Re: Strange beaviour in sql injection

[Mariusz Pekala <skoot () poczta onet pl>]

Dennis Hurst (wto 29. październik 2002 15:06):
> The proper way to do it would have been:
>       if IsNumeric(Request("passedID")) then
>               'all is well, build the SQL
>               sSql = "select * from myTable where ID = " &
> cstr(clng(Request("passedID")))
>               'do some database stuff here
>       else
>               'go away, your doing something bad....
>       end if
>
>
> Using the cstr(CLng()) functions will convert it to a numeric and back
> again, effectively
> Removing the SQL Injection.

Why not using a regular expression on raw request data?

/^[0-9]{1,8}$/ (or similiar, depends on language of the application) should
ensure that you'r dealing with numeric. (integer, if that's what you need).

I may be wrong, or may not understand it all, but I would rather not trust
functions that convert. They sometimes ignore/modify/guess.
If I check that the string my webapp received contains only numbers, and not
more than 9, then I may be SURE that there is no SQL injection here.

(Be gentle if I am saying something stupid or didn't understood what was
 going on :-))) )