SQL injection protection
Posted: Mon Jul 24, 2006 2:20 pm
I'm writing a small bulletin board system for a pre-existing code base. I'm to use a pre-existing authentication class. This class uses URLEncode() on the user name to avoid any malicious code being injected. Is URLEncode sufficient in this case? Is there a way that a malicious user could still perform an exploit in the user field to gain unauthenticated access?
I know that an additional SQL query has spaces so that that's not a problem, but I'm sure I read somewhere that you can encode special characters to bypass URL encoding, i.e. to pass in a single quote or something similar.
Any ideas and suggestions would be appreciated. I don't think I can modify the existing code without good cause.
Thanks boys and girls.
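Added example, not from the poster or their code base: a small Python/sqlite3 script (the original is presumably ASP-style, since it calls URLEncode()) that contrasts three ways of looking up a user name. `lookup_parameterised` binds the name as a query parameter, so a quote in the input is plain data. `lookup_urlencoded_concat` mirrors the pattern in the question: URL-encode the name and splice it into the SQL string. The quote never reaches the parser because it arrives as `%27`, but the value compared is the encoded string, so a legitimate user called `o'brien` can no longer be found. `lookup_decoded_concat` shows the fragile case the poster is worried about: if any later layer decodes the value before the query is built, the same benign name breaks the statement. The table, user names and hash strings are constructed sample data.

```python
import sqlite3
from urllib.parse import quote, unquote


def make_db():
    """Constructed sample users table; 'o'brien' is a legitimate name with a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-placeholder-1"), ("o'brien", "hash-placeholder-2")],
    )
    return conn


def lookup_parameterised(conn, username):
    """Correct approach: the driver binds the value, so quotes are data, not syntax."""
    row = conn.execute("SELECT name FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


def lookup_urlencoded_concat(conn, username):
    """Pattern from the question: URLEncode() the name, then concatenate it.

    The apostrophe becomes %27, so the SQL parses, but the comparison is now
    against the encoded form and a real user named o'brien is never matched.
    (Assumes the stored names are the raw, unencoded user names.)
    """
    encoded = quote(username, safe="")  # "o'brien" -> "o%27brien"
    sql = f"SELECT name FROM users WHERE name = '{encoded}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_decoded_concat(conn, username):
    """Fragile case: something downstream decodes the value before the query is built.

    Encoding is then undone and the quote reaches the SQL parser. With a benign
    name like o'brien the statement simply fails; returning a marker string
    here makes the failure visible to a caller or a log instead of crashing.
    """
    decoded = unquote(quote(username, safe=""))  # round-trips back to "o'brien"
    sql = f"SELECT name FROM users WHERE name = '{decoded}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "SQL_ERROR"
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien", "nobody"):
        print(
            name,
            lookup_parameterised(db, name),
            lookup_urlencoded_concat(db, name),
            lookup_decoded_concat(db, name),
        )
```

The takeaway for the question asked: URL encoding only keeps the quote out of the SQL text for as long as nothing decodes the value again, and it silently changes what is stored or compared. A parameterised query (or the equivalent in the existing class's data-access layer) is the mechanism that actually separates data from SQL syntax, which is a good-cause argument for touching that authentication class.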