Prevent Wildcard Searches
on 30.06.2005 10:30:50 by Christopher W Aiken
We have a website www.mitre.net
Within it we have a Company Search facility which accesses a MySql database.
In the Company Name box users have to enter a minimum of three characters
and then select a location.
We have just discovered that if a user enters %%% they are presented with a
list of all the companies in a selected location!
Is there an easy way to prevent this?
Regards
Chris Curtis
Re: Prevent Wildcard Searches
on 30.06.2005 14:33:44 by exjxw.hannivoort
Chris Curtis wrote on 30 jun 2005 in microsoft.public.inetserver.asp.db:
> We have a website www.mitre.net
> Within it we have a Company Search facility which accesses a MySql
> database. In the Company Name box users have to enter a minimum of
> three characters and then select a location.
> We have just discovered that if a user enters %%% they are presented
> with a list of all the companies in a selected location!
>
> Is there an easy way to prevent this?
>
<%
' VBScript: strip the LIKE wildcard before the value reaches the query
searchstring = replace(searchstring, "%", " ")
%>
--
Evertjan.
The Netherlands.
(Replace all crosses with dots in my emailaddress)
Re: Prevent Wildcard Searches
on 30.06.2005 14:51:35 by reb01501
Chris Curtis wrote:
> We have a website www.mitre.net
> Within it we have a Company Search facility which accesses a MySql
> database. In the Company Name box users have to enter a minimum of
> three characters and then select a location.
> We have just discovered that if a user enters %%% they are presented
> with a list of all the companies in a selected location!
>
Without seeing your code or your query, we can't get specific, so here are
some generic pieces of advice that may influence this behavior:
Due to the dangers of sql injection -
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
don't use dynamic sql. Use parameters instead -
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e
If MySQL supports stored procedures, then see this link:
http://tinyurl.com/jyy0
If you don't want wildcard searches, don't use the LIKE keyword in your
query.
As Evertjan suggests, validate your user input before passing it to your
query, regardless of which technique you use to pass the input to your
query.
Bob barrows
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
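Putting the thread's three suggestions together (reject input that is only wildcards, escape what remains so it matches literally, and pass it as a parameter instead of building dynamic SQL), as an added example that is not code from anyone in this thread. It uses Python with an in-memory SQLite table and constructed company rows standing in for the site's MySQL table; the table layout and function names are assumptions.

```python
"""Added example, not from the original thread: validate, escape and
parameterize a company-name search so '%%%' no longer lists everything.
SQLite stands in for the MySQL table the thread describes (constructed
sample data); MySQL also treats backslash as the default LIKE escape."""
import sqlite3
from typing import List, Optional

MIN_CHARS = 3  # the form's stated minimum of three characters


def escape_like(term: str, esc: str = "\\") -> str:
    """Escape the LIKE metacharacters so user text is matched literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def validate_term(term: str) -> Optional[str]:
    """Return the trimmed term, or None if it lacks enough real characters.

    Only non-wildcard characters are counted, so '%%%' and '%a%' fail the
    three-character minimum even though they are three characters long."""
    cleaned = term.strip()
    literal = cleaned.replace("%", "").replace("_", "")
    return cleaned if len(literal) >= MIN_CHARS else None


def search_companies(conn: sqlite3.Connection, term: str, location: str) -> List[str]:
    """Prefix search on company name; wildcards in the term are literal."""
    cleaned = validate_term(term)
    if cleaned is None:
        raise ValueError("enter at least %d letters or digits" % MIN_CHARS)
    pattern = escape_like(cleaned) + "%"  # only our own trailing % is a wildcard
    sql = ("SELECT name FROM company "
           "WHERE name LIKE ? ESCAPE '\\' AND location = ? ORDER BY name")
    return [row[0] for row in conn.execute(sql, (pattern, location))]


def demo_connection() -> sqlite3.Connection:
    """Constructed sample rows standing in for the site's company table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE company (name TEXT, location TEXT)")
    conn.executemany("INSERT INTO company VALUES (?, ?)", [
        ("Acme Tooling", "Leeds"), ("Acme Castings", "Leeds"),
        ("Baker Fabrication", "Leeds"), ("100% Mitres Ltd", "York"),
        ("Acorn Joinery", "York"),
    ])
    return conn
```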
Re: Prevent Wildcard Searches
on 30.06.2005 14:55:21 by rdanjou
You could just validate the string entered by the user and return an error
message if he enters %%%.
"Chris Curtis" wrote in message
news:OCFjG4UfFHA.1412@TK2MSFTNGP09.phx.gbl...
> We have a website www.mitre.net
> Within it we have a Company Search facility which accesses a MySql
> database.
> In the Company Name box users have to enter a minimum of three characters
> and then select a location.
> We have just discovered that if a user enters %%% they are presented with
> a list of all the companies in a selected location!
>
> Is there an easy way to prevent this?
>
> Regards
> Chris Curtis
>
>
Re: Prevent Wildcard Searches
on 30.06.2005 14:59:39 by Christopher W Aiken
"Raymond D'Anjou" wrote in message
news:eVoIrKXfFHA.1480@TK2MSFTNGP10.phx.gbl...
> You could just validate the string entered by the user and return an error
> message if he enters %%%.
>
> "Chris Curtis" wrote in message
> news:OCFjG4UfFHA.1412@TK2MSFTNGP09.phx.gbl...
>> We have a website www.mitre.net
>> Within it we have a Company Search facility which accesses a MySql
>> database.
>> In the Company Name box users have to enter a minimum of three characters
>> and then select a location.
>> We have just discovered that if a user enters %%% they are presented with
>> a list of all the companies in a selected location!
>>
>> Is there an easy way to prevent this?
>>
>> Regards
>> Chris Curtis
>>
>>
Many thanks one and all!!
Chris