
protect against sql injection

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Classic ASP Discussion
Forum Description: Discussion on Active Server Pages (Classic ASP).
URL: https://forums.webwiz.net/forum_posts.asp?TID=1008
Printed Date: 31 March 2026 at 2:58pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: protect against sql injection
Posted By: pedalcars
Subject: protect against sql injection
Date Posted: 14 March 2003 at 9:11am
Having read a number of articles about SQL injection attacks, I've seen various advice about replacing the "'" (single quote) character in arguments (simple) and also a recommendation that arguments should only be numeric (most of mine are already, and thanks to MorningZ for the function that guarantees a numeric return); failing that, arguments should only contain alphanumeric characters.

A couple of arguments I currently have (and would like to keep) are in alphabetic characters, plus the underscore in some cases, e.g. "venue" or "venue_name".

In this case, I want to ensure that only letters and the underscore can be returned from the query string; can anyone point me at a function that can do this?

Thanks


-------------
http://www.pedalcars.info/ - www.pedalcars.info

The most fun on four wheels




Replies:
Posted By: michael
Date Posted: 14 March 2003 at 10:12am

You can use Regular Expressions. The following should do what you are looking for. It only allows alpha characters and the underscore. The function returns true or false.

Function ValidateMe(Expression)
   ' Returns True only when Expression consists entirely of letters and
   ' underscores (an empty string fails because "+" needs at least one char)
   Dim objRegExp
   Set objRegExp = New RegExp
   objRegExp.Pattern = "^[a-zA-Z_]+$"
   ValidateMe = objRegExp.Test(Expression)
End Function

Use like
If ValidateMe(strWhatever) = False Then
 'Raise your error
Else
 'Continue with the validated value
End If



Posted By: pedalcars
Date Posted: 14 March 2003 at 10:38am
Brilliant, thanks, I'll give it a go.


-------------
http://www.pedalcars.info/ - www.pedalcars.info

The most fun on four wheels



Posted By: MorningZ
Date Posted: 14 March 2003 at 10:54am
I use something a little more flexible.

And btw, that's not a SQL injection issue since they aren't going to hose the SQL query, but it sounds like you just want to validate some data.

Here's another common function that I wrote/use for a situation like the one you are looking for; the "i_xtra" parameter allows you to let any non-alpha characters flow through as well.

Function CheckAlpha( i_string, i_xtra )
     ' Returns True when every character of i_string is a letter (compared
     ' case-insensitively) or appears in i_xtra. An empty i_string returns True.
     ' Extra characters in i_xtra must be given in lower case, because each
     ' input character is lower-cased before the lookup.
     Dim i, temp, strAllow
     temp = True
     strAllow = "abcdefghijklmnopqrstuvwxyz"
     If i_xtra <> "" Then strAllow = strAllow & i_xtra
     For i = 1 To Len( i_string )
          If InStr( strAllow, LCase( Mid( i_string, i, 1 ) ) ) = 0 Then
               temp = False
               Exit For
          End If
     Next
     CheckAlpha = temp
End Function


CheckAlpha( "jimbobjoe", "" ) returns true
CheckAlpha( "jim bob joe", "" ) returns false
CheckAlpha( "jim bob joe", " " ) returns true
CheckAlpha( "jim_bob joe", " " ) returns false
CheckAlpha( "jim_bob joe", " _" ) returns true



-------------
Contribute to the working anarchy we fondly call the Internet


Posted By: meteor
Date Posted: 05 June 2004 at 8:18am

How about "OR AND = > <"? Can these letters make SQL injection? What is a complete function for checking some string input from users for SQL injection, like checking a name and password?

Like => isInjection(StringInputed) returns True or False?



-------------
Sincerely
--------------------
http://www.TacPlusPlus.com - Powerful Scripts For NTTacPlus


Posted By: meteor
Date Posted: 11 June 2004 at 7:04am

I read about SQL injection; is this function good for testing input strings?

Function isSQLinjection(Input)
 ' Flags a string that contains a single quote, a semicolon or a "--"
 ' comment marker (checks only these three tokens, case-insensitively)
 If InStr(1, Input, "'", vbTextCompare) > 0 Or InStr(1, Input, ";", vbTextCompare) > 0 Or InStr(1, Input, "--", vbTextCompare) > 0 Then
  isSQLinjection = True
 Else
  isSQLinjection = False
 End If
End Function



-------------
Sincerely
--------------------
http://www.TacPlusPlus.com - Powerful Scripts For NTTacPlus
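
An added example, not code from any poster in this thread: the string checks above shrink the problem but the fix that actually removes SQL injection in Classic ASP is to hand the value to the database as a typed parameter through ADODB.Command instead of concatenating it into the statement. It assumes an open ADODB.Connection object named conn and a venues table with a venue_name column of width 50; these names are assumptions, not part of the thread.

```vbscript
' ADO constants normally supplied by adovbs.inc, restated so the snippet stands alone
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Before: the value is spliced into the SQL text, so a single quote inside
' strVenue changes the meaning of the statement (the problem this thread is about)
' sql = "SELECT venue_name FROM venues WHERE venue_name = '" & strVenue & "'"

' After: the value travels as a parameter and is never parsed as SQL, so no
' character in it (quote, semicolon, comment marker, OR/AND) can alter the query
Function LookupVenue(conn, strVenue)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn          ' assumed open ADODB.Connection
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT venue_name FROM venues WHERE venue_name = ?"
    ' 50 is the assumed column width; reject or truncate longer input before this point
    cmd.Parameters.Append cmd.CreateParameter("@venue", adVarChar, adParamInput, 50, strVenue)
    Set rs = cmd.Execute
    If rs.EOF Then
        LookupVenue = ""                     ' no such venue
    Else
        LookupVenue = rs("venue_name")
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Allowlist validation (such as ValidateMe or CheckAlpha above) still belongs in
' front of this call as defence in depth; the parameter is what makes the query safe.
```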


