Snitz Forums 2000
 Most efficient SQL input function
Astralis
Posted - 14 January 2005 : 03:06:23
Would anyone share their preferred SQL input function?

Please make sure it includes code that checks for SQL injection.

This is the one I'm thinking of using. Do you think it's complete?

Private Function formatSQLInput(ByVal strInputEntry)

	' Encode or strip characters that can change the meaning of HTML or SQL.
	' The replacements are HTML entities (leading ampersand included), so the
	' stored text still renders as the original characters in a page.
	strInputEntry = Replace(strInputEntry, "<", "&lt;")
	strInputEntry = Replace(strInputEntry, ">", "&gt;")
	strInputEntry = Replace(strInputEntry, """", "", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "=", "&#061;", 1, -1, vbTextCompare)
	' Double single quotes so the value cannot close a quoted SQL literal.
	strInputEntry = Replace(strInputEntry, "'", "''", 1, -1, vbTextCompare)

	' Break up SQL keywords by entity-encoding one letter of each;
	' vbTextCompare makes the match case-insensitive.
	strInputEntry = Replace(strInputEntry, "select", "sel&#101;ct", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "join", "jo&#105;n", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "union", "un&#105;on", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "where", "wh&#101;re", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "insert", "ins&#101;rt", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "delete", "del&#101;te", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "update", "up&#100;ate", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "like", "lik&#101;", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "drop", "dro&#112;", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "create", "cr&#101;ate", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "modify", "mod&#105;fy", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "rename", "ren&#097;me", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "alter", "alt&#101;r", 1, -1, vbTextCompare)
	strInputEntry = Replace(strInputEntry, "cast", "ca&#115;t", 1, -1, vbTextCompare)

	' Return the filtered value
	formatSQLInput = strInputEntry
End Function

Edited by - Astralis on 14 January 2005 03:06:54
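As an added example that is not part of the original post, here is the function above ported to Python and run against an in-memory SQLite table, so the filter's behaviour can be checked rather than guessed at. The `members` table, its columns and the `lookup_*` helpers are assumptions made for the demonstration, and the sample inputs are constructed. It shows the two things a reviewer would flag: in an unquoted numeric position the filter can be passed with an input containing nothing it looks for, and the keyword rewriting changes ordinary text that happens to contain "like", "alter" or "cast".

```python
import re
import sqlite3

# Substitutions from the posted formatSQLInput(), in the same order.
_KEYWORDS = [
    ("select", "sel&#101;ct"), ("join", "jo&#105;n"), ("union", "un&#105;on"),
    ("where", "wh&#101;re"), ("insert", "ins&#101;rt"), ("delete", "del&#101;te"),
    ("update", "up&#100;ate"), ("like", "lik&#101;"), ("drop", "dro&#112;"),
    ("create", "cr&#101;ate"), ("modify", "mod&#105;fy"), ("rename", "ren&#097;me"),
    ("alter", "alt&#101;r"), ("cast", "ca&#115;t"),
]


def format_sql_input(value: str) -> str:
    """Python port of formatSQLInput(): encode < > =, drop double quotes,
    double single quotes, then entity-encode one letter of each listed
    keyword (case-insensitive, like Replace(..., vbTextCompare))."""
    value = value.replace("<", "&lt;").replace(">", "&gt;")
    value = value.replace('"', "").replace("=", "&#061;").replace("'", "''")
    for word, broken in _KEYWORDS:
        value = re.sub(re.escape(word), broken, value, flags=re.IGNORECASE)
    return value


def make_db() -> sqlite3.Connection:
    """Constructed sample table (assumption: an integer id and a text name)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_by_id(conn: sqlite3.Connection, raw_id: str) -> list:
    """Numeric column: the filtered value is concatenated unquoted, as an
    ASP page doing "... WHERE id = " & formatSQLInput(Request("id")) would."""
    sql = ("SELECT id, name FROM members WHERE id = "
           + format_sql_input(raw_id) + " ORDER BY id")
    return conn.execute(sql).fetchall()


def lookup_by_name(conn: sqlite3.Connection, raw_name: str) -> list:
    """Text column: the filtered value sits inside single quotes."""
    sql = ("SELECT id, name FROM members WHERE name = '"
           + format_sql_input(raw_name) + "' ORDER BY id")
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Quoted context: the doubled quote keeps the payload inside the literal.
    print(lookup_by_name(conn, "' OR 1 --"))   # []
    # Unquoted numeric context: no quote, no "=" and no listed keyword are
    # needed, so "0 OR 1" passes the filter untouched and every row comes back.
    print(lookup_by_id(conn, "0 OR 1"))        # [(1, 'alice'), (2, 'bob'), (3, 'carol')]
    # Ordinary text is rewritten too: "like", "alter" and "cast" are matched
    # inside longer words, so the stored value no longer equals the input.
    print(format_sql_input("I'd like an alternative broadcast"))
    # I''d lik&#101; an alt&#101;rnative broadca&#115;t
```

The entity form is what reaches the database: a browser renders `up&#100;ate` as "update", but the column no longer contains the word, so a later search for it will miss. The quote doubling on its own is what protects the quoted lookup; the keyword list adds nothing there and does nothing for the unquoted one.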

Astralis
Posted - 15 January 2005 : 00:12:46
Anyone?

Hamlin
Posted - 15 January 2005 : 06:17:01
I just check for '. Don't worry about anything else.

Astralis
Posted - 15 January 2005 : 17:58:33
Why?

pweighill
Posted - 16 January 2005 : 03:48:12
Two functions:

' Escape a value for use inside a single-quoted SQL string literal.
Function SQLString(pstrData)
    SQLString = Replace(pstrData, "'", "''")
End Function

' Coerce a value for use in an unquoted numeric position: return the
' longest numeric prefix as a Double, or 0 when there is none.
Function SQLNumber(pstrData)
    Dim intLoop

    For intLoop = Len(pstrData) To 0 Step -1
        If intLoop = 0 Then
            ' Nothing numeric found (this also covers empty input)
            SQLNumber = 0
            Exit Function
        End If
        If IsNumeric(Left(pstrData, intLoop)) Then
            SQLNumber = CDbl(Left(pstrData, intLoop))
            Exit Function
        End If
    Next
End Function
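As an added example, not code from the thread, the two functions above ported to Python and run against an in-memory SQLite table. `IsNumeric()` is approximated with a regular expression (sign, digits, optional fraction and exponent, surrounding whitespace; the currency and `&H` forms it also accepts are left out), and the `members` table, its columns and the `lookup_*` helpers are assumptions for the demonstration. It also makes the point behind Hamlin's reply concrete: doubling the single quote protects a quoted string literal, and an unquoted numeric position is covered only because SQLNumber() reduces the input to a number first. The last helper runs the same query with a bound parameter, which removes the need for either function where the data access layer supports it.

```python
import re
import sqlite3


def sql_string(value: str) -> str:
    """Port of SQLString(): double every single quote for use inside '...'."""
    return value.replace("'", "''")


# Approximation of VBScript IsNumeric() (assumption of this port): optional
# sign, digits, optional fraction and exponent, surrounding whitespace.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$")


def sql_number(value: str) -> float:
    """Port of SQLNumber(): longest numeric prefix as a float, else 0."""
    for n in range(len(value), 0, -1):
        prefix = value[:n]
        if _NUMERIC.match(prefix):
            return float(prefix)
    return 0.0


def number_literal(n: float) -> str:
    """Render the number the way CStr() on a Double does in an en-US
    locale: 2.0 -> "2", 1000.0 -> "1000", 1.5 -> "1.5"."""
    return f"{n:.15g}"


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "o'neil")])
    return conn


def lookup_by_id(conn: sqlite3.Connection, raw_id: str) -> list:
    """Numeric column: coerce with sql_number() before concatenating."""
    sql = ("SELECT id, name FROM members WHERE id = "
           + number_literal(sql_number(raw_id)) + " ORDER BY id")
    return conn.execute(sql).fetchall()


def lookup_by_name(conn: sqlite3.Connection, raw_name: str) -> list:
    """Text column: escape with sql_string() and wrap in single quotes."""
    sql = ("SELECT id, name FROM members WHERE name = '"
           + sql_string(raw_name) + "' ORDER BY id")
    return conn.execute(sql).fetchall()


def lookup_by_name_param(conn: sqlite3.Connection, raw_name: str) -> list:
    """Same query with a bound parameter: no escaping function involved."""
    return conn.execute(
        "SELECT id, name FROM members WHERE name = ? ORDER BY id",
        (raw_name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(sql_number("0 OR 1"))                    # 0.0: the "0 " prefix wins
    print(sql_number("2abc"), sql_number("1e3"))   # 2.0 1000.0
    print(lookup_by_id(conn, "0 OR 1"))            # []
    print(lookup_by_id(conn, "2abc"))              # [(2, 'bob')]
    print(lookup_by_name(conn, "o'neil"))          # [(3, "o'neil")]
    print(lookup_by_name(conn, "' OR 1 --"))       # []
    print(lookup_by_name_param(conn, "' OR 1 --")) # []
```

Two things to watch when using SQLNumber() as posted: it returns a Double, so integer keys above 2^53 lose precision on the way through, and the implicit Double-to-string conversion in classic ASP follows the session locale, so a fractional result can be concatenated with a decimal comma. The port's `number_literal()` pins the format; the parameterised form sidesteps both problems.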
Snitz Forums 2000 © 2000-2021 Snitz™ Communications