Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 1 of 1
  1. #1
    New Coder
    Join Date
    Jan 2016
    Posts
    18
    Thanks
    0
    Thanked 0 Times in 0 Posts

    SQL injection function

    Hi guys

    I hope you can help.

    I need to update a very old website that is using classic ASP code and inline sql queries. Thereís a lot of bad practice going on but I need to quickly protect the site as best I can while we have the resources to update the site and move it over to a more secure environment.

    Basically, what I need is a regular expression or function that will blacklist all of the usual suspects (ie words and characters) that are used as SQL injection. I fully appreciate that there is no concrete way to totally protect the site against SQL injection by using a blacklist (or whitelist). However, I just need to buy myself a little time while I figure everything out, and have the time, to update the entire scripting.

    Unfortunately, Iím not that great on classic asp coding but what I have found so far are these three functions:

    ------------FUNCTION 1--------------
    Code:
        function SQLInject(strWords) 
        dim badChars, newChars, i
        badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_") 
        newChars = strWords 
        for i = 0 to uBound(badChars) 
        newChars = replace(newChars, badChars(i), "") 
        next 
        newChars = newChars 
        newChars= replace(newChars, "'", "''")
        newChars= replace(newChars, " ", "")
        newChars= replace(newChars, "'", "|")
        newChars= replace(newChars, "|", "''")
        newChars= replace(newChars, "\""", "|")
        newChars= replace(newChars, "|", "''")
        SQLInject=newChars
        end function
    ------------FUNCTION 1--------------


    ------------FUNCTION 2--------------
    Code:
        function SQLInject2(strWords)
        dim badChars, newChars, tmpChars, regEx, i
        badChars = array( _
        "select(.*)(from|with|by){1}", "insert(.*)(into|values){1}", "update(.*)set", "delete(.*)(from|with){1}", _
        "drop(.*)(from|aggre|role|assem|key|cert|cont|credential|data|endpoint|event|f ulltext|function|index|login|type|schema|procedure|que|remote|role|route|sign| stat|syno|table|trigger|user|view|xml){1}", _
        "alter(.*)(application|assem|key|author|cert|credential|data|endpoint|fulltext |function|index|login|type|schema|procedure|que|remote|role|route|serv|table|u ser|view|xml){1}", _
        "xp_", "sp_", "restore\s", "grant\s", "revoke\s", _
        "dbcc", "dump", "use\s", "set\s", "truncate\s", "backup\s", _
        "load\s", "save\s", "shutdown", "cast(.*)\(", "convert(.*)\(", "execute\s", _
        "updatetext", "writetext", "reconfigure", _
        "/\*", "\*/", ";", "\-\-", "\[", "\]", "char(.*)\(", "nchar(.*)\(") 
        newChars = strWords
        for i = 0 to uBound(badChars)
        Set regEx = New RegExp
        regEx.Pattern = badChars(i)
        regEx.IgnoreCase = True
        regEx.Global = True
        newChars = regEx.Replace(newChars, "")
        Set regEx = nothing
        next
        newChars = replace(newChars, "'", "''")
        SqlInject2 = newChars
        end function
    ------------FUNCTION 2--------------

    ------------FUNCTION 3--------------
    Code:
        Function isURL(strURL)
    
        Dim Slug, re, re2
    
        'Everything to lower case
        Slug = lcase(strURL)
    
        ' Replace - with empty space
        Slug = Replace(Slug, "-", " ")
    
        ' Replace unwanted characters with space
        Set re = New RegExp
        re.Pattern = "[^a-z0-9\s-]"
        re.Global = True
        Slug = re.Replace(Slug, " ")
    
        ' Replace multple white spaces with single space
        Set re2 = New RegExp
        re2.Pattern = "\s+"
        re2.Global = True
        Slug = re2.Replace(Slug, " ")
    
        Slug = Trim(Slug)
    
        ' Replace white space with -
        Slug = Replace(Slug," ", "-")
    
    isURL = Slug
    
    End Function
    ------------FUNCTION 3--------------

    Can anyone let me know if the above is any good and if so which one is the best one? If not, can anyone suggest a sample script I can use just to get by for the moment? Any help would be fully appreciated.

    Best regards

    Rod from the UK
    Last edited by vinyl-junkie; 11-21-2017 at 03:47 PM. Reason: added code tags


 

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •