The 4 Guys Present: ASPFAQs.com

What is the SQL Injection Attack? Am I at risk? How do I fix such a security hole?


Answer: If you are building data-driven Web pages in which a user's input is concatenated directly into a dynamic SQL string, then yes, you may be opening yourself up to a SQL Injection Attack.

SQL Injection is the act of supplying a crafted string through a text box, querystring or any other request value so that SQL chosen by the attacker is executed against your database. For example, if you have an ASP page that accepts an ID as a querystring parameter and uses that ID to build the SQL that generates dynamic content, you may be in trouble. If your code looks like:

  Dim p_lngID, objRS, strSQL
  p_lngID = Request("ID")          ' raw request value, never validated

  ' Vulnerable: the request value is concatenated straight into the SQL text
  strSQL = "SELECT * FROM tblArticles WHERE ID=" & p_lngID

  Set objRS = Server.CreateObject("ADODB.Recordset")
  objRS.Open strSQL, "DSN=..."

  If (Not objRS.EOF) Then Response.Write objRS("ArticleContent")

  objRS.Close
  Set objRS = Nothing

A user may enter a querystring like ID=1; DELETE FROM tblArticles (or some other malicious SQL statement). With the code presented above, the text sent to the database becomes SELECT * FROM tblArticles WHERE ID=1; DELETE FROM tblArticles, and on a database that accepts batched statements (SQL Server does; the Jet engine behind Access does not) the second statement runs and every row in tblArticles is deleted. Even where batches are rejected, an attacker can still change what the WHERE clause matches. To combat this particular problem, you need to ensure that the passed-in ID really is an integer before using it, either by testing it with the IsNumeric function or by converting it to an integer or long (via CInt or CLng) and handling the type-mismatch runtime error a non-numeric value raises. Two caveats: IsNumeric is looser than it looks (it accepts forms such as 1e3, &H10 and 1,000), and Request("ID") searches the Form, Cookies and ServerVariables collections as well as the QueryString, so the value need not come from the URL at all.
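Validating the ID removes this particular hole, but the more general fix is to stop building the SQL text from request values at all and pass the ID as a parameter instead. The following hardened version of the lookup is an added example, not code from the original FAQ: it assumes the same tblArticles table and the same placeholder "DSN=..." connection string as the snippet above, and uses a strict digits-only check plus an ADODB.Command parameter (the constant values are the standard ADO enumerations).

```vbscript
' Added example (not from the original FAQ): hardened article lookup.
' Assumes tblArticles with an integer ID column and the same "DSN=..."
' placeholder connection string used in the snippet above.

Const adCmdText    = 1   ' ADO CommandTypeEnum
Const adInteger    = 3   ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum

' True only for a plain, non-negative decimal integer. IsNumeric would also
' accept "1e3", "&H10", "1,000" or " 5 ", which is too loose for a key.
' Nine digits keeps the value safely inside a 32-bit Long for CLng.
Function IsStrictInteger(strValue)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsStrictInteger = re.Test(strValue)
End Function

Dim strID, lngID, objConn, objCmd, objRS

' Read explicitly from the querystring. Request("ID") would also search the
' Form, Cookies and ServerVariables collections, widening the attack surface.
strID = Request.QueryString("ID")

If Not IsStrictInteger(strID) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid article ID."
    Response.End
End If
lngID = CLng(strID)

Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open "DSN=..."   ' same placeholder connection string as the original snippet

' Parameterized query: the ID travels to the server as typed data, never as
' part of the SQL text, so "1; DELETE FROM tblArticles" cannot become a statement.
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandType = adCmdText
objCmd.CommandText = "SELECT ArticleContent FROM tblArticles WHERE ID = ?"
objCmd.Parameters.Append objCmd.CreateParameter("@ID", adInteger, adParamInput, , lngID)

Set objRS = objCmd.Execute

If Not objRS.EOF Then Response.Write objRS("ArticleContent")

objRS.Close
Set objRS = Nothing
Set objCmd = Nothing
objConn.Close
Set objConn = Nothing
```

The strict check and the parameter are independent defenses: the RegExp rejects anything that is not a small positive integer before the database is touched, and the parameter guarantees that even a value which slipped past validation could only ever be compared against ID, never executed.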

There are also other kinds of SQL Injection Attacks, which are detailed in: Protecting Yourself from SQL Injection Attacks. Read that article to learn more about SQL Injection and what you can do to protect yourself.

FAQ posted by Scott Mitchell at 6/18/2002 5:42:57 PM to the Security category. This FAQ has been viewed 51,675 times.
