Snitz Forums 2000
General Anti SQL Injection measures?
kyodai
New Member

Azerbaijan
74 Posts

Posted - 24 January 2010 : 11:43:11
Hi folks,

just working on an online RPG that is integrated into my forums.

I noticed the usual method to grasp strings or integers like this

if Request.QueryString("moveloc") <> "" then
	myMoveloc = Request.QueryString("moveloc")
end if
strSql = "SELECT K


is terribly vulnerable to SQL injection if you add something like
1';DROP TABLE users; SELECT * FROM data WHERE 't' = 't
to the place where the location number usually is in the URL (yeah, I know that isn't syntactically correct, but you get what I mean).

So I filter for that with something like

if instr(myMoveloc, "'") then
	myMoveloc = ""
end if

But I think that ' isn't the only character that can be used for SQL injection (probably some URL escape characters or so should be filtered as well). How can I filter out all of them?

Edit: OK, I now filter out ' ; = " and * as I feel these should not appear normally in a value that can only hold integers. Should I also add SQL commands like "SELECT", "DROP", "UPDATE" and so on to be sure???

if Request.QueryString("moveloc") <> "" then
	'pipe it into myMoveloc
	'we move
	myMoveloc = Request.QueryString("moveloc")
	if instr(myMoveloc, "'") then
		myMoveloc = ""
	end if
	if instr(myMoveloc, ";") then
		myMoveloc = ""
	end if
	if instr(myMoveloc, """") then
		myMoveloc = ""
	end if
	if instr(myMoveloc, "*") then
		myMoveloc = ""
	end if
	if instr(myMoveloc, "=") then
		myMoveloc = ""
	end if

	strSql = "SELECT

Edited by - kyodai on 24 January 2010 11:52:23
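The safer alternative to filtering characters, as an added example that is not code from the thread or from Snitz Forums: accept moveloc only if it is a plain integer, then bind it as a query parameter so the database never parses it as SQL text. The open connection object objConn and a locations table with loc_id and loc_name columns are assumptions made for illustration.

```vbscript
' Added example, not from the thread: treat "moveloc" as a number and hand it
' to the database as a bound parameter, so no character blocklist is needed.
' Assumed for illustration: an open ADODB.Connection named objConn, and a table
' "locations" with an integer column loc_id and a text column loc_name.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' True only if s is a plain decimal integer with an optional leading minus.
' IsNumeric alone is too loose here: it also accepts forms such as "1e3" or
' " 5 ", which are not what a location number should look like.
Function IsStrictInteger(s)
    Dim i, start, digits
    IsStrictInteger = False
    start = 1
    If Left(s, 1) = "-" Then start = 2
    digits = Len(s) - start + 1
    ' At least one digit; at most nine so CLng can never overflow a Long.
    If digits < 1 Or digits > 9 Then Exit Function
    For i = start To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    IsStrictInteger = True
End Function

Dim rawMoveloc, myMoveloc, cmd, rs
rawMoveloc = Request.QueryString("moveloc")

If Not IsStrictInteger(rawMoveloc) Then
    ' Reject bad input outright instead of trying to "clean" it.
    Response.Status = "400 Bad Request"
    Response.Write "Invalid location."
    Response.End
End If

myMoveloc = CLng(rawMoveloc)

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objConn
cmd.CommandType = adCmdText
' The ? placeholder is filled in by the driver; the value is sent as data,
' never spliced into the SQL string, so quotes or keywords in it are harmless.
cmd.CommandText = "SELECT loc_id, loc_name FROM locations WHERE loc_id = ?"
cmd.Parameters.Append cmd.CreateParameter("moveloc", adInteger, adParamInput, , myMoveloc)
Set rs = cmd.Execute

If Not rs.EOF Then Response.Write Server.HTMLEncode(rs("loc_name").Value)
rs.Close
Set rs = Nothing
Set cmd = Nothing
```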

HuwR
Forum Admin

United Kingdom
20611 Posts

Posted - 24 January 2010 : 12:03:23
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

kyodai
New Member

Azerbaijan
74 Posts

Posted - 24 January 2010 : 12:29:02
Whoa, thanks for posting, this is the best solution ever. =)