Protection against SQL Injection Attack

sashi
Hi everyone,

Below is a simple function that will give you some protection against an SQL Injection attempt.

What is SQL injection?
SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of variables embedded in SQL statements. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

```vbscript
'Function IllegalChars to guard against SQL injection
Function IllegalChars(sInput)
    'Declare variables
    Dim sBadChars, iCounter
    'Set IllegalChars to False
    IllegalChars = False
    'Create an array of illegal characters and words
    sBadChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_", _
        "#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "|")
    'Loop through array sBadChars using our counter & UBound function
    For iCounter = 0 To UBound(sBadChars)
        'Use InStr with vbTextCompare so the keyword check is case-insensitive
        '(the default binary compare would not match "SELECT" or "Drop")
        If InStr(1, sInput, sBadChars(iCounter), vbTextCompare) > 0 Then
            IllegalChars = True
            'One hit is enough; no need to scan the rest of the list
            Exit For
        End If
    Next
End Function
```
Sample usage:

```vbscript
<%
'Declare variables
Dim sUsername, sPassword
'Retrieve our form textbox values and assign to variables
sUsername = Request.Form("txtUsername")
sPassword = Request.Form("txtPassword")

'Call the function IllegalChars to check for illegal characters
If IllegalChars(sUsername) = True Or IllegalChars(sPassword) = True Then
    Response.Redirect("no_access.asp")
End If
%>
```
Jul 19 '06 #1
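Added example, not code from sashi's post or from anyone else in this thread: a Python port of the blacklist above, run side by side with the two query styles the post's definition of SQL injection is really about, against an in-memory SQLite table with constructed sample rows. The function names (`illegal_chars`, `login_concat`, `login_param`, `compare`), the `users` table and its two rows are my own assumptions; the duplicated ";" from the original list is dropped. It shows why a character blacklist is a poor substitute for parameterised queries: a legitimate name such as O'Brien is rejected by the blacklist, breaks the concatenated statement outright, and is handled correctly only by the parameterised version.

```python
# Added example (not code from the thread). Compares the post's blacklist
# check with string-concatenated and parameterised SQL, using an in-memory
# SQLite database and constructed sample rows.
import sqlite3

# Port of the post's IllegalChars list (";" listed once).
BAD_TOKENS = ("select", "drop", ";", "--", "insert", "delete", "xp_",
              "#", "%", "&", "'", "(", ")", "/", "\\", ":", "<", ">", "=",
              "[", "]", "?", "`", "|")


def illegal_chars(s):
    """True if any blacklisted token occurs in s. Compared case-insensitively,
    which is what a text-compare InStr does in the VBScript version."""
    lowered = s.lower()
    return any(tok in lowered for tok in BAD_TOKENS)


def make_db():
    """Constructed sample data: two users, one with an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "pw1"), ("O'Brien", "pw2")])
    return conn


def login_concat(conn, username, password):
    """The pattern the post's definition warns about: form values pasted
    straight into the SQL text, so the database parses them as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """Parameterised form: the driver passes the values separately from the
    SQL text, so no character in them can change the statement's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run one (username, password) pair through all three approaches."""
    conn = make_db()
    out = {"blacklist_rejects": illegal_chars(username) or illegal_chars(password)}
    try:
        out["concat"] = "ok" if login_concat(conn, username, password) else "denied"
    except sqlite3.Error:
        out["concat"] = "sql error"  # the value broke the statement's syntax
    out["param"] = "ok" if login_param(conn, username, password) else "denied"
    conn.close()
    return out


if __name__ == "__main__":
    # A real user whose name contains an apostrophe: the blacklist turns them
    # away, the concatenated query fails to parse, the parameterised one works.
    print("O'Brien :", compare("O'Brien", "pw2"))
    # A harmless name containing "drop" as a substring: blacklist false positive.
    print("raindrop:", compare("raindrop", "x"))
    print("alice   :", compare("alice", "pw1"))
```

Run it directly and the printout shows, per input, which approach accepts it. The blacklist also has to be kept in sync with every keyword and operator the database understands, whereas the parameterised query needs no such list at all.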
vladnz
Could you please be more detailed? I mean, just write PHP code, please?
Jun 18 '07 #2
tombowers
Here's a very light ASP function to help protect against these attacks.

ASP sql injection prevention
Aug 7 '08 #3