Google
 

Monday, April 5, 2010

ASP Codes to prevent MSSQL Injection Data Cleaner for Database Security

This is a simple input field cleaner to help prevent SQL Injection problems. SQL Injection occurs when a hacker fills out a form on your web site or posts data to a script. If the script which accepts and processes the data reads or writes to a SQL database, the hacker can include SQL commands.

Those commands can insert data to your database and/or can output details about the tables and fields in your database.

There is much more to SQL injection, but this simple script will help to clean submitted data. It is intended for alphanumeric fields. You can clean numeric fields separately by testing for isNumeric and Not isNull.

ASP FUNCTIONS CODES

Function fncInputDataCleaner(StringToClean)

If Len(StringToClean) > 0 Then
For x = 1 to 3
StringToClean = Replace(stringToClean, "'", "''")
StringToClean = Replace(stringToClean, "--", "-")
StringToClean = Replace(stringToClean, ";", " ")
StringToClean = Replace(stringToClean, "<", " ") StringToClean = Replace(stringToClean, ">", " ")
StringToClean = Replace(stringToClean, "%", " ")
StringToClean = Replace(stringToClean, " Next
End If

CleanInputData = stringToClean

End Function



Instructions
Add this function to your Classic ASP script or include it in a file with commonly used functions. Call the function like this:

strMyName = Request("MyName")
strMyName = fncInputDataCleaner(strMyName)

No comments: