SQL Injection function

Hi guys

I hope you can help.

I need to update a very old website that is using classic ASP code and inline sql queries. There’s a lot of bad practice going on but I need to quickly protect the site as best I can while we have the resources to update the site and move it over to a more secure environment.

Basically, what I need is a regular expression or function that will blacklist all of the usual suspects (ie words and characters) that are used as SQL injection. I fully appreciate that there is no concrete way to totally protect the site against SQL injection by using a blacklist (or whitelist). However, I just need to buy myself a little time while I figure everything out, and have the time, to update the entire scripting.

Unfortunately, I’m not that great on classic asp coding but what I have found so far are these three functions:

------------FUNCTION 1--------------

    function SQLInject(strWords) 
    dim badChars, newChars, i
    badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_") 
    newChars = strWords 
    for i = 0 to uBound(badChars) 
    newChars = replace(newChars, badChars(i), "") 
    newChars = newChars 
    newChars= replace(newChars, "'", "''")
    newChars= replace(newChars, " ", "")
    newChars= replace(newChars, "'", "|")
    newChars= replace(newChars, "|", "''")
    newChars= replace(newChars, "\""", "|")
    newChars= replace(newChars, "|", "''")
    end function 

------------FUNCTION 1--------------

------------FUNCTION 2--------------

    function SQLInject2(strWords)
    dim badChars, newChars, tmpChars, regEx, i
    badChars = array( _
    "select(.*)(from|with|by){1}", "insert(.*)(into|values){1}", "update(.*)set", "delete(.*)(from|with){1}", _
    "drop(.*)(from|aggre|role|assem|key|cert|cont|credential|data|endpoint|event|f ulltext|function|index|login|type|schema|procedure|que|remote|role|route|sign| stat|syno|table|trigger|user|view|xml){1}", _
    "alter(.*)(application|assem|key|author|cert|credential|data|endpoint|fulltext |function|index|login|type|schema|procedure|que|remote|role|route|serv|table|u ser|view|xml){1}", _
    "xp_", "sp_", "restore\s", "grant\s", "revoke\s", _
    "dbcc", "dump", "use\s", "set\s", "truncate\s", "backup\s", _
    "load\s", "save\s", "shutdown", "cast(.*)\(", "convert(.*)\(", "execute\s", _
    "updatetext", "writetext", "reconfigure", _
    "/\*", "\*/", ";", "\-\-", "\[", "\]", "char(.*)\(", "nchar(.*)\(") 
    newChars = strWords
    for i = 0 to uBound(badChars)
    Set regEx = New RegExp
    regEx.Pattern = badChars(i)
    regEx.IgnoreCase = True
    regEx.Global = True
    newChars = regEx.Replace(newChars, "")
    Set regEx = nothing
    newChars = replace(newChars, "'", "''")
    SqlInject2 = newChars
    end function

------------FUNCTION 2--------------

------------FUNCTION 3--------------

    Function isURL(strURL)

    Dim Slug, re, re2

    'Everything to lower case
    Slug = lcase(strURL)

    ' Replace - with empty space
    Slug = Replace(Slug, "-", " ")

    ' Replace unwanted characters with space
    Set re = New RegExp
    re.Pattern = "[^a-z0-9\s-]"
    re.Global = True
    Slug = re.Replace(Slug, " ")

    ' Replace multple white spaces with single space
    Set re2 = New RegExp
    re2.Pattern = "\s+"
    re2.Global = True
    Slug = re2.Replace(Slug, " ")

    Slug = Trim(Slug)

    ' Replace white space with -
    Slug = Replace(Slug," ", "-")

isURL = Slug

End Function

------------FUNCTION 3--------------

Can anyone let me know if the above is any good and if so which one is the best one? If not, can anyone suggest a sample script I can use just to get by for the moment? Any help would be fully appreciated.

Best regards

Rod from the UK

The approach you are considering only reduce the risk for SQL injection, as it has to be in your blacklist to be triggered.

Instead you should consider using prepared statements to remove the risk all together.

Take a look on this document on how to prevent SQL Injection:

Thanks - much appreciated!

Best regards


This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.