General Anti SQL Injection measures? - Posted (1377 Views)
New Member
kyodai
Posts: 74
Hi folks,

Just working on an online RPG that is integrated into my forums.
I noticed the usual method to grasp strings or integers, like this:

Code:
If Request.QueryString("moveloc") <> "" Then
    ' raw query-string value, copied without any validation
    myMoveloc = Request.QueryString("moveloc")
End If
strSql = "SELECT K

is terribly vulnerable to SQL injection if you add something like
Code:
1';DROP TABLE users; SELECT * FROM data WHERE 't' = 't
to the place where the location number usually is in the URL (yeah, I know that isn't syntactically correct, but you get what I mean).
So I filter for that with something like

Code:
' blank the value if it contains a single quote
If InStr(myMoveloc, "'") Then
    myMoveloc = ""
End If


But I think that ' isn't the only character that can be used for SQL injection (probably some URL escape characters or so should be filtered as well). How can I filter out all of them?

Edit: OK, I now filter out ' ; = " and * as I feel these should not appear normally in a value that can only hold integers. Should I also add SQL commands like "SELECT", "DROP", "UPDATE" and so on to be sure???

Code:

If Request.QueryString("moveloc") <> "" Then
    ' pipe it into myMoveloc
    ' we move
    myMoveloc = Request.QueryString("moveloc")
    ' blank the value if any blocklisted character appears: ' ; " * =
    If InStr(myMoveloc, "'") Then
        myMoveloc = ""
    End If
    If InStr(myMoveloc, ";") Then
        myMoveloc = ""
    End If
    If InStr(myMoveloc, """") Then
        myMoveloc = ""
    End If
    If InStr(myMoveloc, "*") Then
        myMoveloc = ""
    End If
    If InStr(myMoveloc, "=") Then
        myMoveloc = ""
    End If

    strSql = "SELECT
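Added example (not code from the thread, and not classic ASP): a Python/sqlite3 script that runs offline and shows why the character blocklist in the post is the wrong layer and what the fix looks like. The table and column names (`locations`, `id`, `name`) and the sample rows are constructed assumptions standing in for the RPG's schema, which the post does not show. It contrasts the post's string-concatenation pattern with (a) allow-list validation of an integer id and (b) a parameterised query, where the value is bound as data rather than parsed as SQL.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database; the schema is an assumption, not the poster's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE locations (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO locations (id, name) VALUES (1, 'Town'), (2, 'Forest'), (3, 'Cave');
    """)
    return conn


DB = make_db()

# The characters the post ends up stripping: ' ; " * =
BLOCKLIST = "';\"*="


def blocklist_filter(value):
    """The post's approach: blank the value if any listed character appears."""
    return "" if any(ch in value for ch in BLOCKLIST) else value


def lookup_concat(moveloc, conn=DB):
    """The vulnerable pattern from the post: the (possibly blocklist-filtered)
    value is spliced into the SQL text, so the database parses it as SQL."""
    sql = "SELECT name FROM locations WHERE id = " + moveloc
    return [row[0] for row in conn.execute(sql)]


# Allow-list: a location id is a plain decimal number of bounded length, nothing else.
LOCATION_ID = re.compile(r"[0-9]{1,6}")


def parse_location_id(value):
    """Return the id as an int, or None if the value is not shaped like an id."""
    if LOCATION_ID.fullmatch(value) is None:
        return None
    return int(value)


def lookup_param(moveloc, conn=DB):
    """Parameterised query: the driver binds the value as data, whatever it contains.
    A non-numeric string simply matches no integer id."""
    rows = conn.execute("SELECT name FROM locations WHERE id = ?", (moveloc,))
    return [row[0] for row in rows]


def handle_move(moveloc, conn=DB):
    """Both layers together: reject anything that is not an id, then bind the id."""
    loc_id = parse_location_id(moveloc)
    if loc_id is None:
        return None  # reject the request (log it, show an error page)
    names = lookup_param(loc_id, conn)
    return names[0] if names else None


if __name__ == "__main__":
    # "1 OR 1" contains none of the blocklisted characters, so the filter lets it
    # through, and the concatenated query then returns every location.
    survives = blocklist_filter("1 OR 1")
    print("blocklist lets through:", repr(survives))
    print("concatenated query returns:", lookup_concat(survives))
    print("parameterised query returns:", lookup_param(survives))
    print("validated handler returns:", handle_move(survives))
    print("validated handler, id 2:", handle_move("2"))
```

The point the script makes: a value such as `1 OR 1` passes the post's filter untouched, and the concatenated query returns all three rows instead of one, so adding more characters or SQL keywords to the blocklist never closes the gap. The parameterised query returns nothing for the same input because the value is compared as data. In classic ASP the equivalent of the `?` placeholder is an `ADODB.Command` with `CommandText` containing `?` and a parameter appended via `CreateParameter` with type `adInteger`; the allow-list check (`IsNumeric` plus a length or range check, then `CLng`) belongs in front of it as defence in depth, not as the sole control.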
Posted
Forum Admin
HuwR
Posts: 20611
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx
Posted
New Member
kyodai
Posts: 74
Whoa, thanks for posting, this is the best solution ever. =)