ASP
Here you can find some free, useful Classic ASP / VBScript code snippets, class modules, etc.
Procedure ScanVar (String)
Scan a variable for SQL Injection attempts.
Example
You should always call this when a variable taken from user input is used in a SQL query.

<%
Dim id, cn
id = Request.Form("id")
ScanVar id   ' if a SQL injection is attempted, code execution stops here
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "Your Connection String"
cn.Execute "SELECT * FROM MY_DB WHERE ID='" & id & "'"
cn.Close
Set cn = Nothing
%>

Source Code

<%
Sub ScanVar(ByVal s)
    Dim p, flg
    ' Only values that contain a statement separator are inspected.
    p = InStr(s, ";")
    If p > 0 Then
        flg = True
        ' Normalise: uppercase and strip spaces, so "DECLARE @x" becomes "DECLARE@X".
        s = UCase(Replace(s, " ", ""))
        ' Stripping spaces shifts positions, so locate the separator again
        ' before searching from it.
        p = InStr(s, ";")
        ' Keywords are matched without trailing spaces because all spaces
        ' were removed above; a keyword followed by a space would never match.
        If InStr(p, s, "EXEC(") > 0 Then
        ElseIf InStr(p, s, "DECLARE@") > 0 Then
        ElseIf InStr(p, s, "SELECT") > 0 Then
        ElseIf InStr(p, s, "DELETE") > 0 Then
        ElseIf InStr(p, s, "UPDATE") > 0 Then
        ElseIf InStr(p, s, "DROP") > 0 Then
        ElseIf InStr(p, s, "TRUNCATE") = 0 Then
            ' None of the listed keywords follows the separator: not flagged.
            flg = False
        End If
        If flg Then
            ' do whatever you want here. I find that an immediate code break
            ' without any kind of response is the best way to handle this.
            Response.End
        End If
    End If
End Sub
%>
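ScanVar is a keyword filter: it only catches the patterns it lists, and only when a semicolon is present. The lookup from the Example above can instead be written with a parameterized ADODB.Command, which sends the value of id separately from the SQL text so no concatenation or quoting is involved. This is an added example, not code from the original page; "Your Connection String", MY_DB and ID come from the page, while the column type and size (adVarChar, 50) and the function name LookupById are assumptions.

```vbscript
<%
' Added example: parameterized version of the page's lookup.
' Column type/size are assumed; adjust them to the real schema of MY_DB.ID.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Function LookupById(connStr, id)
    Dim cn, cmd, rs, rows
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open connStr

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    ' The ? placeholder is bound below; the driver transmits the value
    ' separately from the statement, so the content of id cannot alter the query.
    cmd.CommandText = "SELECT * FROM MY_DB WHERE ID = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adVarChar, adParamInput, 50, id)

    Set rs = cmd.Execute
    If Not rs.EOF Then
        rows = rs.GetRows()   ' 2-D array indexed as rows(column, row)
    End If
    rs.Close
    cn.Close
    Set cmd = Nothing
    Set cn = Nothing
    LookupById = rows      ' Empty when no row matched
End Function

Dim id, result
id = Request.Form("id")
result = LookupById("Your Connection String", id)
If IsArray(result) Then
    Response.Write "Matched " & (UBound(result, 2) + 1) & " row(s)"
Else
    Response.Write "No match"
End If
%>
```

The same CreateParameter call works for numeric columns by switching the type constant (for example adInteger = 3) and passing the converted value.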