SQL Injection easy fix???

AlaskanDad (Programmer), Mar 1, 2002
This may be too simplistic so I'm really looking for some guidance here.

Is this a fix-all for preventing SQL Injection attacks through querystrings?

If Instr(1, Request.QueryString, ";") Then Response.Redirect ("MyInfo.asp")
If Instr(1, Request.QueryString, "(") Then Response.Redirect ("MyInfo.asp")

I figure the only way they could throw in a SQL add-on would be through using a ; or a (.

I know this doesn't clean up my text box entries, but is this a good start?
 
Hi...
You have to delete all of these chars:
";"
"-"
"'"

----
TNX.
E.T.
 
Alright...

Here is the new "fix-all":

If Instr(1, Request.QueryString, ";") Then Response.Redirect ("MyInfo.asp")
If Instr(1, Request.QueryString, "(") Then Response.Redirect ("MyInfo.asp")
If Instr(1, Request.QueryString, "-") Then Response.Redirect ("MyInfo.asp")
If Instr(1, Request.QueryString, "'") Then Response.Redirect ("MyInfo.asp")


Any attempt to use one of those four characters in a querystring will send it back to the home page.

How does this look?

-Rob
 
Hi...
It's OK, but I think this is not good.
First, in your form, you check the inputs and, if there are any of these chars in the values, alert the user that he/she can't use these chars and don't submit the form; but you also check it server side, with your fix-all function, and then redirect the user to the home page...

----
TNX.
E.T.
 
In many cases you can't simply forbid the use of ' " ( % & ; etc. For MS SQL Server it is usually enough to change any single ' into '' (not "):

sValue = replace( sValue, "'", "''")

Also look into "SQL Prepared statements": a very effective way to handle SQL injection.


BTW: your InStr() code is incomplete. This function returns an integer. 0 = not found.

<% =InStr("ABCDE ABCDE", "C") %>

Output:
3




hth,
Foxbox
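The three approaches in this thread side by side: Rob's four-character querystring blacklist, Foxbox's quote-doubling replace(), and the parameterized ("prepared") statement Foxbox recommends. This is an added example and not code from any poster; it uses Python's built-in sqlite3 module as a stand-in for the classic ASP / ADO / MS SQL Server stack the thread assumes, and the members table, its rows and the two sample inputs are constructed for the demonstration. In classic ASP the parameterized form corresponds to an ADODB.Command object with its Parameters collection rather than string concatenation into Execute().

```python
import sqlite3

# Constructed sample data; stands in for the real table the thread's ASP page would query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO members (name, email) VALUES (?, ?)",
        [("Rob", "rob@example.invalid"),
         ("O'Brien", "obrien@example.invalid"),   # legitimate name containing a quote
         ("Foxbox", "foxbox@example.invalid")],
    )
    return conn

# The four characters Rob's second "fix-all" redirects on.
BLOCKED_CHARS = (";", "(", "-", "'")

# Constructed hostile sample: the classic quote-breakout that the thread is worried about.
HOSTILE_INPUT = "' OR '1'='1"

def blacklist_passes(value):
    """Rob's check: True when none of the four characters appear in the value."""
    return not any(ch in value for ch in BLOCKED_CHARS)

def lookup_concat(conn, name):
    """Query built by string concatenation, as the original ASP code does (vulnerable)."""
    sql = "SELECT id, name FROM members WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_quote_doubled(conn, name):
    """Foxbox's mitigation: double every single quote before concatenating.
    Only protects string literals; a value dropped into a numeric context is still unquoted."""
    sql = "SELECT id, name FROM members WHERE name = '" + name.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, name):
    """Parameterized statement: the value travels separately from the SQL text,
    so the database never parses it as SQL regardless of which characters it holds."""
    return conn.execute("SELECT id, name FROM members WHERE name = ?", (name,)).fetchall()

def concat_is_broken_by(conn, name):
    """True if the concatenated query fails to parse for this input (a quote in the value)."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    db = make_db()
    for value in ("O'Brien", HOSTILE_INPUT):
        print(repr(value))
        print("  blacklist passes :", blacklist_passes(value))
        print("  concat breaks    :", concat_is_broken_by(db, value))
        if not concat_is_broken_by(db, value):
            print("  concat rows      :", lookup_concat(db, value))
        print("  quote-doubled    :", lookup_quote_doubled(db, value))
        print("  parameterized    :", lookup_param(db, value))
```

Run as a script it shows the two failure modes at once: the blacklist turns away a legitimate user named O'Brien (Foxbox's "you can't simply forbid" point), and the concatenated query either errors on that name or, for the hostile sample, returns every row in the table, while both quote-doubling and the parameterized query return exactly the intended row or nothing. The parameterized version is the one to carry forward, because it works the same way for numeric columns where there are no quotes to double.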
 