Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network

[quote="Shippwreck"]…I find that SQL Injection is one of those things that everyone agrees poses a major security risk, but if I ask the question what techniques to use to combat it or what are the key/most common things to look out for in your coding that leave you wide open the room goes eerily quiet…[/quote]

Well, here’s what I do…

The ContainsSQL function below accepts a string value and checks for a ';' character outside of string delimiters (single quotes). A ';' in that position is what an SQL stuffing (stacked-query) injection needs in order to append a second statement to yours.

Let's say your script uses a variable as a modifier for an SQL command. The variable is collected from the query string and is called "Variable", so to get its value in code you'd use request("Variable").

Your code might look like this:
[code]sqlq = "select * from '" & request("Variable") & "'"[/code]

A black hat might fill in the Variable field with "A Variable.';[sql exploit here]". The SQL injection would mean that the SQL statement you executed would read like this:

[code]select * from 'A Variable.';[sql exploit here][/code]

because the ';' terminates the current statement. Where the database driver accepts a batch of statements (as ADO does against SQL Server), the parser treats whatever follows the ';' as a second, separate statement and runs it too.

To check this you'd call the function from your (ASP) code like this:
[code]<%
' "object" is the instance of the class that exposes ContainsSQL
If object.ContainsSQL(CStr(Request("Variable"))) Then
    Response.Write "Thank you. "
    Response.Write "Your IP address has been logged. "
    Response.Write "Please step away from the computer, "
    Response.Write "place your hands behind your head "
    Response.Write "and await the arrival of a local law "
    Response.Write "enforcement official."
End If
%>[/code]

[b]The function[/b]
[code]' Public rather than Private so that it can be called as object.ContainsSQL
' from the ASP page above.
Public Function ContainsSQL(tValue As String) As Boolean

    Dim l As Long, n As Long

    On Error GoTo ErrHandler

    ContainsSQL = False

    ' Ensure the statement does not contain ; outside of string delimiters (')
    ' (to stop SQL stuffing exploits). A ; is outside a string when an even
    ' number of ' characters precede it: every literal opened has been closed.
    ' StringsCls.CountInString, StringsCls.OddEven, mError and SendTrace are
    ' helpers from the author's own code base and are not shown in this post.
    l = 1
    For n = 1 To StringsCls.CountInString(tValue, ";")
        l = InStr(l, tValue, ";")
        If StringsCls.OddEven(StringsCls.CountInString(Left(tValue, l), "'")) = 0 Then
            ContainsSQL = True
            Exit Function
        End If
        l = l + 1
    Next n
    Exit Function

ErrHandler:
    mError.Number = Err.Number
    mError.Description = Err.Description
    SendTrace "ContainsSQL", "Error #" & Err.Number & ": " & Err.Description

End Function[/code]
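As an added example (this is not code from the original post), here is the same check ported to Python and exercised against an in-memory SQLite table, alongside the vulnerable concatenation from above and its parameter-bound counterpart. The table, the payloads and the query shape are constructed for the demonstration: a WHERE clause is assumed, since the post's "select * from '...'" is not a complete statement on its own. The port applies the check to the assembled statement, which is what the function's own comment ("the statement") describes; applied to the raw request value alone, the attacker's closing quote is the first quote in the string, so the ';' after it counts as inside a literal and the parity test comes out the other way. The last two calls show where the check stops: a payload with no ';' at all is never flagged and still returns every row, which is what binding the value as a parameter prevents.

```python
import sqlite3

# Constructed sample data for this example; not from the original post.
USERS = [("alice", "user"), ("bob", "user"), ("carol", "admin")]

# Assumed query shape: the post splices the request value between single
# quotes, so the same thing is done here inside a WHERE clause.
QUERY_PREFIX = "SELECT name, role FROM users WHERE name = '"
QUERY_SUFFIX = "'"


def contains_sql(statement: str) -> bool:
    """Port of the post's ContainsSQL.

    True when a ';' appears outside single-quoted literals, judged the same
    way as the VB code: count the ' characters before the ';' and flag it
    when that count is even (every literal opened so far has been closed).
    """
    for pos, ch in enumerate(statement):
        if ch == ";" and statement[:pos].count("'") % 2 == 0:
            return True
    return False


def build_query(value: str) -> str:
    """The vulnerable pattern from the post: request value concatenated in."""
    return QUERY_PREFIX + value + QUERY_SUFFIX


def fresh_db() -> sqlite3.Connection:
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]


def unguarded_batch(conn: sqlite3.Connection, value: str) -> int:
    """Runs the concatenated query as a batch with no check at all.

    executescript() accepts several ';'-separated statements, like an ADO
    batch against SQL Server, which is what makes ';' stacking effective.
    Returns the number of users left so the side effect is visible."""
    conn.executescript(build_query(value))
    return user_count(conn)


def guarded_batch(conn: sqlite3.Connection, value: str):
    """Same batch execution, refused (returns None) when the assembled
    statement contains a ';' outside a string literal."""
    statement = build_query(value)
    if contains_sql(statement):
        return None
    conn.executescript(statement)
    return user_count(conn)


def single_statement(conn: sqlite3.Connection, value: str) -> list:
    """Concatenated query run as one statement: no ';' is needed to inject
    here, so the ContainsSQL check does not help."""
    return conn.execute(build_query(value)).fetchall()


def parameterized(conn: sqlite3.Connection, value: str) -> list:
    """The hardened form: the value is bound as a parameter and never parsed
    as SQL, so quotes and semicolons in it are plain data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (value,)
    ).fetchall()


if __name__ == "__main__":
    stacked = "alice'; DELETE FROM users WHERE '1'='1"  # the post's ';' case
    tautology = "' OR '1'='1"                            # no ';' at all
    print("stacked, unguarded  -> users left:", unguarded_batch(fresh_db(), stacked))
    print("stacked, guarded    -> result:", guarded_batch(fresh_db(), stacked))
    print("'foo; bar', guarded -> users left:", guarded_batch(fresh_db(), "foo; bar"))
    print("tautology, single   ->", single_statement(fresh_db(), tautology))
    print("tautology, bound    ->", parameterized(fresh_db(), tautology))
```

The "foo; bar" call shows the allowance the check is built around: a ';' that sits between an opened and a closed quote is treated as data and the batch runs as normal.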

By admin

Former Freehand Freelance Graphic Illustrator... been online since 2004 ( late starter ), blogging since 2005, presently writing a suspense-thriller e-book that began as a screenplay.