Posted by JT on 01/18/06 18:48

One basic method to prevent SQL Injection is to restrict input to conform to
it's expected format. For example, if UserID is an integer, then it should
not contain alpha characters or symbols. You should also constrain the
passwords (or any user text input) to not include comparison (=, <, >, etc.)
or single / double quote characters.

How To: Use Regular Expressions to Constrain Input in ASP.NET
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000001.asp

I havn't used this personally, but it is possible to make regular expression
calls in T-SQL via the VBScript object, however, the LIKE comparison
operator or patindex() function would be preferred.
http://blogs.msdn.com/khen1234/archive/2005/05/11/416392.aspx

Also, in your programming, instead of this:

if not rs.eof() ...

do this:

if rs.rowcount = 1 and rs[Password] = sPassword ...


<gene.ellis@gmail.com> wrote in message
news:1137540834.595198.106210@o13g2000cwo.googlegroups.com...
> Hello everyone,
>
> Put simply we have recently been the victims of a malicious hacker
> because we were not aware of the dangers of SQL injection. Now, I am
> adding addition validation to my forms and also GET variables (we are
> using PHP). Does anyone have any good techniques for the kind of
> validation I should be using to avoid SQL injection? I basically want
> to create a PHP function, fun any form variables through the function,
> and then stop the script from executing if any bad input in found.
> Thanks for all of your help. I don't want us to lose all of our data
> again!
>
> GE
>

[Back to original message]