SQL Injection

Dec 14 at 7:28am - admin

Recently there has been a rash of SQL injection attempts by thugs who honestly have nothing better to do with their time. In the first snippet, the code writer wanted the attempt to appear as if it had simply worked, and then moved on. In the second, the writers actually used a Response.Write warning. The writers of the second snippet clearly have a more targeted list of patterns, one that is more focused on current attacks. We offer these code snippets, which work, and have offered them to others to save time.

'Function IllegalChars to guard against SQL injection
'Returns True if sInput contains any blocked character or keyword, otherwise False
Function IllegalChars(sInput)
    'Declare variables
    Dim sBadChars, iCounter
    'Set IllegalChars to False
    IllegalChars = False
    'Create an array of illegal characters and words
    sBadChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_", _
        "#", "%", "&", "'", "(", ")", "/", "\", ":", "<", ">", "=", "[", "]", "?", "`", "|")
    'Loop through array sBadChars using our counter & UBound function
    For iCounter = 0 To UBound(sBadChars)
        'Use Function InStr to check presence of illegal character in our variable
        '(vbTextCompare makes the match case-insensitive, so "SELECT" is caught as well as "select")
        If InStr(1, sInput, sBadChars(iCounter), vbTextCompare) > 0 Then
            IllegalChars = True
            Exit For
        End If
    Next
End Function

(Author: Aalia Wayfare)

In example 2:

I put this function in place on every public page...

array_split_item = Array("-", ";", "/*", "*/", "@@", "@", "char", "nchar", "varchar", "nvarchar", "alter", "begin", "cast", "create", "cursor", "declare", "delete", "drop", "end", "exec", "execute", "fetch", "insert", "kill", "open", "select", "sys", "sysobjects", "syscolumns", "table", "update", "<script", "/script>", "'")

for each item in Request.QueryString
   for array_counter = lbound(array_split_item) to ubound(array_split_item)
      ' lcase() makes the comparison case-insensitive
      item_position1 = InStr(lcase(Request.QueryString(item)), array_split_item(array_counter))
      if item_position1 > 0 then
         Response.Write("Command cannot be executed.")
         ' Stop processing so the rest of the page never runs with the rejected input
         Response.End
      end if
   next
next

(Authors: Nick Jensen & Steve Kluskens)
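Both snippets above filter the Request.QueryString text before it reaches the database. As an added example, not code from the post or from either set of authors, here is the same query-string value handled in classic ASP with an ADODB parameterized query, so the database never interprets the user's input as SQL text; the connection string, table name and column names are hypothetical placeholders.

```vbscript
<%
' Added example (not from the original post or its authors): a classic ASP
' page that binds the query-string value as an ADODB parameter instead of
' concatenating it into the SQL statement. Connection string, table and
' column names are hypothetical placeholders.
Option Explicit
Const adCmdText = 1          ' ADODB constants (values from the ADO type library)
Const adVarChar = 200
Const adParamInput = 1

' Looks up a display name by user name; returns "" when no row matches.
Function LookupUser(sConnString, sUserName)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open sConnString

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder is bound below. Quotes, comment markers or keywords
    ' in sUserName stay inside the parameter value and cannot alter the statement.
    cmd.CommandText = "SELECT UserID, DisplayName FROM Users WHERE UserName = ?"
    ' Left() keeps the value within the declared parameter size (50 characters).
    cmd.Parameters.Append cmd.CreateParameter("UserName", adVarChar, adParamInput, 50, Left(sUserName, 50))

    Set rs = cmd.Execute
    If rs.EOF Then
        LookupUser = ""
    Else
        LookupUser = rs("DisplayName")
    End If
    rs.Close
    conn.Close
End Function

Dim sName
sName = Request.QueryString("user")
If Len(sName) = 0 Then
    Response.Write("No user supplied.")
Else
    ' HTMLEncode the result so database content is not rendered as markup.
    Response.Write(Server.HTMLEncode(LookupUser("REPLACE_WITH_CONNECTION_STRING", sName)))
End If
%>
```

The keyword filters above can still be kept in front of this as a first check; the parameter binding is what keeps the query intact when an input slips past them.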