Wrox Programmer Forums

Need to download code?

View our list of code downloads.

| FAQ | Members List | Search | Today's Posts | Mark Forums Read
Classic ASP Basics For beginner programmers starting with "classic" ASP 3, pre-".NET." NOT for ASP.NET 1.0, 1.1, or 2.0
Welcome to the p2p.wrox.com Forums.

You are currently viewing the Classic ASP Basics section of the Wrox Programmer to Programmer discussions. This is a community of tens of thousands of software programmers and website developers including Wrox book authors and readers. As a guest, you can read any forum posting. By joining today you can post your own programming questions, respond to other developers’ questions, and eliminate the ads that are displayed to guests. Registration is fast, simple and absolutely free .
DRM-free e-books 300x50
Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old November 21st, 2017, 09:16 AM
Registered User
Points: 10, Level: 1
Points: 10, Level: 1 Points: 10, Level: 1 Points: 10, Level: 1
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
Join Date: Aug 2015
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Default SQL Injection function

Hi guys

I hope you can help.

I need to update a very old website that is using classic ASP code and inline sql queries. There’s a lot of bad practice going on but I need to quickly protect the site as best I can while we have the resources to update the site and move it over to a more secure environment.

Basically, what I need is a regular expression or function that will blacklist all of the usual suspects (ie words and characters) that are used as SQL injection. I fully appreciate that there is no concrete way to totally protect the site against SQL injection by using a blacklist (or whitelist). However, I just need to buy myself a little time while I figure everything out, and have the time, to update the entire scripting.

Unfortunately, I’m not that great on classic asp coding but what I have found so far are these three functions:

------------FUNCTION 1--------------
function SQLInject(strWords)
dim badChars, newChars, i
badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_")
newChars = strWords
for i = 0 to uBound(badChars)
newChars = replace(newChars, badChars(i), "")
newChars = newChars
newChars= replace(newChars, "'", "''")
newChars= replace(newChars, " ", "")
newChars= replace(newChars, "'", "|")
newChars= replace(newChars, "|", "''")
newChars= replace(newChars, "\""", "|")
newChars= replace(newChars, "|", "''")
end function
------------FUNCTION 1--------------

------------FUNCTION 2--------------
function SQLInject2(strWords)
dim badChars, newChars, tmpChars, regEx, i
badChars = array( _
"select(.*)(from|with|by){1}", "insert(.*)(into|values){1}", "update(.*)set", "delete(.*)(from|with){1}", _
"drop(.*)(from|aggre|role|assem|key|cert|cont|cred ential|data|endpoint|event|f ulltext|function|index|login|type|schema|procedure |que|remote|role|route|sign| stat|syno|table|trigger|user|view|xml){1}", _
"alter(.*)(application|assem|key|author|cert|crede ntial|data|endpoint|fulltext |function|index|login|type|schema|procedure|que|re mote|role|route|serv|table|u ser|view|xml){1}", _
"xp_", "sp_", "restore\s", "grant\s", "revoke\s", _
"dbcc", "dump", "use\s", "set\s", "truncate\s", "backup\s", _
"load\s", "save\s", "shutdown", "cast(.*)\(", "convert(.*)\(", "execute\s", _
"updatetext", "writetext", "reconfigure", _
"/\*", "\*/", ";", "\-\-", "\[", "\]", "char(.*)\(", "nchar(.*)\(")
newChars = strWords
for i = 0 to uBound(badChars)
Set regEx = New RegExp
regEx.Pattern = badChars(i)
regEx.IgnoreCase = True
regEx.Global = True
newChars = regEx.Replace(newChars, "")
Set regEx = nothing
newChars = replace(newChars, "'", "''")
SqlInject2 = newChars
end function
------------FUNCTION 2--------------

------------FUNCTION 3--------------
Function isURL(strURL)

Dim Slug, re, re2

'Everything to lower case
Slug = lcase(strURL)

' Replace - with empty space
Slug = Replace(Slug, "-", " ")

' Replace unwanted characters with space
Set re = New RegExp
re.Pattern = "[^a-z0-9\s-]"
re.Global = True
Slug = re.Replace(Slug, " ")

' Replace multple white spaces with single space
Set re2 = New RegExp
re2.Pattern = "\s+"
re2.Global = True
Slug = re2.Replace(Slug, " ")

Slug = Trim(Slug)

' Replace white space with -
Slug = Replace(Slug," ", "-")

isURL = Slug

End Function

------------FUNCTION 3--------------

Can anyone let me know if the above is any good and if so which one is the best one? If not, can anyone suggest a sample script I can use just to get by for the moment? Any help would be fully appreciated.

Best regards

Rod from the UK
Reply With Quote

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
sql injection trufla Classic ASP Basics 2 June 16th, 2008 02:54 PM
SQl Injection through ASP and MS SQl 2000 cancer10 Classic ASP Databases 1 October 27th, 2007 03:21 AM
SQL Injection cygnusx04 Classic ASP Databases 1 November 6th, 2004 11:06 AM
What SQL Injection is ? minhtri Classic ASP Basics 2 October 20th, 2004 10:11 PM
Security: Preventing SQL Injection taliesin Classic ASP Professional 2 July 4th, 2003 02:43 AM

All times are GMT -4. The time now is 07:37 PM.

Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
© 2013 John Wiley & Sons, Inc.