dbWriter Preventing SQL Injection Attacks ASP code
Trusting user input can prove fatal to your database: SQL injection is code inserted through HTML input boxes. All user input must be checked before it is used to add or delete data in your database. SQL injection attacks often use potentially hazardous characters to "inject" into an SQL statement. They take advantage of code that does not filter input entered directly into a form or a query string.
NEVER trust anything your users input.
<%
Dim strUsername, strPassword
strUsername = Request.Form("txtUsername")
strPassword = Request.Form("txtPassword")

' Single-quote clean-up is first: doubling each quote keeps it from
' terminating a string literal in the SQL statement
strUsername = Replace(strUsername, "'", "''")
strPassword = Replace(strPassword, "'", "''")

' Then call the function SQLcheck to test for illegal characters and words
If SQLcheck(strUsername) = True Or SQLcheck(strPassword) = True Then
    Response.Redirect "error.asp"
End If

Function SQLcheck(strInput)
    Dim arrBadChars, iCounter
    SQLcheck = False
    ' Array of illegal characters and words
    arrBadChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_", _
                        "#", "%", "&", "(", ")", "/", "\", ":", "<", ">", "=", "[", _
                        "]", "?", "`", "|")
    ' Loop through arrBadChars; vbTextCompare makes the match case-insensitive,
    ' so "SELECT" is caught as well as "select"
    For iCounter = 0 To UBound(arrBadChars)
        If InStr(1, strInput, arrBadChars(iCounter), vbTextCompare) > 0 Then
            SQLcheck = True
            Exit For
        End If
    Next
End Function
%>
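As an added example that is not part of the original article, here is the same login check written with a parameterised ADODB.Command, which keeps the user-supplied values out of the SQL text entirely, so the quote-doubling above is not needed (and would alter the value being compared). The table and column names, the 50-character limit and the connection string held in Application("ConnString") are assumptions.

```vbscript
<%
' Added example, not from the original article: a parameterised login query.
' Table/column names and the connection string are assumptions for illustration.
Option Explicit
' ADO constants (normally supplied by adovbs.inc)
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Function UserExists(strUsername, strPassword)
    Dim conn, cmd, rs
    UserExists = False

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")   ' assumed: connection string in Application state

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Placeholders instead of string concatenation: the values are sent to the
    ' driver separately and can never change the structure of the statement
    cmd.CommandText = "SELECT UserID FROM Users WHERE Username = ? AND Password = ?"
    cmd.Parameters.Append cmd.CreateParameter("@Username", adVarChar, adParamInput, 50, strUsername)
    cmd.Parameters.Append cmd.CreateParameter("@Password", adVarChar, adParamInput, 50, strPassword)

    Set rs = cmd.Execute
    If Not rs.EOF Then UserExists = True

    rs.Close
    conn.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set conn = Nothing
End Function

Dim strUsername, strPassword
strUsername = Request.Form("txtUsername")
strPassword = Request.Form("txtPassword")

' A length check is still worthwhile: reject input longer than the parameter size
If Len(strUsername) > 50 Or Len(strPassword) > 50 Then
    Response.Redirect "error.asp"
End If

If Not UserExists(strUsername, strPassword) Then
    Response.Redirect "error.asp"
End If
%>
```

The SQLcheck filter above can still run as a first line of defence, but it is the parameters that actually stop the injection.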