
SQL injection protection

Posted: Mon Jul 24, 2006 2:20 pm
by OldJames
I'm writing a small bulletin board system for a pre-existing code base. I'm to use a pre-existing authentication class. This class uses URLEncode() on the user name to avoid any malicious code being injected. Is URLEncode sufficient in this case? Is there a way that a malicious user could still perform an exploit in the user field to gain unauthenticated access?
I know that an additional SQL query has spaces, so that's not a problem. But I'm sure I read somewhere that you can encode special characters to bypass URL encoding, i.e. to pass in a single quote or something similar.

Any ideas and suggestions would be appreciated. I don't think I can modify the existing code without good cause.

Thanks boys and girls.
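Worked example added by the editor, not code from the thread or from OldJames's code base: it shows what URL-encoding a user name does to a classic login-bypass payload when the result is concatenated into SQL, the side effect on a legitimate name containing an apostrophe, the hypothetical case where another layer decodes the value again before it reaches the database, and the parameterized query that makes the question moot. It assumes the thread's URLEncode() behaves like ASP/PHP URL encoding (percent-encoding with `+` for space), that the users table stores names unencoded, and that the authentication class also concatenates the password; the table contents and the `login_*` function names are constructed for the demo.

```python
import sqlite3
from urllib.parse import quote_plus, unquote_plus

# Constructed sample data (not from the original post): two accounts, one
# with an apostrophe in the name. Plaintext passwords are for the demo only;
# a real authentication class would store password hashes.
SAMPLE_USERS = [("alice", "s3cret"), ("o'brien", "pw")]

# Classic login-bypass payload typed into the user-name field: the quote
# closes the string literal, OR 1=1 makes the WHERE clause true, and the
# trailing -- comments out the rest of the query.
PAYLOAD = "' OR 1=1 --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def encoded_username(value):
    """Stand-in for URLEncode(): percent-encode reserved characters, '+' for
    space. Assumption: the thread's URLEncode() behaves like this."""
    return quote_plus(value)


def login_concat(conn, username, password):
    """No defense at all: raw input concatenated into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_urlencoded(conn, username, password):
    """The thread's approach: URL-encode, then concatenate. The quote arrives
    as %27 so the payload is never parsed as SQL syntax, but a legitimate
    name containing ' or a space no longer matches the stored row
    (assumption: names are stored unencoded). The post only mentions the
    user name; every concatenated field needs the same treatment, so the
    password is encoded here as well."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '"
           + encoded_username(username)
           + "' AND password = '" + encoded_username(password) + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_encoded_then_decoded(conn, username, password):
    """Hypothetical failure mode: some layer URL-decodes the value again
    before it reaches the database. Encoding only protects while the encoded
    form is exactly what the SQL parser sees."""
    return login_concat(conn, unquote_plus(encoded_username(username)), password)


def login_parameterized(conn, username, password):
    """The standard fix: bind values as parameters so the driver keeps data
    separate from SQL syntax. No encoding is needed, and o'brien matches."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    conn = make_db()
    print("encoded payload:", encoded_username(PAYLOAD))
    for label, fn in [("concat", login_concat),
                      ("urlencoded", login_urlencoded),
                      ("encoded then decoded", login_encoded_then_decoded),
                      ("parameterized", login_parameterized)]:
        print(f"{label:22s} payload login -> {fn(conn, PAYLOAD, 'wrong')}")
    print("o'brien via urlencoded   ->", login_urlencoded(conn, "o'brien", "pw"))
    print("o'brien via parameterized->", login_parameterized(conn, "o'brien", "pw"))
```

The point to take from the output is that URL-encoding stops this particular payload only as a side effect of mangling the data, it silently changes what gets compared or stored, and its protection disappears the moment anything decodes the value before the query runs; parameterized queries are the check a reviewer would ask for instead.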

Posted: Mon Jul 24, 2006 2:33 pm
by feyd
We've talked about injection in many threads on this board. Have a read through them. You may find some nice solutions and answers to your questions. :)

Posted: Mon Jul 24, 2006 2:48 pm
by John Cartwright
Key terms: SQL injection and XSS injection.