Prevent SQL injection error

Discussion in 'ASP General' started by S N, May 1, 2009.

  1. S N

    S N Guest

    Kindly provide me with a standard vbscript code which i can insert in my asp
    search page such that it eliminates sql injection error.

    uandme72
    S N, May 1, 2009
    #1

  2. S N

    Bob Barrows Guest

    S N wrote:
    > Kindly provide me with a standard vbscript code which i can insert in
    > my asp search page such that it eliminates sql injection error.
    >

    http://mvp.unixwiz.net/techtips/sql-injection.html
    http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

    See here for a better, more secure way to execute your queries by using
    parameter markers (tokens):
    http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

    Personally, I prefer using stored procedures, or saved parameter queries
    as they are known in Access:

    Access:
    http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=

    http://groups.google.com/groups?hl=...=1&selm=

    SQL Server:
    http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/5d3c9d4409dc1701?hl=en



    --
    HTH,
    Bob Barrows
    Bob Barrows, May 1, 2009
    #2

  3. S N

    S N Guest

    How about using the following function in the code to prevent SQL injection?

    Private Function SQLInjectionBlock(ByVal blnLogBadRequest, ByVal strBuffer, _
                                       ByVal enmStrength)
        Dim blnAlreadyLogged
        Dim arrExtended
        Dim arrCommon
        Dim lngID

        '--Make sure we have a valid buffer before working with it
        If Trim(strBuffer) = "" Then
            Exit Function
        End If

        '--Setup the common array values (you can modify as needed)
        arrCommon = Array("'", """", ";", "*", ",", "--", "(", ")", "=")

        '--Setup the extended array values (you can modify as needed, I just setup a few)
        '--
        '--Please note that the high strength could have undesired effects.
        '--If someone has a dog named "Thor" and they use that as a username then
        '--it will be stripped to "Th" so be careful.
        '--
        arrExtended = Array("SELECT", "FROM", "WHERE", "AND", "OR")

        '--Clear any and all instances in the buffer that match the common array
        For lngID = LBound(arrCommon) To UBound(arrCommon)
            '--If we are logging this and it has not already been logged and the
            '--buffer contains a match then log it (AppendSecurityLog is defined elsewhere)
            If blnLogBadRequest And Not blnAlreadyLogged And _
               InStr(1, strBuffer, arrCommon(lngID)) > 0 Then
                Call AppendSecurityLog("SQL Injection - (" & strBuffer & ")")
                blnAlreadyLogged = True
            End If
            strBuffer = Replace(strBuffer, arrCommon(lngID), "")
        Next

        '--If the extra strength is requested, then run the extended array too
        If enmStrength > 0 Then
            '--Clear any and all instances in the buffer that match the extended array.
            '--The keyword match is case-insensitive (vbTextCompare), which is what
            '--makes "Thor" lose its "or" as the note above describes.
            For lngID = LBound(arrExtended) To UBound(arrExtended)
                '--If we are logging this and it has not already been logged and the
                '--buffer contains a match then log it
                If blnLogBadRequest And Not blnAlreadyLogged And _
                   InStr(1, strBuffer, arrExtended(lngID), vbTextCompare) > 0 Then
                    Call AppendSecurityLog("SQL Injection - (" & strBuffer & ")")
                    blnAlreadyLogged = True
                End If
                strBuffer = Replace(strBuffer, arrExtended(lngID), "", 1, -1, vbTextCompare)
            Next
        End If

        '--Return the modified buffer
        SQLInjectionBlock = strBuffer

        '--Clear the resources used by the arrays
        Erase arrCommon
        Erase arrExtended
    End Function

    "Bob Barrows" <> wrote in message
    news:...
    >S N wrote:
    >> Kindly provide me with a standard vbscript code which i can insert in
    >> my asp search page such that it eliminates sql injection error.
    >>

    > http://mvp.unixwiz.net/techtips/sql-injection.html
    > http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
    >
    > See here for a better, more secure way to execute your queries by using
    > parameter markers (tokens):
    > http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e
    >
    > Personally, I prefer using stored procedures, or saved parameter queries
    > as they are known in Access:
    >
    > Access:
    > http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=
    >
    > http://groups.google.com/groups?hl=...=1&selm=
    >
    > SQL Server:
    > http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/5d3c9d4409dc1701?hl=en
    >
    >
    >
    > --
    > HTH,
    > Bob Barrows
    >
    >
    S N, May 2, 2009
    #3
  4. S N

    Bob Barrows Guest

    S N wrote:
    > How about using the following function in the code to prevent sql
    > injection.

    <snip of a typical filter function>

    It might help against a less-determined hacker*, but the only way to
    absolutely prevent sql injection is to stop using dynamic sql. Without
    dynamic sql, injecting unwanted sql is almost impossible. Secondary sql
    injection is still possible, so you do have to be careful with values
    retrieved from a database that were entered via user input. No data entered
    by users should be trusted.

    I really cannot understand this love affair that people have with dynamic
    sql, when it is so easy to use parameters. Dynamic sql is hard! Having to
    deal with delimiters, quotes in the data, etc. ... it's no wonder that
    dynamic sql questions were so common in these groups up to a few years ago.
    Using parameters does away with all those issues. It amazes me that this is
    not the tool of first resort when teaching beginners how to program with
    databases.

    There is only one situation where dynamic sql is necessary, and that is
    where database objects (table or column names) referred to in a sql
    statement need to be variable. In that situation, it is possible to prevent
    sql injection by validating the data passed from the user contains nothing
    more than the expected object names.


    * and if you read the comments in the function you will see that it might
    prevent the entry of innocent data.
    --
    Microsoft MVP - ASP/ASP.NET - 2004-2007
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
    Bob Barrows, May 2, 2009
    #4
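    The two approaches Bob recommends in #2 and #4, parameter markers for the data values and allowlist validation for the one case where an object name has to vary, in one classic ASP search page. This is an added example, not code from the thread or from either poster; the table and column names (Products, ProductID, ProductName, UnitPrice), the connection string placeholder and the function names SafeSortColumn and BuildSearch are assumptions.

```vbscript
<%
' Added example (not from the thread). A search page that sends the user's
' search term through an ADO parameter and lets the user pick the sort
' column only from a fixed allowlist. Table/column names are assumed.
Option Explicit

' ADO enum values, normally supplied by adovbs.inc
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Placeholder connection string (assumption, replace with your own)
Const CONN_STRING = "Provider=SQLOLEDB;Data Source=(placeholder);Initial Catalog=Shop;Integrated Security=SSPI"

' Returns our own constant for a requested sort key, or "" if the request is
' not on the allowlist. The comparison is on the whole string, so a request
' such as "ProductName; DROP TABLE Products" simply does not match.
Function SafeSortColumn(strRequested)
    Dim arrAllowed, i
    arrAllowed = Array("ProductName", "UnitPrice", "ProductID")
    SafeSortColumn = ""
    For i = LBound(arrAllowed) To UBound(arrAllowed)
        If StrComp(arrAllowed(i), Trim(strRequested & ""), vbTextCompare) = 0 Then
            SafeSortColumn = arrAllowed(i)   ' our constant, never the input string
            Exit Function
        End If
    Next
End Function

' Builds the command. Only the validated sort constant is concatenated into
' the SQL text; the search term travels as a parameter, so quotes, semicolons
' or "--" in it are data, not syntax.
Function BuildSearch(conn, strTerm, strSortRequested)
    Dim cmd, strSort
    strSort = SafeSortColumn(strSortRequested)
    If strSort = "" Then strSort = "ProductName"   ' default (or reject the request)

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT ProductID, ProductName, UnitPrice FROM Products " & _
                      "WHERE ProductName LIKE ? ORDER BY [" & strSort & "]"
    ' The wildcards are added to the value, not to the SQL. Size 52 = 50 chars + 2 wildcards.
    cmd.Parameters.Append cmd.CreateParameter("@term", adVarChar, adParamInput, 52, _
                                              "%" & Left(Trim(strTerm & ""), 50) & "%")
    Set BuildSearch = cmd
End Function

' Usage: ?q=o'reilly&sort=UnitPrice works; ?sort=UnitPrice;--x falls back to the default.
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STRING
Set cmd = BuildSearch(conn, Request.QueryString("q"), Request.QueryString("sort"))
Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output as well: data that is safe for SQL is not yet safe for HTML.
    Response.Write Server.HTMLEncode(rs("ProductName")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

    The point of SafeSortColumn is that the string from the request is never used as SQL even after it passes: the function returns the entry from its own array, so the only column names that can ever reach ORDER BY are the three written in the code. The search term, by contrast, is never validated at all; it does not need to be, because the parameter marker keeps it out of the SQL text entirely.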