Below is a simple function that gives you some protection against an
SQL injection attempt. It is a blacklist: it rejects input containing
characters and keywords commonly used in injection payloads. That reduces the
risk but does not remove it, so treat it as a second line of defence behind
parameterised queries (ADO Command objects with Parameters) rather than a
substitute for them.
The sample script below retrieves the form values entered into the textboxes
'txtUsername' and 'txtPassword' and assigns them to the variables 'sUsername'
and 'sPassword'. The next line of code calls the function IllegalChars once
for each variable, passing the variable in as the parameter.
The function IllegalChars holds an array of illegal characters and words. It
loops through these, checking for their presence in the input with the InStr
function (using a case-insensitive comparison, so "SELECT" is caught as well
as "select"). If any of them is present, IllegalChars returns True; otherwise
it returns False. When either variable fails the check, the visitor is
redirected to the file 'no_access.asp' and the form is not processed.
<%
Dim sUsername, sPassword
sUsername = Request.Form("txtUsername")
sPassword = Request.Form("txtPassword")
If IllegalChars(sUsername) = True Or IllegalChars(sPassword) = True Then
    Response.Redirect "no_access.asp"
End If

' Returns True if sInput contains any of the blacklisted characters or
' keywords, otherwise False. The comparison uses vbTextCompare so that the
' check is case-insensitive ("SELECT", "Select" and "select" all match).
Function IllegalChars(sInput)
    Dim sBadChars, iCounter
    IllegalChars = False
    sBadChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_", _
                      "#", "%", "&", "'", "(", ")", "/", "\", ":", _
                      "<", ">", "=", "[", "]", "?", "`", "|", "declare", "convert")
    For iCounter = 0 To UBound(sBadChars)
        If InStr(1, sInput, sBadChars(iCounter), vbTextCompare) > 0 Then
            IllegalChars = True
            Exit For
        End If
    Next
End Function
%>
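The following is an added example, not code from the original page: a Python port of the IllegalChars blacklist placed next to the two kinds of login query it is meant to protect, so you can see exactly what the filter buys you. The users table, the account names and the injection payload are all constructed here for the demonstration, and SQLite stands in for whatever database the ASP page would be talking to. The concatenated query is the vulnerable pattern; the parameterised query is the hardened form that makes the blacklist unnecessary for injection purposes.

```python
import sqlite3

# Same blacklist as the page's IllegalChars array (the duplicated ";" dropped).
BAD_TOKENS = [
    "select", "drop", ";", "--", "insert", "delete", "xp_",
    "#", "%", "&", "'", "(", ")", "/", "\\", ":",
    "<", ">", "=", "[", "]", "?", "`", "|", "declare", "convert",
]


def illegal_chars(s: str) -> bool:
    """Port of the page's IllegalChars: True if any blacklisted token
    appears anywhere in the input, compared case-insensitively."""
    lowered = s.lower()
    return any(tok in lowered for tok in BAD_TOKENS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts, one with a legitimate
    password that happens to contain a blacklisted character."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "O'Brien1")],
    )
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: the query is built by string concatenation, which is the
    pattern the page's filter is trying to protect. User input becomes SQL."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def guarded_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors the page's flow: run the blacklist first, refuse (the ASP
    redirect to no_access.asp) if it trips, otherwise run the concatenated
    query. Stops the payload below, but also locks out bob's real password."""
    if illegal_chars(username) or illegal_chars(password):
        return False
    return login_concat(conn, username, password)


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """HARDENED: placeholders send the values separately from the SQL text,
    so a quote in the password is just a character in a string, never SQL.
    No blacklist is needed and legitimate passwords containing ' work."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Classic payload for the password field: turns the WHERE clause into
# (username='alice' AND password='') OR '1'='1', which matches every row.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concat, injected   :", login_concat(db, "alice", PAYLOAD))   # True
    print("guarded, injected  :", guarded_login(db, "alice", PAYLOAD))  # False
    print("guarded, bob's real:", guarded_login(db, "bob", "O'Brien1")) # False
    print("param, injected    :", login_param(db, "alice", PAYLOAD))    # False
    print("param, bob's real  :", login_param(db, "bob", "O'Brien1"))   # True
```

The two things to take from the output: the blacklist does stop this payload, but only because the payload needs a quote, and the same rule rejects bob's perfectly valid password. The parameterised query rejects the payload and accepts bob without any filtering, which is why it is the primary defence. In classic ASP the equivalent is an ADODB.Command with CreateParameter and Parameters.Append instead of building the SQL string from Request.Form values.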