View Single Post
Old 07-29-08, 08:12 AM   #3
ViN86
 
Join Date: Mar 2004
Posts: 15,486
Default Re: SQL Injection Attacks on ASP/ASP .net

Quote:
Originally Posted by tornadog View Post
Anybody have any quick fix code to check for possible cross scripting in querystring values? We had an attack through a thirdparty control's code, so we had no way of trapping the querystring parameters. funny thing was only data in one of the tables we were using for auditting transactions was affected. rest of the data was left intact. I guess we were just lucky!!!!
arent you escaping the strings?

dont know how to do it in asp.net, but i know in PHP there are functions to do so. you may need to write your function to do it.

EDIT:

here http://msdn.microsoft.com/en-us/library/ms998271.aspx

did you guys put a page up without escaping the user input? jeeze, that's security 101.
ViN86 is offline   Reply With Quote