 SQL INJECTION


gpiva
Starting Member

47 Posts

Posted - 2004-10-27 : 21:18:01
Can anybody suggest some code to prevent SQL injection on a login page?

Any help will be appreciated.

Thank you.

scullee
Posting Yak Master

103 Posts

Posted - 2004-10-27 : 21:31:54
Use a stored procedure to handle the login and just return a success or not.

Inside the stored procedure, return the password from the database into a variable, then compare it directly to the one passed, that way if they add something to the username or password the comparison will fail.

Other options are to remove ' and ' or ' from the string before the comparison.

The safest way is not to use dynamic sql and to use parameters.

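The approach scullee describes, written out as an added T-SQL example (not code from the post or from SQLTeam): the stored procedure takes the user name and password as parameters, looks up the stored value by name, compares it inside the procedure, and returns only success or failure. The table `dbo.Users`, the column names and the `dbo.Login_Unsafe` / `dbo.Login_Safe` procedure names are assumptions made for the example; the dynamic-SQL version is included only to show the pattern the answer warns against.

```sql
-- Constructed schema (assumption: the post defines none). Store a salted hash
-- in PwdHash and hash the submitted password in the application before calling.
CREATE TABLE dbo.Users (
    UserName varchar(50)  NOT NULL PRIMARY KEY,
    PwdHash  varchar(100) NOT NULL
);
GO

-- Pattern to AVOID: the input is pasted into the SQL text, so a quote character
-- in @UserName or @Password changes the statement's structure instead of being
-- treated as a value. Shown for contrast only.
CREATE PROCEDURE dbo.Login_Unsafe
    @UserName varchar(50), @Password varchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(500);
    SET @sql = N'SELECT COUNT(*) FROM dbo.Users WHERE UserName = ''' + @UserName
             + N''' AND PwdHash = ''' + @Password + N'''';
    EXEC (@sql);
END
GO

-- Pattern from the answer: no dynamic SQL, parameters only, compare inside the
-- procedure, return just 1 (success) or 0 (failure).
CREATE PROCEDURE dbo.Login_Safe
    @UserName varchar(50), @Password varchar(100), @Success bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Stored varchar(100);

    SELECT @Stored = PwdHash
    FROM dbo.Users
    WHERE UserName = @UserName;   -- @UserName is a value, never SQL text

    -- Binary collation makes the comparison case-sensitive regardless of the
    -- column's default collation (available in SQL Server 2000).
    IF @Stored IS NOT NULL
       AND @Stored COLLATE Latin1_General_BIN = @Password COLLATE Latin1_General_BIN
        SET @Success = 1;
    ELSE
        SET @Success = 0;
END
GO

-- Call it with parameters (from ADO, use Command.Parameters, not a pasted string).
DECLARE @ok bit;
EXEC dbo.Login_Safe @UserName = 'alice', @Password = 'constructed-hash', @Success = @ok OUTPUT;
SELECT @ok AS LoginSucceeded;   -- 0 for the empty constructed table
```

Whatever the caller passes in `@UserName` or `@Password` reaches `dbo.Login_Safe` only as a parameter value, which is what removes the injection, so the application must not build its own `EXEC` string around the input.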

gpiva
Starting Member

47 Posts

Posted - 2004-10-27 : 21:41:47
Thank you.