SQL injection is caused by this kind of code.
ASP:
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "SELECT somecolumn FROM sometable WHERE id=" & Request.QueryString("id"), conn
This is vulnerable to SQL injection, as the request.querystring value is used directly in the SQL.
The solution is to replace every request.querystring("id") with replace(request.querystring("id"),"'","''").
The ' is replaced with ''.
That will work. Better to use a wrapper function to achieve this.
Another approach is to use a db_reader account for your website instead of dbowner.
Kind regards, Nico Lubbers
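The quote-doubling wrapper the comment suggests, placed beside a parameterised ADODB.Command, as an added example that is not part of the original comment or of any ZDNet code. It assumes an ADODB.Connection named conn that is already open elsewhere in the page, an integer id column in sometable, and the hypothetical function names SqlQuote, SafeIntId and OpenById. Because the id in the comment's query is spliced in without surrounding quotes, the example also validates it as a number rather than relying on quote-doubling alone.

```vbscript
<%
' Added example, not code from the original post. Assumes an ADODB.Connection
' named conn that has already been opened elsewhere in the page, and that
' sometable.id is an integer column. Function names are hypothetical.

' ADO constants (normally pulled in from adovbs.inc); defined here so the
' snippet is self-contained.
Const adInteger = 3
Const adParamInput = 1

' The wrapper the post suggests: double every single quote before splicing the
' value into the statement. This only protects values that sit inside '...' in
' the SQL text, so the function adds the surrounding quotes itself.
' Hypothetical usage for a string column:
'   sql = "SELECT somecolumn FROM sometable WHERE name=" & SqlQuote(Request.QueryString("name"))
Function SqlQuote(value)
    SqlQuote = "'" & Replace(value, "'", "''") & "'"
End Function

' The id in the post is concatenated without quotes, so quote-doubling does
' not constrain it. Convert it to a Long first: CLng either yields a plain
' number or raises an error, so nothing but digits can reach the SQL text.
Function SafeIntId(value)
    If Not IsNumeric(value) Then
        Err.Raise vbObjectError + 1, "SafeIntId", "id must be an integer"
    End If
    SafeIntId = CLng(value)
End Function

' Preferred form: hand the value to ADO as a typed parameter, so the SQL text
' never contains user input at all. Returns an open ADODB.Recordset.
Function OpenById(conn, id)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT somecolumn FROM sometable WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , SafeIntId(id))
    Set OpenById = cmd.Execute
End Function

' Usage in place of the concatenated query from the post:
Dim rs
Set rs = OpenById(conn, Request.QueryString("id"))
%>
```

In a real page the two Const lines would normally come from adovbs.inc (or the ADO type library via a METADATA directive) rather than being redeclared; they are inlined above only so the snippet stands on its own. The parameterised form is the one to reach for by default, with the escaping wrapper reserved for legacy code that cannot be converted yet.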