RSS Feeds :: DEVPPL - Forums > Script-archive TOGETHER WE ARE THE BEST http://www.devppl.com/forum en-gb Tue, 17 Aug 2004 14:07:13 +0100 Mon, 23 Nov 2009 19:07:01 +0000 http://blogs.law.harvard.edu/tech/rss MSSTI v0.0.1 - (C) 2008 leviatan21 - http://www.mssti.com/ Copyright : (c) RSS Feeds :: DEVPPL - Tue, 17 Aug 2004 14:07:13 +0100 webmaster@devppl.com (DEVPPL) RSS Feeds :: DEVPPL - Forums > Script-archive http://www.devppl.com/forum/styles/DEVPPL-v2/imageset/site_logo.gif http://www.devppl.com/forum 60 ASP Security Issues http://www.devppl.com/forum/./viewtopic.php?p=1054#p1054 Never trust user input to be of an appropriate size or contain appropriate characters. Always verify user input before using it to make decisions. The best option is to create a COM+ component which you can call from an ASP page to verify user input. You can also use the Server.HTMLEncode method, the Server.URLEncode method, or one of the code examples at the bottom of this page.


Do not create database connection strings in an ASP page by concatenating strings of user input together. A malicious attacker can inject code in their input to gain access to your database. If you are using a SQL database, use stored procedures for creating database connection strings


Do not use the default SQL administrator account name, sa. Everyone who uses SQL knows that the sa account exists. Create a different SQL administrative account with a strong password and delete the sa account.


...

Statistics : Posted by techyashish • on Thu Oct 07, 2004 6:46 pm • Replies 0 • Views 2816

]]> Never trust user input to be of an appropriate size or contain appropriate characters. Always verify user input before using it to make decisions. The best option is to create a COM+ component which you can call from an ASP page to verify user input. You can also use the Server.HTMLEncode method, the Server.URLEncode method, or one of the code examples at the bottom of this page.


Do not create database connection strings in an ASP page by concatenating strings of user input together. A malicious attacker can inject code in their input to gain access to your database. If you are using a SQL database, use stored procedures for creating database connection strings


Do not use the default SQL administrator account name, sa. Everyone who uses SQL knows that the sa account exists. Create a different SQL administrative account with a strong password and delete the sa account.


...]]> 2004-10-07T18:46:32+01:00 http://www.devppl.com/forum/./viewtopic.php?p=1054#p1054