Question : SQL Injection & Classic ASP

Hello Experts,

I've never thought about SQL Injections before, but it just came to my attention.

I did some research, and SQL injections seem fairly easy to use to hack into a DB. It's as simple as typing the following into a textbox:

abc'; DROP Table ; --

If this is true, then how can this be prevented? Will restricting '; together be sufficient, or is it more complex than that? I found the code below that supposedly prevents injections, but I can't tell what it's doing or how to use it.

Lastly, if injection restrictions are needed, are they only needed when I'm doing a SQL WHERE, or also for INSERT INTO, UPDATE, rs.AddNew, etc.?

Thank you.
<%

'Following functions prevent SQL Injections.

' Doubles every single quote so the value can be placed inside a quoted SQL
' string literal ('...') without closing it. Null and "" return "".
function validText(pStr)
	dim sTemp
	
	sTemp = ""
	if Not isNuLL(pStr) AND (pStr <> "") then
		sTemp = Replace(pStr, "'", "''")
	end if
	validText = sTemp
end function

' Runs the regular expression sPattern over sSearchString and returns the text
' of one match: iCase 0 or 1 returns the first match, iCase 2 the second.
' Returns 0 when the requested match does not exist. Despite the parameter
' name, iCase has nothing to do with letter case; matching is always
' case-sensitive because IgnoreCase is fixed to false.
Function ReturnValue(sPattern, sSearchString, iCase)

	Dim oRegEx, oMatches
	Set oRegEx = New RegExp

	oRegEx.Pattern = sPattern
	oRegEx.IgnoreCase = false
	oRegEx.Global = true

	Set oMatches = oRegEx.Execute(sSearchString)

	ReturnValue = 0
	If oMatches.Count >= 1 Then
		Select Case iCase
		Case 0, 1
			ReturnValue = oMatches(0).Value
		Case 2
			' second match, only if there is one
			If oMatches.Count >= 2 Then ReturnValue = oMatches(1).Value
		End Select
	End If

End Function

' True when every character of pValue is a digit 0-9: no sign, decimal point,
' spaces or exponent, unlike the built-in IsNumeric. Null is rejected. Note that
' an empty string passes (the loop never runs); IfNotNumeric checks "" itself.
function isReallyNumeric(pValue)
	dim bValidNumeric
	dim sTemp
	dim cTemp
	dim i
	
	if IsNull(pValue) then
		isReallyNumeric = false
		exit function
	end if

	bValidNumeric = true
	sTemp		  = CStr(pValue)
	
	for i = 1 to Len(sTemp)
		cTemp = Mid(sTemp, i, 1)
		
		if Asc(cTemp) < 48 or Asc(cTemp) > 57 then
			bValidNumeric = false
			exit for
		end if
	next

	isReallyNumeric = bValidNumeric
end function

' Returns pValue when it is a whole number (digits only), otherwise
' pDefaultValue. Use it for values that go into SQL unquoted, e.g. an ID in
' "WHERE id = " & IfNotNumeric(Request("id"), 0). The regex call extracts the
' run of digits, which after the isReallyNumeric check is the whole value.
function IfNotNumeric(pValue, pDefaultValue)
	dim sTemp
  
	sTemp = pValue
	if (pValue = "") OR (not isReallyNumeric(pValue)) then
		sTemp = pDefaultValue
	else
		sTemp = ReturnValue("\b[0-9]+\b", sTemp, 0)
	end if
  
	IfNotNumeric = sTemp
end function
%>

Answer : SQL Injection & Classic ASP

If you don't want to complicate things, simply add this function and call it with your Request. It will filter SQL injection commands and leave a SQL-friendly value.
' Removes a list of SQL keywords and punctuation characters from x and returns
' what is left. Replace is called with its default binary comparison, so it is
' case-sensitive: only the lowercase spellings "select", "drop", "insert",
' "delete" and "xp_" are removed. Characters such as the single quote and the
' semicolon are deleted rather than escaped, so "O'Brien" comes back as "OBrien".
Function Injection(x)
    x = Replace(x,"select","")
    x = Replace(x,"drop","")
    x = Replace(x,"--","")
    x = Replace(x,"insert","")
    x = Replace(x,"delete","")
    x = Replace(x,"xp_","")
    x = Replace(x,"*","")
    x = Replace(x,"#","")
    x = Replace(x,"%","")
    x = Replace(x,"&","")
    x = Replace(x,"'","")
    x = Replace(x,"(","")
    x = Replace(x,")","")
    x = Replace(x,"/","")
    x = Replace(x,"\","")
    x = Replace(x,":","")
    x = Replace(x,";","")
    x = Replace(x,"<","")
    x = Replace(x,">","")
    x = Replace(x,"=","")
    x = Replace(x,"[","")
    x = Replace(x,"]","")
    x = Replace(x,"?","")
    x = Replace(x,"`","")
    x = Replace(x,"|","")
    Injection = x
End Function
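As an added example (not code from the question or from the answer above): the lookup, insert and update the question asks about, written in Classic ASP with ADODB.Command parameters, so that user input reaches the database as a value and never becomes part of the SQL statement text, which is what the abc'; DROP TABLE payload relies on. Doubling quotes as validText does protects only a value that sits inside a quoted literal, and keyword removal as in Injection is case-sensitive as written and rewrites legitimate input such as O'Brien or 50%, so neither is a substitute for parameters. The table Customers, the columns CustomerID, Name and CreditLimit, the connection string in Application("ConnString") and the helper names NewCommand and ToLongOrDefault are assumptions for illustration.

```vbscript
<%
Option Explicit
' Added example for the thread above; not the question's or the answer's code.
' Assumed for illustration: table Customers (CustomerID, Name, CreditLimit) and
' a connection string saved in Application("ConnString") at application start.

' ADO constants (same values as in adovbs.inc), for pages that do not include it.
Const adCmdText          = 1
Const adParamInput       = 1
Const adInteger          = 3
Const adVarWChar         = 202
Const adExecuteNoRecords = 128

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

' Builds a Command on the open connection; placeholders in sql are written as "?".
Function NewCommand(sql)
	Dim cmd
	Set cmd = Server.CreateObject("ADODB.Command")
	Set cmd.ActiveConnection = conn
	cmd.CommandType = adCmdText
	cmd.CommandText = sql
	Set NewCommand = cmd
End Function

' --- Vulnerable: the value is spliced into the statement text -----------------
' With name = "abc'; DROP TABLE Customers; --" the server receives
'   SELECT CustomerID, Name FROM Customers WHERE Name = 'abc'; DROP TABLE Customers; --'
' The quote closes the literal, ";" starts a second statement and "--" comments
' out the stray trailing quote. Doubling quotes (validText in the question) fixes
' this one pattern but not a value outside quotes:  WHERE CustomerID = 5 OR 1=1
Function FindCustomerUnsafe(name)
	Set FindCustomerUnsafe = conn.Execute( _
		"SELECT CustomerID, Name FROM Customers WHERE Name = '" & name & "'")
End Function

' --- WHERE: the value travels as a parameter, so it cannot change the query ----
Function FindCustomer(name)
	Dim cmd
	Set cmd = NewCommand("SELECT CustomerID, Name FROM Customers WHERE Name = ?")
	cmd.Parameters.Append cmd.CreateParameter("@Name", adVarWChar, adParamInput, 100, name)
	Set FindCustomer = cmd.Execute   ' Recordset; "abc'; DROP TABLE ..." is just a name
End Function

' --- INSERT and UPDATE take user input too and need the same treatment --------
Sub InsertCustomer(name, creditLimit)
	Dim cmd
	Set cmd = NewCommand("INSERT INTO Customers (Name, CreditLimit) VALUES (?, ?)")
	cmd.Parameters.Append cmd.CreateParameter("@Name", adVarWChar, adParamInput, 100, name)
	cmd.Parameters.Append cmd.CreateParameter("@Limit", adInteger, adParamInput, , creditLimit)
	cmd.Execute , , adExecuteNoRecords
End Sub

Sub UpdateCreditLimit(customerId, creditLimit)
	Dim cmd
	Set cmd = NewCommand("UPDATE Customers SET CreditLimit = ? WHERE CustomerID = ?")
	cmd.Parameters.Append cmd.CreateParameter("@Limit", adInteger, adParamInput, , creditLimit)
	cmd.Parameters.Append cmd.CreateParameter("@Id", adInteger, adParamInput, , customerId)
	cmd.Execute , , adExecuteNoRecords
End Sub

' Numeric input: accept only a whole number that fits a Long, otherwise a default.
' This is the check that isReallyNumeric/IfNotNumeric in the question do by hand.
Function ToLongOrDefault(value, defaultValue)
	Dim re
	Set re = New RegExp
	re.Pattern = "^\d{1,9}$"
	ToLongOrDefault = defaultValue
	If re.Test(value & "") Then ToLongOrDefault = CLng(value)
End Function

' Usage from a form post; every Request value arrives as a string.
Dim rs
Set rs = FindCustomer(Request.Form("name"))
UpdateCreditLimit ToLongOrDefault(Request.Form("id"), 0), _
                  ToLongOrDefault(Request.Form("limit"), 0)
%>
```

Request values are strings, so numeric fields go through ToLongOrDefault before being bound as adInteger; the same Parameters.Append pattern works for stored procedures (cmd.CommandType = adCmdStoredProc, value 4). With rs.AddNew, an assignment such as rs("Name") = value is sent to the provider as field data rather than statement text, so that assignment is not where concatenation happens; the SELECT the recordset was opened with is, if it was built by string concatenation.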