From: Cedric Malecot (cedric.malecotclub-internet.fr)
Date: Wed Jun 05 2002 - 09:25:22 CDT


    Yes... and no... it depends, because an attacker may use 3 ' and your code won't be able to remove them.
    One thing you can do is simply use this code (change it to fit your needs):

    private function filterfield(strTemp)
        dim i, replace_char, char2replace
        ' drop leading and trailing whitespace before filtering
        strTemp = trim(strTemp)
        '**************** Change the replace_char string by removing/adding characters you allow/disallow *********
        ' chr(34) is the double quote, appended separately rather than escaped inside the "..." literal
        replace_char = "!#$%&'()*+,/:;<=>?[\]^`{|}~" & chr(34)
        ' delete every blacklisted character from the input, one at a time
        for i = 1 to len(replace_char)
            char2replace = mid(replace_char, i, 1)
            strTemp = replace(strTemp, char2replace, "")
        next
        filterfield = strTemp
    end function

    session_user=filterfield(Session("User"))

    Cedric

    -----Original Message-----
    From: Thomas Springer [SMTP:tuevserveraudit.net]
    Date: Wednesday, June 5, 2002 15:13
    To: webappsecsecurityfocus.com
    Subject: input validation against sql-injection

    A question about input validation in .asp pages:

    SQL = "SELECT CID FROM Customer WHERE C_NO = '" & Replace(Session("User"),"'","''") & "'"

    This replaces a single ' with '', thus preventing SQL injection.

    Is this input validation enough to keep people from using things like
    ' and 1=1--
    or are there ways to get around this input validation and inject SQL code into
    an IIS/MSSQL server?

    ts

    Thomas Springer
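As an added example, not part of either message above, the three approaches from this thread (quote doubling as in the question, the character blacklist from the reply, and a parameterized query) are run side by side in Python against a constructed Customer table in SQLite. SQLite stands in for MSSQL here only because both accept '' for a literal single quote inside a '...' literal; the table, its rows and the payloads are all made up for the demo, and filterfield() and double_quotes() are straight ports of the VBScript, not the posters' code.

```python
import sqlite3

# Characters the reply's filterfield() strips, ported as-is (note: no '-' or space).
BLACKLIST = "!#$%&'()*+,/:;<=>?[\\]^`{|}~" + '"'


def filterfield(value: str) -> str:
    """Port of the reply's VBScript blacklist filter: trim, then drop each listed char."""
    value = value.strip()
    for ch in BLACKLIST:
        value = value.replace(ch, "")
    return value


def double_quotes(value: str) -> str:
    """Port of Replace(Session("User"), "'", "''") from the original question."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample data (assumption): three customers, one with a quote in C_NO."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Customer (CID INTEGER, C_NO TEXT)")
    con.executemany("INSERT INTO Customer VALUES (?, ?)",
                    [(1, "A100"), (2, "B200"), (3, "O'Neil")])
    return con


def quoted_concat(con: sqlite3.Connection, user: str) -> list:
    """The question's query: the value sits inside a '...' literal with quotes doubled,
    so every ' the attacker supplies stays inside the literal."""
    sql = "SELECT CID FROM Customer WHERE C_NO = '" + double_quotes(user) + "' ORDER BY CID"
    return [row[0] for row in con.execute(sql)]


def numeric_concat(con: sqlite3.Connection, user: str) -> list:
    """Same escaping, but the value is concatenated without surrounding quotes, as is
    common for numeric columns. The attacker never needs a quote, so doubling does nothing."""
    sql = "SELECT CID FROM Customer WHERE CID = " + double_quotes(user) + " ORDER BY CID"
    return [row[0] for row in con.execute(sql)]


def parameterized(con: sqlite3.Connection, user: str) -> list:
    """Bound parameter: the driver sends the value out of band, so it is never parsed as SQL."""
    sql = "SELECT CID FROM Customer WHERE CID = ? ORDER BY CID"
    return [row[0] for row in con.execute(sql, (user,))]


def demo() -> dict:
    """Run each variant against a legitimate value and an injection payload."""
    con = make_db()
    payload = "1 OR CID IS NOT NULL"  # no blacklisted characters, no quotes needed
    return {
        # quoted context: a legitimate quote is preserved, the classic payload is inert
        "quoted_legit": quoted_concat(con, "O'Neil"),
        "quoted_attack": quoted_concat(con, "' OR 1=1--"),
        # unquoted context: quote doubling is bypassed, and so is the blacklist
        "numeric_attack": numeric_concat(con, payload),
        "numeric_filtered": numeric_concat(con, filterfield(payload)),
        # the blacklist also destroys legitimate data
        "filtered_name": filterfield("O'Neil"),
        # parameterized: the payload is compared as data and matches nothing
        "param_attack": parameterized(con, payload),
        "param_legit": parameterized(con, "2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result!r}")
```

The quoted case returns [3] for O'Neil and nothing for the ' OR 1=1-- payload, which is the behaviour the question hopes for; the unquoted case returns every row whether or not the blacklist ran, because "1 OR CID IS NOT NULL" contains none of the blacklisted characters. Only the bound parameter holds in both contexts, which is why escaping should be treated as a property of one specific SQL context and parameterization as the general fix.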