Protect From SQL Injection In Your Web Apps
Posted by Support, Last modified by Support on 16 May 2008 09:53 PM
How To: Protect From SQL Injection in ASP.NET:
http://msdn2.microsoft.com/en-us/library/ms998271.aspx

How To: Protecting ASP from SQL Injection Attacks
http://www.4guysfromrolla.com/webtech/061902-1.shtml

How To: Detection of SQL Injection and Cross-site Scripting Attacks
http://www.securityfocus.com/infocus/1768

Here is the Classic ASP code our programmers use for SQL injection protection.

Put one of these includes at the top of each page you want to protect:
<!-- #include file="fixupdbinput.asp" -->
or
<!-- #include virtual="fixupdbinput.asp" -->

Wrap every value read from the request in FixUpDBIn before it is used in a SQL statement. The ???? placeholders stand for the name of the parameter being read:

FixUpDBIn(Request("?????"))
FixUpDBIn(Request.Form("????"))
FixUpDBIn(Request.QueryString("????"))
FixUpDBIn(Request.ServerVariables("????"))
FixUpDBIn(Request.Cookies("????"))

Put the following in the fixupdbinput.asp page:
'-----------------------------------------------------------
' Fix Up Data Going Into The Database
'-----------------------------------------------------------
Function FixUpDBIn(strFormDataToFixUp)
    ' Each step works on the result of the previous one. Assigning every
    ' Replace to the function name instead would keep only the last result.
    strFormDataToFixUp = clearAllTags(strFormDataToFixUp)
    strFormDataToFixUp = Replace(strFormDataToFixUp, "'", "''")
    strFormDataToFixUp = Replace(strFormDataToFixUp, ";", "")
    strFormDataToFixUp = Replace(strFormDataToFixUp, "--", "")
    ' vbTextCompare makes one Replace cover CAST(, cast(, Cast( and so on
    strFormDataToFixUp = Replace(strFormDataToFixUp, "CAST(", "", 1, -1, vbTextCompare)
    strFormDataToFixUp = FixUpSQLData(strFormDataToFixUp)
    strFormDataToFixUp = FixUpSQLData2(strFormDataToFixUp)
    strFormDataToFixUp = FixUpSQLData3(strFormDataToFixUp)
    strFormDataToFixUp = FixUpSQLData4(strFormDataToFixUp)
    FixUpDBIn = strFormDataToFixUp
End Function
'-----------------------------------------------------------
' Fix Up Data Going Out Of The Database
'-----------------------------------------------------------
Function FixUpDBOut(strDBDataToFixUp)
    FixUpDBOut = Replace(strDBDataToFixUp, "''", "'")
End Function
'-----------------------------------------------------------
' Fix Up Data - Regex for detection of SQL meta-characters
' (' and -- in plain and URL-encoded form, and the # comment marker)
'-----------------------------------------------------------
Function FixUpSQLData(strData)
    Dim re
    Set re = New RegExp
    ' The VBScript RegExp object takes the bare pattern: no /.../ delimiters
    ' and no trailing flags; case-insensitivity is set with IgnoreCase.
    re.Pattern = "(\%27)|(\')|(\-\-)|(\%23)|(#)"
    re.Global = True
    re.IgnoreCase = True
    FixUpSQLData = re.Replace(strData, "")
End Function
'-----------------------------------------------------------
' Fix Up Data - Regex for detection of EXEC of sp_/xp_ stored procedures
'-----------------------------------------------------------
Function FixUpSQLData2(strData)
    Dim re
    Set re = New RegExp
    re.Pattern = "exec(\s|\+)+(s|x)p\w+"
    re.Global = True
    re.IgnoreCase = True
    FixUpSQLData2 = re.Replace(strData, "")
End Function
'-----------------------------------------------------------
' Fix Up Data - Regex for detection of HTML tags, plain or URL-encoded
'-----------------------------------------------------------
Function FixUpSQLData3(strData)
    Dim re
    Set re = New RegExp
    re.Pattern = "((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)"
    re.Global = True
    re.IgnoreCase = True
    FixUpSQLData3 = re.Replace(strData, "")
End Function
'-----------------------------------------------------------
' Fix Up Data - Regex for detection of <img ...> tags, plain or URL-encoded
' (these carry attributes, so the tag regex above does not catch them)
'-----------------------------------------------------------
Function FixUpSQLData4(strData)
    Dim re
    Set re = New RegExp
    re.Pattern = "((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)"
    re.Global = True
    re.IgnoreCase = True
    FixUpSQLData4 = re.Replace(strData, "")
End Function
'-----------------------------------------------------------
' Clear All HTML Tags
'-----------------------------------------------------------
Function clearAllTags(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "(<[^>]*>)"
    re.Global = True
    re.IgnoreCase = True
    clearAllTags = re.Replace(s, "")
End Function
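The following is an added example, not code from this article or from the linked how-tos. It ports the four patterns in fixupdbinput.asp to Python, runs them over a few constructed access-log lines (the kind of log check the Detection how-to linked at the top is about) and also applies the full FixUpDBIn chain, each step feeding the next, so the effect of the filter on ordinary input can be seen. The function names, the log format and the log lines are assumptions; the two CAST( replacements are folded into one case-insensitive one.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# The four patterns from fixupdbinput.asp as Python regexes. The Perl-style
# /.../ix delimiters are dropped and case-insensitivity becomes the re.I flag.
DETECTORS = {
    "sql-meta": re.compile(r"(\%27)|(\')|(\-\-)|(\%23)|(#)", re.I),
    "exec-sp": re.compile(r"exec(\s|\+)+(s|x)p\w+", re.I),
    "html-tag": re.compile(r"((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)", re.I),
    "img-tag": re.compile(
        r"((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)",
        re.I,
    ),
}
ANY_TAG = re.compile(r"<[^>]*>")         # clearAllTags
CAST_CALL = re.compile(r"cast\(", re.I)  # the CAST( / cast( replacements, folded into one


def detect(value):
    """Names of the patterns that match `value`, in the order the ASP code applies them."""
    return [name for name, rx in DETECTORS.items() if rx.search(value)]


def fix_up_db_in(value):
    """Port of FixUpDBIn: strip tags, double quotes, drop ; -- and CAST(,
    then remove whatever the four detection patterns still match."""
    value = ANY_TAG.sub("", value)
    value = value.replace("'", "''")
    value = value.replace(";", "")
    value = value.replace("--", "")
    value = CAST_CALL.sub("", value)
    for rx in DETECTORS.values():        # FixUpSQLData .. FixUpSQLData4
        value = rx.sub("", value)
    return value


def scan_log(lines):
    """Run the detectors over every query-string parameter of access-log lines.

    Each parameter is checked as it appears on the wire (where the %27 / %3C
    alternatives in the patterns apply) and again after URL-decoding.
    Returns (line number, parameter name, matched pattern names) per hit.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        for pair in urlsplit(m.group(1)).query.split("&"):
            name, _, raw = pair.partition("=")
            matched = set(detect(raw)) | set(detect(unquote_plus(raw)))
            found = [n for n in DETECTORS if n in matched]
            if found:
                hits.append((lineno, name, found))
    return hits


# Constructed sample log lines, not real traffic. Line 1 is a benign request;
# lines 2-4 carry the kinds of values the ASP patterns are written to catch.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/May/2008:21:53:00 +0000] "GET /products.asp?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/May/2008:21:53:07 +0000] "GET /products.asp?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9120',
    '10.0.0.9 - - [16/May/2008:21:53:12 +0000] "GET /search.asp?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 780',
    '10.0.0.9 - - [16/May/2008:21:53:20 +0000] "GET /admin.asp?cmd=exec+sp_who HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for lineno, name, found in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: parameter {name!r} matched {', '.join(found)}")
    for sample in ("O'Brien", "42' OR 1=1; --", "<b>hi</b>"):
        print(f"{sample!r} -> {fix_up_db_in(sample)!r}")
```

Two things the run makes visible. First, the sql-meta pass removes every apostrophe, so a name like O'Brien reaches the database as OBrien; the doubling done earlier in the chain never survives, and FixUpDBOut therefore has nothing to undo for values that came in through FixUpDBIn. Second, the filter is a blocklist: it recognises only the patterns listed, which is why the detection how-to treats them as signatures for logging and alerting, and why the ASP.NET how-to linked at the top relies on parameterized queries rather than on stripping characters.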
