How to prevent "DROP BOBBY TABLES" when a user enters a password with special characters?

Question

How to prevent "DROP BOBBY TABLES" when a user enters a password with special characters?

In our ancient classic ASP environment, we use OWASP to retrieve the password from the request object and encrypt non-alphanumeric characters. This is the first line of defense to prevent sql injection. We use other methods to prevent a full sql injection.

The problem is that when we collect data to collect the HTTP message message and just grab the password from user input, OWASP and send it. Therefore, the password is incorrect.

Example: Password freddie $ cougar becomes freddie & 36; cougar

What we ended up assuming was that the text field with 50 characters did not have enough space to make a lot of sql injections and changed the code, so we did not enter the OWASP password. This is a little scary.

Is this the best way?

The code is written in vbScript.

+3

sql sql-injection vbscript asp-classic owasp

crackedcornjimmy Sep 03 '10 at 17:08

source share

4 answers

.

12- , , :)

+4

RedFilter 03 . '10 17:10

? . SQL- " ".

, . vbscripts , , script .

+3

Franci Penov 03 . '10 17:13

, - , . , (, , ). , , , , - , "IHateNoPunctSites".

base-64? , , , , , . , , , . - , . .

+1

Jonathan Leffler 03 . '10 17:18

p.campbell · Accepted Answer · 2010-09-03T17:11:59+0000

Think about porting your SQL statements to stored procedures and make sure that you are not using dynamic SQL in these stored procedures.

Dim userPwd = Trim(Request.QueryString("userPwd"))
'--- Create and append parameter for Password
Set pwdParameter = cmd.CreateParameter("@UserPassword", ad_nVarChar, adParamInput, 50, userPwd)
cmd.Parameters.Append pwdParameter

Also, it’s best not to even store pwd in your database, but rather a salty hash.

, , , adhoc SQL-, SQL .

How to prevent "DROP BOBBY TABLES" when a user enters a password with special characters?

More articles: