messing with data on post

May 21, 2008 at 12:39 PM
As per previous posts, I've inherited a site with some bad coding, and it was hit by SQL injection. Rather than "fix" all of the pages, I wanted to use the filter.

However, I have now found that it's causing some problems on insert.

OR in text fields is changed to **or**, and single quotes are changed to three single quotes (I thought it would change to \' ??)

Coordinator
May 21, 2008 at 6:39 PM
Hi Andy,

The ISAPI is doing what it was designed to do.
1. "or" is replaced by "*or*" to avoid privacy problems like in the following case:

Id=Request("Id")
SqlComm = "select * from client where clientID=" & Id

If you put "50 or 1=1" in the input field the resulting SQL command will be:
select * from client where clientID=50 or 1=1 (it will return all rows)

With the filter:
select * from client where clientID=50 *or* 1=1 (returns an error)

2. ' is replaced by '' for SQL Server. \' is not compatible with SQL Server (are you trying to use MySQL instead?)

The source code is available and you can change the patterns you want. You can adapt it to MySQL if that is the case. I am working on a new version which will enable changing parameters for those not familiar with C++. I don't know when I will publish it though. Meanwhile, if you need help changing the code, let me know.

Thanks,

Rodney 

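As an added illustration (not code from this thread or from the ISAPI filter project), the following Python emulates the two rewrite rules Rodney describes, runs them against the thread's clientID lookup, and sets them beside a parameterized query that keeps "or" and quotes in free text intact. The filter's exact patterns and the sample rows are assumptions.

```python
import re
import sqlite3

# Toy re-implementation of the two rewrite rules described in the reply.
# This is an assumption about the filter's behaviour, not its C++ source.
def isapi_style_filter(value: str) -> str:
    value = re.sub(r"\bor\b", "*or*", value, flags=re.IGNORECASE)
    return value.replace("'", "''")

# The vulnerable ASP pattern from the thread, transcribed to Python:
# the request value is concatenated straight into the statement.
def concat_query(client_id: str) -> str:
    return "select * from client where clientID=" + client_id

def _demo_db() -> sqlite3.Connection:
    # Constructed sample data, held in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table client (clientID integer, name text)")
    conn.executemany("insert into client values (?, ?)",
                     [(50, "Acme"), (51, "Beta")])
    conn.execute("create table note (body text)")
    return conn

def rows_via_concat(client_id: str) -> int:
    """Rows returned when the (optionally filtered) value is concatenated."""
    conn = _demo_db()
    try:
        return len(conn.execute(concat_query(client_id)).fetchall())
    except sqlite3.Error:
        return -1  # statement no longer parses: the outcome the filter aims for

def rows_via_parameter(client_id: str) -> int:
    """Same lookup with a bound parameter: the input is data, never SQL."""
    conn = _demo_db()
    cur = conn.execute("select * from client where clientID=?", (client_id,))
    return len(cur.fetchall())

def store_note(body: str) -> str:
    """Insert free text through a parameter and read it back unchanged."""
    conn = _demo_db()
    conn.execute("insert into note values (?)", (body,))
    return conn.execute("select body from note").fetchone()[0]

if __name__ == "__main__":
    print(rows_via_concat("50 or 1=1"))                      # all rows
    print(rows_via_concat(isapi_style_filter("50 or 1=1")))  # -1, syntax error
    print(rows_via_parameter("50 or 1=1"))                   # 0 rows
    print(store_note("Tom or Jerry, it's 'urgent'"))         # stored verbatim
```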