pedalcars
Senior Member
Joined: 12 August 2002
Location: United Kingdom
Status: Offline
Points: 268
Topic: protect against sql injection
Posted: 14 March 2003 at 9:11am
Having read a number of articles about SQL injection attacks, I've seen various advice about replacing the "'" (single quote) character in arguments (simple) and also a recommendation that arguments should only be numeric (most of mine are already, and thanks to MorningZ for the function that guarantees a numeric return); failing that, arguments should only contain alphanumeric characters.
A couple of arguments I currently have (and would like to keep) in alphabetic characters, plus the underscore in some cases, e.g., "venue" or "venue_name".
In this case, I want to ensure that only letters and the underscore can be returned from the query string; can anyone point me at a function that can do this?
Thanks
michael
Senior Member
Joined: 08 April 2002
Location: United States
Status: Offline
Points: 4670
Posted: 14 March 2003 at 10:12am
You can use Regular Expressions. The following should do what you are looking for. It only allows alpha and underscore. The function returns true or false.
Function ValidateMe(Expression)
    Dim objRegExp
    Set objRegExp = New RegExp
    ' Whole string must be ASCII letters and/or underscore, at least one character
    objRegExp.Pattern = "^[a-zA-Z_]+$"
    ' Assign the result to the function name so the caller actually gets it back
    ValidateMe = objRegExp.Test(Expression)
End Function

Use like:

If ValidateMe(strWhatever) = False Then
    ' Raise your error
Else
    ' Continue
End If
pedalcars
Senior Member
Joined: 12 August 2002
Location: United Kingdom
Status: Offline
Points: 268
Posted: 14 March 2003 at 10:38am
Brilliant, thanks, I'll give it a go.
MorningZ
Senior Member
Joined: 06 May 2002
Location: United States
Status: Offline
Points: 1793
Posted: 14 March 2003 at 10:54am
I use something a little more flexible.
And btw, that's not a SQL injection issue since they aren't going to hose the SQL query, but it sounds like you just want to validate some data.
Here's another common function that I wrote/use for a situation like you are looking for; the "i_xtra" parameter allows you to let any non-alpha character flow through as well:
Function CheckAlpha( i_string, i_xtra )
    Dim temp, strAllow, i
    temp = True
    ' Characters that are allowed; letters are compared case-insensitively below
    strAllow = "abcdefghijklmnopqrstuvwxyz"
    ' Any extra characters the caller wants to let through (e.g. " " or "_")
    If i_xtra <> "" Then strAllow = strAllow & i_xtra
    For i = 1 To Len( i_string )
        If InStr( strAllow, LCase( Mid( i_string, i, 1 ) ) ) = 0 Then
            temp = False
            Exit For
        End If
    Next
    CheckAlpha = temp
End Function
CheckAlpha( "jimbobjoe", "" ) returns true
CheckAlpha( "jim bob joe", "" ) returns false
CheckAlpha( "jim bob joe", " " ) returns true
CheckAlpha( "jim_bob joe", " " ) returns false
CheckAlpha( "jim_bob joe", " _" ) returns true
Contribute to the working anarchy we fondly call the Internet
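The two posts above both describe allowlist validation (a letters-and-underscore regex, and a per-character check with optional extra characters). The following is an added example, not code from this thread or from either poster, written in Python rather than the thread's VBScript so the behaviour can be checked directly. It ports both checks, then shows the situation where allowlisting is actually the right control: a column name such as "venue_name" taken from the query string cannot be bound as a query parameter, so it must be validated against a fixed set, while ordinary values (the city filter here) are bound with placeholders. The table, rows, column set and function names are all constructed for the example.

```python
import re
import sqlite3

# Allowlist pattern matching the thread's "^[a-zA-Z_]+$": ASCII letters and underscore only.
IDENTIFIER_RE = re.compile(r"[A-Za-z_]+")


def validate_identifier(value):
    # fullmatch() anchors both ends of the string; unlike re.match() with a "$" anchor
    # it also rejects a trailing newline, so "venue_name\n" does not slip through.
    return IDENTIFIER_RE.fullmatch(value) is not None


def check_alpha(s, extra=""):
    # Port of the CheckAlpha function above: lower-case letters plus any characters in `extra`.
    # An empty string passes, exactly as the VBScript loop does when Len() is 0.
    allowed = set("abcdefghijklmnopqrstuvwxyz") | set(extra)
    return all(ch.lower() in allowed for ch in s)


# Constructed sample schema: the only column names a request may sort by.
SORTABLE_COLUMNS = {"venue_name", "city"}


def open_sample_db():
    # Constructed in-memory data for the demonstration; not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE venues (venue_name TEXT, city TEXT)")
    conn.executemany(
        "INSERT INTO venues VALUES (?, ?)",
        [("Town_Hall", "Leeds"), ("Arena", "Bristol"), ("Civic", "Aberdeen")],
    )
    return conn


def venues_sorted_by(conn, column, city=None):
    # Column names cannot be bound as parameters, so the only control is an allowlist:
    # character-class check first, then membership in the known schema columns.
    if not validate_identifier(column) or column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    where = ""
    params = ()
    if city is not None:
        # A *value* such as the city filter is bound with a placeholder, never spliced in.
        where = "WHERE city = ? "
        params = (city,)
    sql = 'SELECT venue_name FROM venues %sORDER BY "%s"' % (where, column)
    return [row[0] for row in conn.execute(sql, params)]


def sort_column_rejected(conn, column):
    # Helper so callers can see whether a candidate column name is refused.
    try:
        venues_sorted_by(conn, column)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = open_sample_db()
    print(venues_sorted_by(db, "venue_name"))
    print(venues_sorted_by(db, "city", city="Leeds"))
    print(sort_column_rejected(db, "rowid"))
```

Note that "rowid" passes the character check but is still refused because it is not in the allowed set; the character class alone only tells you the input is well-formed, not that it names something you intend to expose. In classic ASP the value-binding half of this corresponds to adding parameters to an ADODB.Command rather than concatenating the value into the SQL string.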
meteor
Groupie
Joined: 31 August 2003
Location: Iran
Status: Offline
Points: 67
Posted: 05 June 2004 at 8:18am
How about "OR AND = > <"? Can these letters make SQL injection? What is a complete function for checking some string input from users for SQL injection, like checking for name and password?
Like => isInjection(StringInputed) returns False and True? ( )
meteor
Groupie
Joined: 31 August 2003
Location: Iran
Status: Offline
Points: 67
Posted: 11 June 2004 at 7:04am
I read about SQL injection; is this function good for testing input strings?
Function isSQLinjection(Input)
    ' InStr returns the position (0 if not found), so compare against 0 explicitly
    If InStr(1, Input, "'", 1) > 0 Or InStr(1, Input, ";", 1) > 0 Or InStr(1, Input, "--", 1) > 0 Then
        isSQLinjection = True
    Else
        isSQLinjection = False
    End If
End Function
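To show what the function above does and does not cover, here is an added example (not code from this thread or from the poster), in Python so it runs stand-alone against an in-memory SQLite table rather than an ASP/ADO connection. It ports the blacklist check, then runs the same request value through a concatenated query and through a parameterised one. The earlier question asked whether words like OR and = matter: an input built only from those characters contains no quote, semicolon or comment marker, so the blacklist passes it, while the parameterised query treats it as plain data. The blacklist also rejects a legitimate name containing an apostrophe that the parameterised login handles correctly. The users table, its rows and all function names are constructed for the example.

```python
import sqlite3


def is_sql_injection(value):
    # Port of the thread's isSQLinjection(): flags a quote, a semicolon or a "--" comment marker.
    return any(token in value for token in ("'", ";", "--"))


def open_sample_db():
    # Constructed sample data for the demonstration; not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-a"), (2, "bob", "pw-b"), (3, "o'brien", "pw-o")],
    )
    return conn


def users_by_id_concat(conn, user_id):
    # The pattern a blacklist is supposed to protect: request input spliced into the SQL text.
    # Anything in user_id becomes part of the statement.
    sql = "SELECT name FROM users WHERE id = " + user_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def users_by_id_param(conn, user_id):
    # Hardened form: the input is bound as a value, so whatever it contains is compared
    # against id as data and can never change the shape of the statement.
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def verify_login_param(conn, name, password):
    # Both user-supplied values are bound, so a name containing a quote works and no
    # input can alter the WHERE clause. (Plain-text passwords here only to keep the
    # example short; a real table would store a password hash.)
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = open_sample_db()
    value = "1 OR 1=1"  # no quote, semicolon or "--", so the blacklist does not flag it
    print(is_sql_injection(value))        # False
    print(users_by_id_concat(db, value))  # every row, the WHERE clause has been changed
    print(users_by_id_param(db, value))   # no rows, the value is compared as data
    print(verify_login_param(db, "o'brien", "pw-o"))
```

The takeaway for the question above: a character blacklist is neither complete (the OR-based value passes it) nor precise (it rejects "o'brien"), whereas binding values as parameters, or in classic ASP adding them to an ADODB.Command rather than concatenating them, makes the check unnecessary for the query itself. Validation such as the numeric and alphabetic checks earlier in the thread then remains useful for rejecting malformed input early, not as the defence against injection.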