In our ancient Classic ASP environment, we utilize OWASP to get the password from the request object and encrypt non-alphanumeric characters. This is a first line of defense in preventing SQL injection. We use other methods for full SQL injection prevention.
The problem is that when we are collecting data to put together an HTTP POST message, we just grab the password from the user input, OWASP it and send it along. The password is therefore incorrect.
Example: Password freddie$cougar becomes freddie&36;cougar
What we ended up doing was assuming that a 50 character text field was not enough space to do much sql injection and changed the code so we didn’t OWASP the password coming in. This feels a bit scary.
Is there a better way?
The code is written in VBScript.
Consider moving your SQL statements to stored procedures, and ensure that you don’t use dynamic SQL within those stored procs.
Aside, it’s definitely best to not even store the pwd in your database, but rather a salted hash.
The method above is preferred, no matter what string you’re sending to your database, as it’ll avoid executing directly as an ad hoc statement, and will avoid SQL injection, as long as you’re not using the parameter with dynamic SQL within the stored proc.
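As an added illustration (not code from the question or the answer above), this is what the Classic ASP side of that advice looks like: the raw form values go to a stored procedure as typed ADO parameters, so they never become part of SQL text and need no OWASP-style encoding. The procedure name `dbo.usp_ValidateLogin`, its parameter names, the `Application("ConnString")` setting and the form field names are assumptions for the example; the procedure is assumed to do a plain comparison (ideally against a stored salted hash, as the answer says) with no dynamic SQL inside it.

```vbscript
<%
' Added example: parameterized stored-procedure call from Classic ASP (VBScript).
' Proc name, parameter names, connection string and form field names are assumptions.
Option Explicit

' ADO constants, spelled out because a page may not include adovbs.inc
Const adCmdStoredProc     = 4
Const adParamInput        = 1
Const adParamReturnValue  = 4
Const adInteger           = 3
Const adVarWChar          = 202
Const adExecuteNoRecords  = 128

Function ValidateLogin(userName, password)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")   ' assumed: connection string kept at application scope

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.usp_ValidateLogin"   ' assumed proc: RETURN 1 on success, 0 otherwise

    ' The RETURN value parameter must be appended first.
    cmd.Parameters.Append cmd.CreateParameter("@Return", adInteger, adParamReturnValue)

    ' Values travel as typed RPC parameters, not as SQL text. "freddie$cougar" reaches
    ' the proc exactly as typed, and so does "x' OR '1'='1", which is then just a string
    ' compared against a column and cannot alter the statement.
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarWChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("@Password", adVarWChar, adParamInput, 128, password)

    ' No result set is expected; the outcome comes back through the RETURN value.
    cmd.Execute , , adExecuteNoRecords
    ValidateLogin = (cmd.Parameters("@Return").Value = 1)

    conn.Close
    Set cmd = Nothing
    Set conn = Nothing
End Function

' Usage: pass the request values straight through. Encoding them here would corrupt
' the password (the "$" problem from the question) without adding any protection.
If ValidateLogin(Request.Form("username"), Request.Form("password")) Then
    Session("user") = Request.Form("username")
    Response.Redirect "home.asp"
Else
    Response.Write "Login failed."
End If
%>
```

Note that the 50-character field length from the question plays no security role here; the parameter sizes simply mirror the declared column widths, and the protection comes from the values never being concatenated into a statement, on either the ASP side or inside the procedure.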