if Request.QueryString("moveloc") <> "" then
    myMoveloc = Request.QueryString("moveloc")
end if
strSql = "SELECT K
1';DROP TABLE users; SELECT * FROM data WHERE 't' = 't
to the place where there is usually the location number in the URL (Yeah I know that isn't syntactically correct, but you get what I mean).
if instr(myMoveloc, "'") then
    myMoveloc = ""
end if
But I think that ' isn't the only character that can be used for SQL injection (probably some URL escape characters or so should be filtered as well). How can I filter out all of them?
Edit: OK, I now filter out ' ; = " and * as I feel these should not appear normally in a value that can only hold integers. Should I also add SQL commands like "SELECT", "DROP", "UPDATE" and so on to be sure?
if Request.QueryString("moveloc") <> "" then
    'pipe it into myMoveloc
    'we move
    myMoveloc = Request.QueryString("moveloc")
    if instr(myMoveloc, "'") then
        myMoveloc = ""
    end if
    if instr(myMoveloc, ";") then
        myMoveloc = ""
    end if
    if instr(myMoveloc, """") then
        myMoveloc = ""
    end if
    if instr(myMoveloc, "*") then
        myMoveloc = ""
    end if
    if instr(myMoveloc, "=") then
        myMoveloc = ""
    end if
strSql = "SELECT
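One way to close the hole this question is about, as an added example that is not the asker's code: treat moveloc as an integer (accept digits only) and hand it to the database as a bound parameter of an ADODB.Command instead of concatenating it into strSql. The table and column names (Locations, LocationId) and the stored connection string Application("ConnString") are assumptions.

```vbscript
<%
' Added example, not the asker's code. Assumed: table Locations with
' integer column LocationId, connection string in Application("ConnString").
Option Explicit

Function ParseLocationId(rawValue)
    ' Returns the value as a Long, or -1 if it is not a plain positive integer.
    ' A per-character digit check is used rather than IsNumeric, because
    ' IsNumeric also accepts forms such as "1e5", "&HFF", "1.5" and " 1".
    Dim i, ch
    ParseLocationId = -1
    If Len(rawValue) = 0 Or Len(rawValue) > 9 Then Exit Function
    For i = 1 To Len(rawValue)
        ch = Mid(rawValue, i, 1)
        If ch < "0" Or ch > "9" Then Exit Function
    Next
    ParseLocationId = CLng(rawValue)   ' at most 9 digits, so CLng cannot overflow
End Function

Dim myMoveloc, conn, cmd, rs
myMoveloc = ParseLocationId(Request.QueryString("moveloc"))
If myMoveloc < 0 Then
    ' Reject anything that is not an integer; nothing reaches the database.
    Response.Status = "400 Bad Request"
    Response.Write "Invalid location"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                   ' adCmdText
cmd.CommandText = "SELECT * FROM Locations WHERE LocationId = ?"
' adInteger = 3, adParamInput = 1. The driver sends the value separately
' from the statement text, so the input can never alter the query itself.
cmd.Parameters.Append cmd.CreateParameter("loc", 3, 1, , myMoveloc)
Set rs = cmd.Execute
%>
```

With the value bound as a parameter, the list of characters and keywords to block no longer matters: the input is never part of the SQL statement text, and the digit check additionally rejects anything that is not a location number.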