applies to
> queries, writes, or both.

It's a term that, I think, is mainly used with ASP.net development. So if
you are using PHP or the like, maybe it's a different term.

The other common way to prevent them is to do your queries through stored
procedures.

-Darrel