5 Replies Latest reply on Nov 19, 2010 9:29 AM by aonefun

    SQL Injection?

    aonefun Level 1

      If you go to http://www.canchair.com/customer_locator/customer_locator_postcode.asp

       

      and put in any postal code and then click submit, you will see a webpage that displays more than one column of customer listings. While the company names in the upper right column display properly, the ones in the left display as funny characters.

       

      Both company name recordset results feed off of the same Access database field so I'm not sure why this should be occurring.

       

      It just so happens that this was the first database upload done via my trial version of Dreamweaver CS5.

       

      Could this be SQL injection if partial results from the same database field (but different recordset) display fine?

        • 1. Re: SQL Injection?
          Level 4

          aonefun wrote:

           

          If you go to http://www.canchair.com/customer_locator/customer_locator_postcode.asp

           

          and put in any postal code and then click submit...

          That's not SQL injection. SQL injection is not if they put any postal code in; injection would be if they put the code in and added additional characters into the form to inject your query. For instance, if the table was named products and in the postal code area someone entered the following instead of just a postal code:

           

           

          90210'; DROP TABLE products;

           

           

           

          Then your product table would be deleted. Use functions to sanitize your form data and prevent injection. It doesn't sound like SQL injection to me in this case; it sounds more likely that your data isn't properly formatted in the database.
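
The distinction drawn in the reply above (a plain postal code versus one with extra characters appended) and its advice to sanitize form data, as an added example that is not part of the original thread. It assumes an in-memory SQLite database standing in for the Access file; the `customers` table, its columns and the postal-code pattern are hypothetical.

```python
import re
import sqlite3

# Constructed sample input: the string quoted in the reply above.
PAYLOAD = "90210'; DROP TABLE products;"
# Assumed allowlist: 5-digit ZIP or Canadian postal code (A1A 1A1).
POSTCODE_RE = re.compile(r"\d{5}|[A-Za-z]\d[A-Za-z] ?\d[A-Za-z]\d")


def make_db():
    """In-memory SQLite database standing in for the Access file (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT)")
    db.execute("CREATE TABLE customers (company TEXT, postcode TEXT)")
    db.execute("INSERT INTO customers VALUES ('Acme Seating', '90210')")
    return db


def build_unsafe_sql(postcode):
    """Vulnerable pattern: form input concatenated into the SQL text."""
    return "SELECT company FROM customers WHERE postcode = '" + postcode + "'"


def is_valid_postcode(postcode):
    """Reject anything that is not shaped like a postal code."""
    return POSTCODE_RE.fullmatch(postcode) is not None


def lookup_safe(db, postcode, validate=True):
    """Hardened pattern: validate, then bind the value as a parameter."""
    if validate and not is_valid_postcode(postcode):
        return []
    rows = db.execute("SELECT company FROM customers WHERE postcode = ?", (postcode,))
    return [r[0] for r in rows]


def table_exists(db, name):
    # The table name is bound as a parameter here too.
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_unsafe_sql(PAYLOAD))  # the quote closes early; the rest becomes SQL
    print(lookup_safe(db, PAYLOAD))   # rejected by validation, never reaches the database
    print(lookup_safe(db, "90210"), table_exists(db, "products"))
```

In classic ASP the same pattern is an ADODB.Command with parameters instead of a concatenated SQL string.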

          • 2. Re: SQL Injection?
            aonefun Level 1

            Brilliant!

             

            I have changed the field type from text to memo in recent weeks.

             

            This must have been the issue. I have changed it back and will see if the problem persists or not.

             

            Thanks!!!!

            • 3. Re: SQL Injection?
              MurraySummers Level 8

              I don't think that change would make this difference, honestly.

              • 4. Re: SQL Injection?
                bregent Most Valuable Participant

                SQL injection? Why would you think that? I would think it was more to do with your output code. In any case, I don't see the problem you are referring to. Everything looks fine.

                 

                Edit: Weird. There were no other replies to this post when I was reading it. Looks like you got the problem solved.

                • 5. Re: SQL Injection?
                  aonefun Level 1

                  Yes! The issue is now resolved and it was remedied by changing the database field type back from memo to text. But indeed it was more than that, since the database under discussion was linked to the table that had the field type issue and was dependent on this data.

                   

                  The reason I suspected SQL injection is simply due to ignorance.

                   

                  Thanks for everyone's responses which I don't know what I would do without!