Re: Strange behaviour in sql injection

From: Mariusz Pekala <skoot(at)poczta.onet.pl>
Date: Sat Nov 30 2002 - 15:26:20 EST

Dennis Hurst (Tue, 29 October 2002 15:06):
> The proper way to do it would have been:
> if IsNumeric(Request("passedID")) then
>     'all is well, build the SQL
>     sSql = "select * from myTable where ID = " & _
>            cstr(clng(Request("passedID")))
>     'do some database stuff here
> else
>     'go away, you're doing something bad....
> end if
>
> Using the cstr(CLng()) functions will convert it to a numeric and back
> again, effectively removing the SQL injection.

Why not use a regular expression on the raw request data?

/^[0-9]{1,8}$/ (or similar, depending on the language of the application) should ensure that you're dealing with a numeric (an integer, if that's what you need).

I may be wrong, or may not understand it all, but I would rather not trust functions that convert. They sometimes ignore/modify/guess. If I check that the string my webapp received contains only numbers, and not more than 9, then I may be SURE that there is no SQL injection here.

(Be gentle if I am saying something stupid or didn't understand what was going on :-))) )

Received on Sat Nov 30 18:26:31 2002
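The two approaches in this thread, a converter-based check in the style of IsNumeric/CStr(CLng()) and the strict /^[0-9]{1,8}$/ pattern, behave differently on inputs that are "numeric" to a parser but not plain digit strings. The following Python example is added here and is not code from either poster; it uses Python's float() as a stand-in for a lenient IsNumeric-style check (an assumption, since VBScript's exact acceptance rules differ) and runs both checks over a constructed set of inputs, including an injection attempt, whitespace, exponent notation, non-ASCII digits and a trailing newline. It also shows a regex pitfall a practitioner should know: in Python, `$` matches before a trailing newline, so `re.match` with `^...$` admits "42\n" while `fullmatch` does not.

```python
import re

# The pattern proposed in the thread: one to eight ASCII digits, nothing else.
# fullmatch() is used instead of match() with "^...$": in Python "$" also
# matches just before a trailing newline, so match() would accept "42\n".
STRICT_ID = re.compile(r"[0-9]{1,8}")


def validate_strict(raw: str):
    """Return raw unchanged if it is exactly 1-8 ASCII digits, else None."""
    return raw if STRICT_ID.fullmatch(raw) else None


def regex_match_dollar(raw: str) -> bool:
    """Same pattern via re.match() with ^...$; demonstrates the newline gap."""
    return re.match(r"^[0-9]{1,8}$", raw) is not None


def is_numeric_lenient(raw: str) -> bool:
    """Stand-in for an IsNumeric-style check (assumption: whatever the
    language's number parser accepts counts as numeric)."""
    try:
        float(raw)
    except ValueError:
        return False
    return True


def coerce_lenient(raw: str):
    """Stand-in for CStr(CLng(x)): parse, round to a whole number, render
    back as text. Returns None when the parser rejects the input. Note how
    the round trip silently changes whatever the parser guessed or dropped."""
    if not is_numeric_lenient(raw):
        return None
    return str(int(round(float(raw))))


def build_query(raw: str):
    """Mirror the thread's flow: only a strictly validated id reaches the SQL."""
    value = validate_strict(raw)
    if value is None:
        return None
    return "select * from myTable where ID = " + value


# Constructed inputs for the comparison (not taken from the thread).
SAMPLE_INPUTS = [
    ("42", "plain id"),
    ("42 OR 1=1", "classic injection attempt"),
    ("42; DROP TABLE myTable", "stacked statement attempt"),
    (" 42 ", "surrounding whitespace"),
    ("+42", "explicit sign"),
    ("4.2e1", "exponent notation"),
    ("42.7", "fractional value"),
    ("1_000", "digit separator"),
    ("\u0664\u0662", "Arabic-Indic digits"),
    ("42\n", "trailing newline"),
    ("123456789", "nine digits"),
    ("", "empty"),
]


def compare(raw: str) -> dict:
    """Run every check on one input and collect the outcomes."""
    return {
        "raw": raw,
        "lenient": coerce_lenient(raw),
        "strict": validate_strict(raw),
        "match_dollar": regex_match_dollar(raw),
    }


if __name__ == "__main__":
    for raw, note in SAMPLE_INPUTS:
        r = compare(raw)
        print(f"{raw!r:26} {note:26} lenient={r['lenient']!r:12} "
              f"strict={r['strict']!r:12} match$={r['match_dollar']}")
```

Both checks stop the two injection strings, which is Dennis's point. The lenient path, however, turns " 42 ", "+42", "4.2e1", "42\n" and even Arabic-Indic digits into "42", and "42.7" into "43", without the application ever seeing that the client sent something other than a plain id; the strict pattern rejects all of those and the nine-digit value, which is Mariusz's point. Neither check replaces a parameterised query, but a whitelist on the raw string is the cheaper one to reason about.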

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT