I’ve got some free-response text fields and I’m not sure how to scrub them to prevent SQL injection. Any ideas?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’ve got some free-response text fields and I’m not sure how to scrub them to prevent SQL injection. Any ideas?
Create a parameterized query instead of concatenating the user’s input into the query.
Here is how to do this in classic asp:
http://blog.binarybooyah.com/blog/post/Classic-ASP-data-access-using-parameterized-SQL.aspx
It’s also important to note that the only way you can be 100% safe from sql injection is to parameterize any sql statement that uses user input, even once it’s in the database. Example: Say you take user input via a parameterized query or stored procedure. You will be safe on the insert, however you need to make sure that anything down the road that uses that input also uses a parameter. Directly concatenating user input is a bad idea anywhere, including inside the db.