I'm working on a link-shrinker (http://ls.oxle.com) but I guess I'm creating a problem (possibly a vulnerability).
On the first page anyone (and I mean everybody) can enter a URL, which is added to the db with this code:
' Builds the INSERT by string concatenation; Request.Form("url") is spliced in unescaped
sqlstr = "INSERT INTO links (title, description, url, catid, datein, active, hits) SELECT '" _
& strTheTitle & "' AS title,'nix' AS description,'" _
& Request.Form("url") & "' AS url,1 AS catid, #" & date & "# AS datein, " & active & " AS active, 0 AS hits;"
objConn.Execute (sqlstr)
I guess that since the Request.Form isn't checked, it can be abused by SQL injection methods.
So, I'm looking for a method that prevents abuse, but that still enables any URL to be inserted (and retrieved correctly later on).
Any hints?
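As an added example (not the asker's code), here is the same INSERT written with a parameterised ADODB.Command, so the title and URL are bound as data rather than spliced into the SQL text and any characters in the URL are stored literally. It assumes objConn is an open ADODB connection to the Access/Jet database, that the page runs under classic ASP (Server.CreateObject), and the column types noted in the comments.

```vbscript
' Added example, not the asker's code. Column types are assumptions:
' url/title as text, datein as Date/Time, active as Yes/No.
Const adDate = 7, adBoolean = 11, adVarChar = 200
Const adParamInput = 1, adCmdText = 1

' Sanity check only: absolute http(s) URLs, bounded length.
' This is not what stops injection; the bound parameters below are.
Function IsAcceptableUrl(strUrl)
    IsAcceptableUrl = False
    If Len(strUrl) = 0 Or Len(strUrl) > 2048 Then Exit Function
    If LCase(Left(strUrl, 7)) = "http://" Or LCase(Left(strUrl, 8)) = "https://" Then
        IsAcceptableUrl = True
    End If
End Function

' Inserts a link with a parameterised command. User-supplied values never
' become part of the SQL string, so quotes, semicolons or comment markers
' inside the URL cannot change the statement.
Function InsertLink(objConn, strTheTitle, strUrl, active)
    Dim cmd
    InsertLink = False
    If Not IsAcceptableUrl(strUrl) Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO links (title, description, url, catid, datein, active, hits) " & _
                      "VALUES (?, 'nix', ?, 1, ?, ?, 0)"

    ' Parameters are bound positionally, in the order of the ? markers.
    ' If url is a Memo column, use adLongVarChar (201) instead of adVarChar.
    cmd.Parameters.Append cmd.CreateParameter("title", adVarChar, adParamInput, 255, strTheTitle)
    cmd.Parameters.Append cmd.CreateParameter("url", adVarChar, adParamInput, 2048, strUrl)
    cmd.Parameters.Append cmd.CreateParameter("datein", adDate, adParamInput, , Date)
    cmd.Parameters.Append cmd.CreateParameter("active", adBoolean, adParamInput, , CBool(active))

    cmd.Execute
    InsertLink = True
End Function

' Usage in the page handler (assumes strTheTitle and active are set as before):
If Not InsertLink(objConn, strTheTitle, Request.Form("url"), active) Then
    Response.Write "Rejected: please enter an absolute http(s) URL."
End If
```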