Parse SQL forbidden characters

[pgferro]

Hi Guys,

Does anybody have a function ready to parse all forbidden SQL characters for an insert/update statement ?

(like single quote, %, &, ect..)

I know, I'm lazy !

 

[Nevermoor]

You can't simply remove all those characters from a prebuilt statement, you have to parse through each string as you build it into an insert/update statement.

As far as that goes, you only need to worry about single quotes, and the way to fix them is something like:

Function DoubleUpSingleQuotes(strInput)
'```<--- replace prime (single quote) with reverse prime
DoubleUpSingleQuotes = Replace(strInput, "'", "''")
End Function

 

[ChrisHirst]

3 standard ones I use to limit SQL Injection are

function stripQuotes(strWords)
'strip out single quotes for SQL injection attempts 
stripQuotes = replace(strWords, "'", "''")
stripQuotes =  StripChars(stripQuotes)
end function 
'***********************************

function StripChars(strIn) 
dim Disallowed 
dim strOut 
dim i

Disallowed = array("select", "drop", ";", "--", "insert","delete", "xp_") 
strOut = strIn 

for i = 0 to uBound(Disallowed) 
strOut = replace(strOut, Disallowed(i), "") 
next 
StripChars = strOut 
end function 
'*************************************

function CheckBad(strIn, Pattern)
dim objRE
set objRE = New RegExp 
objRE.pattern = Pattern
CheckBad = objRE.Test(strIn)
end function
'*************************************

the call to CheckBad is usually

CheckBad(username,"[=;'" & chr(34) &"]")

to test for "=", ";" "'" (single quote) and """ (double quote)



Chris.

Indifference will be the downfall of mankind, but who cares?

http://www.candsdesign.co.uk

A website that proves the cobblers kids adage.

http://www.cram-system.com

Nightclub counting systems

So long, and thanks for all the fish.