Caveatrob

Reputation: 13287

SQL injection on Classic ASP pages with parameterized queries: text fields

I've parameterized my queries in my Classic ASP app, but am unsure whether I need to sanitize or scrub free text fields or if the parameterization is sufficient to prevent injection.

Upvotes: 3

Views: 1274

Answers (2)

Aykut Akıncı

Reputation: 1302

Not all SQL stored procs are injection safe

http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/

Upvotes: 2

Rubens Farias

Reputation: 57996

If you use parameterized queries, you're safe against SQL injection attacks.

But not for XSS attacks; some user could insert HTML content (think about <script>, <object> tags) into your database and, at some page, another user gets that potentially malicious code executed.

Upvotes: 6
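To show both halves of this answer together (a bound parameter for the free-text field on the way in, and HTML encoding on the way out), here is an added Classic ASP example; it is not code from the question or either answer. It assumes a SQL Server table `Comments` (columns `Body`, `PostedAt`) and a connection string stored in `Application("ConnString")`.

```vbscript
<%@ Language="VBScript" %>
<%
' Added example: store a free-text comment via a parameterized ADODB.Command,
' then HTML-encode it when rendering. Table "Comments" and the connection
' string in Application("ConnString") are assumptions for this example.
Option Explicit

' ADO constants normally pulled in from adovbs.inc; inlined so the page
' runs without the include file.
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

Dim conn, cmd, rs, body
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumed to be set in global.asa

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    body = Request.Form("comment")
    ' Length check is business validation, not the injection defence.
    If Len(body) > 0 And Len(body) <= 4000 Then
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = conn
        cmd.CommandType = adCmdText
        ' The text travels as a bound parameter, never concatenated into the
        ' SQL string, so quotes or semicolons inside it are data, not syntax.
        cmd.CommandText = "INSERT INTO Comments (Body, PostedAt) VALUES (?, GETDATE())"
        cmd.Parameters.Append cmd.CreateParameter("@body", adVarWChar, adParamInput, 4000, body)
        cmd.Execute
        Set cmd = Nothing
    End If
End If

' Rendering: the stored text is still untrusted. Server.HTMLEncode turns
' < > & and double quotes into entities, so a stored <script> tag is shown
' as text instead of executing in another user's browser.
' The & "" coerces a NULL Body to an empty string before encoding.
Set rs = conn.Execute("SELECT Body, PostedAt FROM Comments ORDER BY PostedAt DESC")
Do Until rs.EOF
    Response.Write "<p>" & Server.HTMLEncode(rs("Body") & "") & "</p>" & vbCrLf
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The same encoded output is still wrong if the value is later placed inside a JavaScript string or an attribute without quotes; `Server.HTMLEncode` is only correct for element text and quoted attribute values.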
