
Function for SQL injection

Status
Not open for further replies.

kebele

MIS
Joined
Jul 31, 2006
Messages
107
Location
US
Below is a simple function that will give me some protection against an SQL injection attempt. I am not sure if I created the array right for VB.NET, and that is where I am getting an error message. Any clue would be appreciated.



'Function IllegalChars to guard against SQL injection
Function IllegalChars(ByVal sInput As String) As Boolean
    'Declare variables
    Dim iCounter As Integer
    'Set IllegalChars to False
    IllegalChars = False

    'Create an array of illegal characters and words.
    'VB.NET needs the element type and an initializer in braces;
    'a parenthesised list is not a valid VB.NET array initializer.
    Dim sBadChars() As String = New String() {"select", "drop", ";", "--", "insert", "delete", "xp_", "#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "|"}

    'Loop through array sBadChars using our counter & UBound function
    For iCounter = 0 To UBound(sBadChars)
        'Use InStr to check presence of an illegal character in our variable
        '(InStr is case-sensitive under the default Option Compare Binary)
        If InStr(sInput, sBadChars(iCounter)) > 0 Then
            IllegalChars = True
        End If
    Next
End Function

 
Here is the syntax in C#:
Code:
// In C# a backslash inside a string literal must be escaped as "\\"
string[] sBadChars = new string[] { "select", "drop", ";", "--", "insert", "delete", "xp_", "#", "%", "&", "'", "(", ")", "/", "\\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "|" };

It would probably look something like this in VB:
Code:
' VB.NET strings have no escape sequences, so "\" is written as-is
Dim sBadChars() As String = New String() {"select", "drop", ";", "--", "insert", "delete", "xp_", "#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "|"}

Jason Meckley
Programmer
Specialty Bakers, Inc.
 
Use a stored procedure with parameters and then you won't need this function.
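Added example, not from the thread or any of its posters: a Python port of the IllegalChars blacklist posted above, run beside a parameterized sqlite3 query (the Python equivalent of the stored-procedure-with-parameters approach recommended in this reply, i.e. binding values through SqlParameter in ADO.NET) against a constructed users table. It shows why the blacklist is both too strict (a legitimate name such as O'Brien is rejected) and too loose (InStr's default binary comparison misses "SELECT", and a numeric-context payload such as `1 OR 1 LIKE 1` uses no blacklisted character at all), while a bound parameter is never parsed as SQL. The table, rows and inputs are constructed for this example.

```python
"""Blacklist filter vs. parameterized query, side by side (added example)."""
import sqlite3

# Same token list the thread's VB.NET IllegalChars function uses.
BAD_CHARS = ["select", "drop", ";", "--", "insert", "delete", "xp_", "#", "%",
             "&", "'", "(", ")", "/", "\\", ":", "<", ">", "=", "[", "]", "?",
             "`", "|"]


def illegal_chars(s_input: str) -> bool:
    """Port of IllegalChars: True if any blacklisted token occurs in the input.

    Like VB.NET's InStr under the default Option Compare Binary, the match is
    case-sensitive, so "SELECT" slips through while "select" is caught.
    """
    return any(bad in s_input for bad in BAD_CHARS)


def make_db() -> sqlite3.Connection:
    """Constructed sample table; none of this data comes from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "O'Brien", "user")],
    )
    conn.commit()
    return conn


def names_by_id_concat(conn: sqlite3.Connection, id_text: str) -> list:
    """Vulnerable pattern: user input pasted straight into the SQL text.

    A value like "1 OR 1 LIKE 1" passes illegal_chars() and still rewrites
    the WHERE clause, returning every row.
    """
    sql = "SELECT name FROM users WHERE id = " + id_text
    return [row[0] for row in conn.execute(sql)]


def names_by_id_param(conn: sqlite3.Connection, id_text: str) -> list:
    """Hardened pattern: the driver binds the value; it is never parsed as SQL.

    The same attacker string is compared as a literal against the id column
    and matches nothing.
    """
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (id_text,))
    return [row[0] for row in rows]


def names_by_name_param(conn: sqlite3.Connection, name: str) -> list:
    """A bound parameter also handles characters the blacklist would reject."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for probe in ["bob", "O'Brien", "SELECT * FROM users", "1 OR 1 LIKE 1"]:
        print(f"illegal_chars({probe!r}) -> {illegal_chars(probe)}")
    print("concat   :", names_by_id_concat(db, "1 OR 1 LIKE 1"))
    print("param    :", names_by_id_param(db, "1 OR 1 LIKE 1"))
    print("apostrophe:", names_by_name_param(db, "O'Brien"))
```

The blacklist rejects O'Brien and accepts `1 OR 1 LIKE 1`; the concatenated query leaks all three rows on that input, the parameterized query returns none, and the parameterized name lookup finds O'Brien without any escaping. The same holds for ADO.NET: pass values through SqlCommand.Parameters rather than building the command text by concatenation.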
 
To answer your question, you create the array not as an array, but as whatever type you need.

ex:


Dim myArray(12) As Integer  ' VB uses parentheses, not square brackets; this gives 13 elements, indices 0 to 12

Without Tek-Tips I would go Codal
-implementing random bugs for the sake of something to do.
 