Snitz Forums 2000
 General ANti SQL Injection measures?

TOPIC REVIEW
kyodai Posted - 24 January 2010 : 11:43:11
Hi folks,

just working on an online RPG that is integrated into my forums.

I noticed that the usual method of grabbing strings or integers, like this:

if Request.QueryString("moveloc") <> "" then
	myMoveloc = Request.QueryString("moveloc")
end if
strSql = "SELECT K

is terribly vulnerable to SQL injection if you add something like
1';DROP TABLE users; SELECT * FROM data WHERE 't' = 't
to the place in the URL where the location number usually goes (yeah, I know that isn't syntactically correct, but you get what I mean).

So I filter for that with something like

if instr(myMoveloc, "'") then
	myMoveloc = ""
end if

But I think that ' isn't the only character that can be used for SQL injection (probably some URL escape characters or so should be filtered as well). How can I filter out all of them?

Edit: OK, I now filter out ' ; = " and *, as I feel these should not normally appear in a value that can only hold integers. Should I also add SQL commands like "SELECT", "DROP", "UPDATE" and so on to be sure?

if Request.QueryString("moveloc") <> "" then
	'pipe it into myMoveloc
	'we move
	myMoveloc = Request.QueryString("moveloc")
	if instr(myMoveloc, "'") then
		myMoveloc = ""
	end if
	if instr(myMoveloc, ";") then
		myMoveloc = ""
	end if
	if instr(myMoveloc, """") then
		myMoveloc = ""
	end if
	if instr(myMoveloc, "*") then
		myMoveloc = ""
	end if
	if instr(myMoveloc, "=") then
		myMoveloc = ""
	end if

	strSql = "SELECT
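The following is an added example, not code from the poster or from the Snitz project. It models the denylist filter from the post above in Python against an in-memory SQLite table so it can be run anywhere, and puts it beside the approach a practitioner would use for a value that can only ever be an integer: accept only a plain decimal number in range, then pass it as a bound parameter instead of concatenating it into the SQL text. The `locations` table, its rows, the `MAX_LOCATION` bound and the payload are all constructed for the demonstration. It also shows why the denylist alone is not enough: `1 OR 2 > 1` contains none of `' ; " * =`, so the filter lets it through, and the concatenated query returns every row.

```python
import re
import sqlite3

# The characters the posted VBScript blanks the value for.
DENYLIST = ["'", ";", '"', "*", "="]
# Assumed upper bound on location ids for the game (hypothetical; set your own).
MAX_LOCATION = 9999


def denylist_filter(moveloc):
    """Mirror of the posted filter: return "" if any denied character is present."""
    return "" if any(ch in moveloc for ch in DENYLIST) else moveloc


def vulnerable_query(conn, moveloc):
    """The posted approach: denylist, then concatenate the value into the SQL text.

    Kept deliberately vulnerable to show what the denylist misses.
    """
    filtered = denylist_filter(moveloc)
    if filtered == "":
        return []
    sql = "SELECT id, name FROM locations WHERE id = " + filtered
    return conn.execute(sql).fetchall()


def parse_moveloc(moveloc):
    """Positive validation: only a plain decimal integer in range is accepted.

    Anything else (letters, spaces, signs, operators, SQL keywords) is rejected
    without needing a list of bad characters or bad words.
    """
    if not re.fullmatch(r"[0-9]{1,9}", moveloc):
        return None
    value = int(moveloc)
    if not 1 <= value <= MAX_LOCATION:
        return None
    return value


def safe_query(conn, moveloc):
    """Validated integer bound as a parameter; the value never touches the SQL text."""
    loc_id = parse_moveloc(moveloc)
    if loc_id is None:
        return []
    return conn.execute(
        "SELECT id, name FROM locations WHERE id = ?", (loc_id,)
    ).fetchall()


def make_db():
    """Constructed in-memory sample table (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE locations (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO locations VALUES (?, ?)",
        [(1, "Town"), (2, "Forest"), (3, "Dungeon")],
    )
    return conn


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 2 > 1"  # none of ' ; " * = appear, so the denylist passes it
    print("denylist + concat:", vulnerable_query(db, payload))  # all three rows
    print("validate + bind:  ", safe_query(db, payload))        # []
    print("legitimate value: ", safe_query(db, "2"))            # [(2, 'Forest')]
```

Two things this illustrates for the questions in the post. Request.QueryString already URL-decodes the value, so `%27` arrives as `'` and the existing `instr` check does see it; the gap is not in the decoding but in the fact that a denylist can only block what you thought of, and a keyword list has the same problem. For a parameter that is only ever a location number, the check that closes the whole class is "is this a digit string in my range", and in classic ASP the same shape is a digit-by-digit check followed by `CLng`, with the result bound through an ADODB.Command parameter rather than concatenated into `strSql`.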
2 LATEST REPLIES (Newest First)
kyodai Posted - 24 January 2010 : 12:29:02
Whoa, thanks for posting, this is the best solution ever. =)
HuwR Posted - 24 January 2010 : 12:03:23
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx
