Parameterization in VBScript / ASP Classic and ADO

I am a bit confused. Microsoft, as far as I can tell, claims that parameterization is the best way to protect your database from SQL injection attacks. But I find here two conflicting sources of information:

This page says that the ADO Command object is being used. But this page says that the Command object is unsafe for scripting. I seem to remember something about the Command object not being supposed to be used in VBScript or JScript due to security vulnerabilities, but I cannot find this article.

Am I missing something, or are these two articles conflicting?

2 answers

I may be wrong here, but I think it just means that someone can use the Command object to do bad things. That is, it should not be trusted if someone else is scripting it.

See "script-safe" in this article. Every mention of this phrase on the Internet refers to it as marking an ActiveX control as saying: "This control does not perform I/O, or only talks back to the server it came from", but the Command object does not. It can be used to accomplish many things that may be unsafe.

The "safe" they are talking about and the "safe" of preventing SQL injection are two different things. The article about using the ADO Command object to parameterize your data is included. You have to do it.

And Microsoft confirms this here:

http://msdn.microsoft.com/en-us/library/ms676585(v=VS.85).aspx

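As an added illustration of the point made in this answer (example code, not from the original post), here is the concatenated query the answer warns against next to the ADO Command object form that keeps the user's value out of the SQL text. The table, column and connection-string names are assumptions for the example.

```vbscript
<%
' ADO constants, spelled out so adovbs.inc is not required
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

Dim userName
userName = Request.QueryString("user")   ' untrusted input from the client

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")      ' assumed: connection string kept in Application state

' Injectable: the input is spliced into the SQL text, so a quote in "user"
' changes the structure of the statement. Left here only for contrast.
' Set rs = conn.Execute("SELECT id, email FROM Users WHERE name = '" & userName & "'")

' Parameterized: the SQL text is fixed and the value is sent separately,
' so the database never parses the input as part of the statement.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT id, email FROM Users WHERE name = ?"
' CreateParameter(Name, Type, Direction, Size, Value)
cmd.Parameters.Append cmd.CreateParameter("@name", adVarWChar, adParamInput, 50, userName)
Set rs = cmd.Execute

Do Until rs.EOF
    ' Encode on output as well, so stored data cannot become script in the page
    Response.Write Server.HTMLEncode(rs("email")) & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
%>
```

The "Size" argument must cover the longest legitimate value; ADO truncates longer input rather than failing, which is worth checking for in validation.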

I think that "safe for scripting" means "safe to launch from the web page we just got from some Nigerian prince." The Command object must be safe to run on the server.

At work, though, back in the day my colleagues did not trust this, so we had an internal framework that basically did the same thing.


Source: https://habr.com/ru/post/1276652/
