Posted by JT on 01/18/06 18:53

Also, Microsoft has published several patterns & practices documents related
to securing ASP.NET applications on MSDN:

Improving Web Application Security: Threats and Countermeasures
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
Threat Modeling Web Applications
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/tmwa.asp
Building Secure ASP.NET Applications: Authentication, Authorization, and
Secure Communication
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp


"JT" <someone@microsoft.com> wrote in message
news:uowNw9EHGHA.2036@TK2MSFTNGP14.phx.gbl...
> One basic method to prevent SQL Injection is to restrict input to conform
> to it's expected format. For example, if UserID is an integer, then it
> should not contain alpha characters or symbols. You should also constrain
> the passwords (or any user text input) to not include comparison (=, <, >,
> etc.) or single / double quote characters.
>
> How To: Use Regular Expressions to Constrain Input in ASP.NET
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000001.asp
>
> I havn't used this personally, but it is possible to make regular
> expression calls in T-SQL via the VBScript object, however, the LIKE
> comparison operator or patindex() function would be preferred.
> http://blogs.msdn.com/khen1234/archive/2005/05/11/416392.aspx
>
> Also, in your programming, instead of this:
>
> if not rs.eof() ...
>
> do this:
>
> if rs.rowcount = 1 and rs[Password] = sPassword ...
>
>
> <gene.ellis@gmail.com> wrote in message
> news:1137540834.595198.106210@o13g2000cwo.googlegroups.com...
>> Hello everyone,
>>
>> Put simply we have recently been the victims of a malicious hacker
>> because we were not aware of the dangers of SQL injection. Now, I am
>> adding addition validation to my forms and also GET variables (we are
>> using PHP). Does anyone have any good techniques for the kind of
>> validation I should be using to avoid SQL injection? I basically want
>> to create a PHP function, fun any form variables through the function,
>> and then stop the script from executing if any bad input in found.
>> Thanks for all of your help. I don't want us to lose all of our data
>> again!
>>
>> GE
>>
>
>

• Next in forum: Re: Aren't session variable preserved using "Header('Location: xxx')"?
• Prev in forum: Re: Some assistance with MS SQL injection and PHP please
• Thread view: Re: Some assistance with MS SQL injection and PHP please

[Reply to this message]