Protection against SQL Injection Attack

Below is a simple function that will give you some protection against SQL injection attempts by rejecting input that contains characters or keywords commonly used in such attacks.

The sample script below retrieves the form values entered into the textboxes 'txtUsername' and 'txtPassword' and assigns them to variables 'sUsername' and 'sPassword'. The next line of code calls the function IllegalChars and passes in the variables as parameters.

The function IllegalChars holds an array of illegal characters and words. It loops through these, checking for their presence in our variables using the InStr function. If any are present in either of our variables then IllegalChars returns True. In that scenario the visitor will be redirected to the file 'no_access.asp'.

<%
'Declare variables
Dim sUsername, sPassword
'Retrieve our form textbox values and assign to variables
sUsername = Request.Form("txtUsername")
sPassword = Request.Form("txtPassword")

'Call the function IllegalChars to check for illegal characters
If IllegalChars(sUsername) Or IllegalChars(sPassword) Then
    Response.Redirect("no_access.asp")
End If

'Function IllegalChars to guard against SQL injection
Function IllegalChars(sInput)
    'Declare variables
    Dim sBadChars, iCounter
    'Set IllegalChars to False
    IllegalChars = False
    'Create an array of illegal characters and words
    sBadChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_", _
        "#", "%", "&", "'", "(", ")", "/", "\", ":", "<", ">", "=", "[", "]", "?", "`", "|", "declare", "convert")
    'Loop through array sBadChars using our counter and the UBound function
    For iCounter = 0 To UBound(sBadChars)
        'Use InStr with vbTextCompare so the check is case-insensitive
        '(the default binary compare would let "SELECT" past a check for "select")
        If InStr(1, sInput, sBadChars(iCounter), vbTextCompare) > 0 Then
            IllegalChars = True
            'One match is enough; no need to test the remaining entries
            Exit For
        End If
    Next
End Function
%>
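The check above filters what the user typed before it reaches a query, but the database driver can do the separation of code and data for you. The script below is an added example, not part of the original page: it performs the same login lookup with a parameterised ADODB.Command, so that a quote or a keyword in the input is passed to the database as a value rather than spliced into the SQL text. The connection string stored in Application("ConnectionString"), the table tblUsers and its columns are assumptions.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit

' ADO constants (classic ASP does not include adovbs.inc by default)
Const adCmdText = 1        ' CommandText is a SQL statement
Const adVarChar = 200      ' variable-length string parameter
Const adParamInput = 1     ' input parameter

Dim sUsername, sPassword, oConn, oCmd, oRs

' Retrieve the same two form values as the original script
sUsername = Request.Form("txtUsername")
sPassword = Request.Form("txtPassword")

' A length limit is a cheap check that no encoding trick can get around
If Len(sUsername) = 0 Or Len(sUsername) > 50 Or Len(sPassword) > 100 Then
    Response.Redirect("no_access.asp")
End If

' Connection string is assumed to be set in global.asa
Set oConn = Server.CreateObject("ADODB.Connection")
oConn.Open Application("ConnectionString")

Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn
oCmd.CommandType = adCmdText

' The ? placeholders are bound by the driver; the user input is never
' concatenated into the statement, so "'" or "--" in it have no SQL meaning.
' (In production the stored value should be a password hash; hashing is
' outside the scope of this example.)
oCmd.CommandText = "SELECT UserID FROM tblUsers WHERE Username = ? AND Password = ?"
oCmd.Parameters.Append oCmd.CreateParameter("@user", adVarChar, adParamInput, 50, sUsername)
oCmd.Parameters.Append oCmd.CreateParameter("@pass", adVarChar, adParamInput, 100, sPassword)

Set oRs = oCmd.Execute

If oRs.EOF Then
    ' No matching row: treat exactly like a blocked request
    oRs.Close
    oConn.Close
    Response.Redirect("no_access.asp")
Else
    Session("UserID") = oRs("UserID")
    oRs.Close
    oConn.Close
End If
%>
```

The IllegalChars function can still run first as an input-validation layer; the parameterised command is what stops a value from changing the meaning of the query, so the two checks complement rather than replace each other.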
