*'s being appended to the word 'or'

Oct 8, 2008 at 9:53 AM
Hi there,

Installed the ISAPI filter yesterday after a minor SQL injection hack.
Installation went smoothly and everything works as it should except that all instances of the word 'or' are replaced with '*or*'.

Firstly, is this a valid observation from a successful install?

And secondly, is there any way to get around this without stripping it out manually for every insert?

Thanks,
V
Coordinator
Oct 8, 2008 at 2:44 PM
Hi V,

This is by design. The idea is to protect against privacy attacks like:
sql = "select * from table1 where id=" & request("id")

and id = "0 or 1=1"

then
select * from table1 where id=0 or 1=1 would result in returning all rows.

Thanks,

Rodney
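
The query pattern from the reply above, beside a parameterized form that needs no keyword rewriting. This is an added example, not code from the thread or from the filter project. Python and sqlite3 stand in for the ASP page and its database, the table contents are constructed, and `mangle_or` is a hypothetical model of the behaviour V reports, not the filter's actual logic.

```python
import re
import sqlite3

def make_db():
    """Constructed sample table standing in for the thread's table1."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE table1 (id INTEGER PRIMARY KEY, note TEXT)")
    db.executemany("INSERT INTO table1 (id, note) VALUES (?, ?)",
                   [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return db

def mangle_or(value):
    """Hypothetical model of the behaviour reported in the thread:
    every whole word 'or' becomes '*or*'. Not the filter's real code."""
    return re.sub(r"\bor\b", "*or*", value, flags=re.IGNORECASE)

def lookup_concatenated(db, raw_id):
    """The pattern from the reply: request value pasted into the SQL text."""
    sql = "select * from table1 where id=" + raw_id
    return db.execute(sql).fetchall()

def lookup_parameterized(db, raw_id):
    """Value is bound as data; it is never parsed as SQL."""
    return db.execute("select * from table1 where id=?", (raw_id,)).fetchall()

def store_note(db, note_id, text):
    """Parameterized insert: free text keeps its 'or' untouched."""
    db.execute("INSERT INTO table1 (id, note) VALUES (?, ?)", (note_id, text))
    return db.execute("select note from table1 where id=?",
                      (note_id,)).fetchone()[0]

def demo():
    db = make_db()
    attack = "0 or 1=1"  # the value from the reply
    print("concatenated:", len(lookup_concatenated(db, attack)), "rows")
    try:
        lookup_concatenated(db, mangle_or(attack))
    except sqlite3.OperationalError as exc:
        print("concatenated + mangled input:", exc)
    print("parameterized:", len(lookup_parameterized(db, attack)), "rows")
    print("mangled text:", mangle_or("tea or coffee"))
    print("stored via parameter:", store_note(db, 4, "tea or coffee"))

if __name__ == "__main__":
    demo()
```

In classic ASP the equivalent of the bound `?` is an `ADODB.Command` with parameters instead of string concatenation.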