Prevent SQL injection error


S N

Kindly provide me with a standard VBScript code which I can insert in my ASP
search page such that it eliminates SQL injection error.

uandme72
 

Bob Barrows

S said:
Kindly provide me with a standard VBScript code which I can insert in
my ASP search page such that it eliminates SQL injection error.
http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

See here for a better, more secure way to execute your queries by using
parameter markers (tokens):
http://groups-beta.google.com/group/microsoft.public.inetserver.asp.db/msg/72e36562fee7804e

Personally, I prefer using stored procedures, or saved parameter queries
as they are known in Access:

Access:
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&[email protected]

http://groups.google.com/groups?hl=...=1&[email protected]

SQL Server:
http://groups.google.com/group/microsoft.public.inetserver.asp.general/msg/5d3c9d4409dc1701?hl=en
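The parameter-marker and stored-procedure approaches Bob links to, written out as an added example (this is not code from the thread or from the linked posts). It assumes an already open ADODB.Connection named cnn to SQL Server and a hypothetical table Products(ProductName, Price); the stored procedure usp_SearchProducts is likewise hypothetical. The dynamic-SQL version is shown only so the difference is visible: there the search term becomes part of the statement text, in the other two it never does.

```vbscript
<%
' Added example: one product search run three ways with ADO.
' Assumes: cnn is an open ADODB.Connection to SQL Server;
' table Products(ProductName, Price) and procedure usp_SearchProducts
' are hypothetical names used only for this illustration.

' ADO constants (normally taken from adovbs.inc)
Const adCmdText       = 1
Const adCmdStoredProc = 4
Const adParamInput    = 1
Const adVarWChar      = 202

' Dynamic SQL: the value is spliced into the statement text, so any quote or
' delimiter in the term is parsed as SQL. Filtering characters out of the
' term, as the function posted later in this thread does, only papers over this.
Function SearchProductsDynamic(cnn, strTerm)
    Dim strSQL
    strSQL = "SELECT ProductName, Price FROM Products " & _
             "WHERE ProductName LIKE '%" & strTerm & "%'"
    Set SearchProductsDynamic = cnn.Execute(strSQL)
End Function

' Parameter marker: the statement text is fixed and the value travels
' separately, so it is never parsed as SQL. No quoting or stripping needed.
Function SearchProductsParam(cnn, strTerm)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cnn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT ProductName, Price FROM Products " & _
                      "WHERE ProductName LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("@term", adVarWChar, _
                          adParamInput, 100, "%" & strTerm & "%")
    Set SearchProductsParam = cmd.Execute
End Function

' Stored procedure: same principle, the statement lives in the database.
' Hypothetical definition on the server:
'   CREATE PROCEDURE usp_SearchProducts @term nvarchar(100) AS
'     SELECT ProductName, Price FROM Products
'     WHERE ProductName LIKE '%' + @term + '%'
Function SearchProductsProc(cnn, strTerm)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cnn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "usp_SearchProducts"
    cmd.Parameters.Append cmd.CreateParameter("@term", adVarWChar, _
                          adParamInput, 100, strTerm)
    Set SearchProductsProc = cmd.Execute
End Function

' Usage from the search page: the raw request value goes straight in,
' and output is HTML-encoded on the way back out.
Dim rs
Set rs = SearchProductsParam(cnn, Request.QueryString("q"))
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("ProductName")) & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```

The `?` marker is the OLE DB placeholder syntax; parameters are bound in the order the markers appear, so with several markers the `Parameters.Append` calls must follow the same order as the `?` in the text. The stored-procedure form has the added benefit that the account the page connects with can be granted EXECUTE on the procedure and nothing on the table itself.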
 

S N

How about using the following function in the code to prevent SQL injection.

' AppendSecurityLog is assumed to be defined elsewhere in the application
' (it is not part of this post).
Private Function SQLInjectionBlock(ByVal blnLogBadRequest, ByVal strBuffer, _
                                   ByVal enmStrength)
    Dim blnAlreadyLogged
    Dim arrExtended
    Dim arrCommon
    Dim lngID

    blnAlreadyLogged = False

    '--Make sure we have a valid buffer before working with it
    If Trim(strBuffer) = "" Then
        SQLInjectionBlock = strBuffer
        Exit Function
    End If

    '--Setup the common array values (you can modify as needed)
    arrCommon = Array("'", """", ";", "*", ",", "--", "(", ")", "=")

    '--Setup the extended array values (you can modify as needed, I just setup a few)
    '--
    '--Please note that the high strength could have undesired effects.
    '--If someone has a dog named "Thor" and they use that as a username then
    '--it will be stripped to "Th" so be careful.
    '--
    arrExtended = Array("SELECT", "FROM", "WHERE", "AND", "OR")

    '--Clear any and all instances of the buffer that match the common array
    '--(matching is case-insensitive so "select" is treated like "SELECT")
    For lngID = LBound(arrCommon) To UBound(arrCommon)
        '--If we are logging this and it has not already been logged and the
        '--buffer contains a match then log it
        If blnLogBadRequest And Not blnAlreadyLogged And _
           InStr(1, strBuffer, arrCommon(lngID), vbTextCompare) > 0 Then
            Call AppendSecurityLog("SQL Injection - (" & strBuffer & ")")
            blnAlreadyLogged = True
        End If
        strBuffer = Replace(strBuffer, arrCommon(lngID), "", 1, -1, vbTextCompare)
    Next

    '--If the extra strength is requested, then process the extended array too
    If enmStrength > 0 Then
        '--Clear any and all instances of the buffer that match the extended array
        For lngID = LBound(arrExtended) To UBound(arrExtended)
            '--If we are logging this and it has not already been logged and the
            '--buffer contains a match then log it
            If blnLogBadRequest And Not blnAlreadyLogged And _
               InStr(1, strBuffer, arrExtended(lngID), vbTextCompare) > 0 Then
                Call AppendSecurityLog("SQL Injection - (" & strBuffer & ")")
                blnAlreadyLogged = True
            End If
            strBuffer = Replace(strBuffer, arrExtended(lngID), "", 1, -1, vbTextCompare)
        Next
    End If

    '--Return the modified buffer
    SQLInjectionBlock = strBuffer

    '--Clear the resources used by the arrays
    Erase arrCommon
    Erase arrExtended
End Function
 

Bob Barrows

S said:
How about using the following function in the code to prevent SQL
injection.
<snip of a typical filter function>

It might help against a less-determined hacker*, but the only way to
absolutely prevent sql injection is to stop using dynamic sql. Without
dynamic sql, injecting unwanted sql is almost impossible. Secondary sql
injection is still possible, so you do have to be careful with values
retrieved from a database that were entered via user input. No data entered
by users should be trusted.

I really cannot understand this love affair that people have with dynamic
sql, when it is so easy to use parameters. Dynamic sql is hard! Having to
deal with delimiters, quotes in the data, etc. ... it's no wonder that
dynamic sql questions were so common in these groups up to a few years ago.
Using parameters does away with all those issues. It amazes me that this is
not the tool of first resort when teaching beginners how to program with
databases.

There is only one situation where dynamic sql is necessary, and that is
where database objects (table or column names) referred to in a sql
statement need to be variable. In that situation, it is possible to prevent
sql injection by validating the data passed from the user contains nothing
more than the expected object names.


* and if you read the comments in the function you will see that it might
prevent the entry of innocent data.
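The one case Bob allows for, a user-chosen table or column name that cannot be passed as a parameter, handled the way he describes: the requested name is accepted only if it is exactly one of the names the page expects, and the search value itself still goes through a parameter. This is an added example, not code from the thread; cnn is an open ADODB.Connection and the table Products(ProductName, Price) is hypothetical.

```vbscript
<%
' Added example: dynamic SQL limited to a validated object name.
' Assumes: cnn is an open ADODB.Connection to SQL Server;
' Products(ProductName, Price) is a hypothetical table.

Const adCmdText    = 1
Const adParamInput = 1
Const adVarWChar   = 202

' Returns strRequested only when it exactly matches one entry of arrAllowed
' (case-insensitive); otherwise returns strDefault. The returned value is
' always our own spelling from the list, never the user's string, so nothing
' the user typed can reach the statement text.
Function SafeObjectName(strRequested, arrAllowed, strDefault)
    Dim i
    SafeObjectName = strDefault
    For i = LBound(arrAllowed) To UBound(arrAllowed)
        If StrComp(strRequested, arrAllowed(i), vbTextCompare) = 0 Then
            SafeObjectName = arrAllowed(i)
            Exit Function
        End If
    Next
End Function

' Search with a caller-selected sort column. Only the validated column name
' is concatenated; the search term is bound as a parameter as before.
Function SearchProductsSorted(cnn, strTerm, strSortRequested)
    Dim cmd, strSortCol
    strSortCol = SafeObjectName(strSortRequested, _
                                Array("ProductName", "Price"), "ProductName")
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cnn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT ProductName, Price FROM Products " & _
                      "WHERE ProductName LIKE ? ORDER BY [" & strSortCol & "]"
    cmd.Parameters.Append cmd.CreateParameter("@term", adVarWChar, _
                          adParamInput, 100, "%" & strTerm & "%")
    Set SearchProductsSorted = cmd.Execute
End Function

' Usage: an unexpected "sort" value silently falls back to ProductName
' rather than being inserted into the statement.
Dim rs
Set rs = SearchProductsSorted(cnn, Request.QueryString("q"), _
                              Request.QueryString("sort"))
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("ProductName")) & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```

The allowlist is the whole defence here: there is no escaping or character stripping, so the comparison must be exact-match against a fixed list, never a "contains" check or a pattern.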
 
