Fight Against SQL Injection Attacks

Published on 11/22/2007 by Site Editor

Security problems become far more damaging if you do not protect your web forms. The following example is one way to protect classic ASP pages against SQL injection attacks: this small piece of ASP code validates the information coming in from your forms before it is used in a database query.

<%
    ' Read the login form fields and strip leading/trailing spaces
    uname = Trim(Request.Form("uname"))
    pword = Trim(Request.Form("pword"))

    ' Only run the query when both values pass the character check in IsValidString below
    If IsValidString(uname) = True And IsValidString(pword) = True Then
        ' strCon is the site's connection string, defined elsewhere (not shown in the article)
        Set Con = Server.CreateObject("ADODB.Connection")
        Con.Open strCon
        sql = "Select userID, nickName, pword, isAdmin, email from mysite_Members "
        sql = sql & " WHERE  email = '"& uname & "' AND pword = '"& pword & "' AND editor = 1 AND active = 0 "
        Set rec = Con.Execute(sql)
        If rec.EOF Then
            Response.Write("Login failed !" & vbNewLine)
            loggedIn = False
        Else
            ' Store the member's details in the session
            Session("userID") = rec("userID")
            Session("nickName") = rec("nickName")
            Session("email") = rec("email")
            Session("pword") = rec("pword")
            Session("isAdmin") = rec("isAdmin")
            loggedIn = True
        End If
        rec.Close
        Set rec = Nothing
        Con.Close
        Set Con = Nothing
        ' Redirect only after the connection is released: Response.Redirect ends the page
        If loggedIn Then Response.Redirect "default.asp"
    End If

' Returns True when sValidate contains none of the disallowed characters or patterns
Function IsValidString(sValidate)
    Dim sInvalidChars
    Dim bTemp
    Dim i
    ' Disallowed characters
    sInvalidChars = "!#$%^&*()=+{}[]|\\;?><'"
    For i = 1 To Len(sInvalidChars)
        If InStr(sValidate, Mid(sInvalidChars, i, 1)) > 0 Then bTemp = True
        If bTemp Then Exit For
    Next
    ' Reject the non-breaking space (ANSI 160)
    For i = 1 To Len(sValidate)
        If Asc(Mid(sValidate, i, 1)) = 160 Then bTemp = True
        If bTemp Then Exit For
    Next

    ' Reject "..", double spaces, and leading or trailing spaces
    If Not bTemp Then
        bTemp = InStr(sValidate, "..") > 0
    End If
    If Not bTemp Then
        bTemp = InStr(sValidate, "  ") > 0
    End If
    If Not bTemp Then
        bTemp = (Len(sValidate) <> Len(Trim(sValidate)))
    End If 'Addition for leading and trailing spaces

    ' if any of the above are true, invalid string
    IsValidString = Not bTemp
End Function
%>
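The character blacklist above keeps the single quote out of the form fields, so the string literals in the query cannot be broken out of, but a blacklist only works for as long as it anticipates every character and encoding that could matter, and it has to be maintained on every page that builds SQL. The structural fix is to stop splicing form values into the SQL text at all. The following is an added example, not code from the original article: the same login check written with an ADODB.Command and bound parameters, so that uname and pword reach the database as values rather than as part of the statement. It assumes the strCon connection string, the mysite_Members table and its columns, and the uname/pword form fields from the article; the 255-character field width, the FindMember function name and the ADO constant values are this example's own.

```vbscript
<%
' Added example, not from the original article: the login check with an
' ADODB.Command and bound parameters, so uname and pword are never spliced
' into the SQL text. Assumed from the article: strCon, the mysite_Members
' table and its columns, and the uname/pword form fields.
Option Explicit

' ADO constants that adovbs.inc would normally provide; literal values so no include is needed
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const MAX_FIELD_LEN = 255   ' assumed width of the email and pword columns

Dim strCon
strCon = "PLACEHOLDER: the site's connection string, defined elsewhere on the site"

' Returns an open recordset positioned on the matching member, or Nothing when no row matches.
Function FindMember(Con, email, pword)
    Dim cmd, rec
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Con
    cmd.CommandType = adCmdText
    ' The two ? placeholders are filled by the parameters appended below, in order
    cmd.CommandText = "SELECT userID, nickName, email, isAdmin FROM mysite_Members " & _
                      "WHERE email = ? AND pword = ? AND editor = 1 AND active = 0"
    cmd.Parameters.Append cmd.CreateParameter("email", adVarChar, adParamInput, MAX_FIELD_LEN, email)
    cmd.Parameters.Append cmd.CreateParameter("pword", adVarChar, adParamInput, MAX_FIELD_LEN, pword)
    Set rec = cmd.Execute
    If rec.EOF Then
        rec.Close
        Set FindMember = Nothing
    Else
        Set FindMember = rec
    End If
End Function

Dim uname, pword, Con, rec, loggedIn
uname = Trim(Request.Form("uname"))
pword = Trim(Request.Form("pword"))
loggedIn = False

' With parameters, a quote in the input is just data, so the remaining validation is
' that both fields are present and fit the column width. IsValidString from the
' article can still be applied on top of this as a business rule if wanted.
If Len(uname) > 0 And Len(uname) <= MAX_FIELD_LEN And Len(pword) > 0 And Len(pword) <= MAX_FIELD_LEN Then
    Set Con = Server.CreateObject("ADODB.Connection")
    Con.Open strCon
    Set rec = FindMember(Con, uname, pword)
    If rec Is Nothing Then
        Response.Write "Login failed !" & vbNewLine
    Else
        Session("userID") = rec("userID")
        Session("nickName") = rec("nickName")
        Session("email") = rec("email")
        Session("isAdmin") = rec("isAdmin")
        ' The password is deliberately not copied into the session; nothing needs it again
        rec.Close
        Set rec = Nothing
        loggedIn = True
    End If
    Con.Close
    Set Con = Nothing
    ' Redirect last: Response.Redirect ends the page, so the connection is released first
    If loggedIn Then Response.Redirect "default.asp"
Else
    Response.Write "Login failed !" & vbNewLine
End If
%>
```

The query text is now a constant, so the provider compiles it once and binds the two values separately; the same value that would have terminated the literal in the concatenated version is compared against the email column as an ordinary string. The ADO constants are declared inline with their documented numeric values so the page runs without adovbs.inc; if the site already includes that file, drop the three Const lines to avoid a redefinition error.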
