Fight Against SQL Injection Attacks
Published on 11/22/2007 by Site Editor
Unvalidated form fields are the usual way SQL injection reaches a database: if a user can get a single quote into a value that is pasted into a query string, the user can rewrite the query. The example below is a login page that validates both form values with a character blacklist before they are used in a query and rejects anything that does not pass. Two caveats apply. The check protects this particular query only because the values are embedded in single-quoted literals and the quote itself is rejected; a value used in a numeric context, or a later edit that drops a character from the list, would reopen the hole, so bound parameters (an ADODB.Command with ? placeholders) are the more robust fix. The list also rejects legitimate input such as e-mail addresses containing a plus sign, and the script compares passwords in plaintext, which means the stored value should be a hash rather than the password itself.
<%
' strCon is the database connection string, assumed to be defined elsewhere on the page.
uname = Trim(Request.Form("uname"))
pword = Trim(Request.Form("pword"))

If IsValidString(uname) = True And IsValidString(pword) = True Then
    Set Con = Server.CreateObject("ADODB.Connection")
    Con.Open strCon

    ' Both values are embedded in single-quoted literals. This is only safe because
    ' IsValidString rejects the single quote; a value used in a numeric context
    ' would not be protected by that check.
    sql = "SELECT userID, nickName, isAdmin, email FROM mysite_Members "
    sql = sql & " WHERE email = '" & uname & "' AND pword = '" & pword & "' AND editor = 1 AND active = 0 "
    Set rec = Con.Execute(sql)

    If rec.EOF Then
        loginOK = False
    Else
        loginOK = True
        Session("userID")   = rec("userID")
        Session("nickName") = rec("nickName")
        Session("email")    = rec("email")
        Session("isAdmin")  = rec("isAdmin")
        ' The password is deliberately not copied into the session; nothing needs it after login.
    End If

    ' Release the recordset and connection before redirecting, because
    ' Response.Redirect ends the response and nothing after it would run.
    rec.Close
    Set rec = Nothing
    Con.Close
    Set Con = Nothing

    If loginOK Then
        Response.Redirect "default.asp"
    Else
        Response.Write("Login failed!" & vbNewLine)
    End If
End If

Function IsValidString(sValidate)
    Dim sInvalidChars
    Dim bTemp
    Dim i
    bTemp = False

    ' Disallowed characters. Note what is not on the list: the double quote, the
    ' hyphen (so a "--" comment marker passes) and the forward slash. The list
    ' covers the single-quoted string context used in the query above and nothing else.
    sInvalidChars = "!#$%^&*()=+{}[]|\;?><'"
    For i = 1 To Len(sInvalidChars)
        If InStr(sValidate, Mid(sInvalidChars, i, 1)) > 0 Then bTemp = True
        If bTemp Then Exit For
    Next

    ' Reject the non-breaking space (character 160), which Trim does not remove
    For i = 1 To Len(sValidate)
        If Asc(Mid(sValidate, i, 1)) = 160 Then bTemp = True
        If bTemp Then Exit For
    Next

    ' Reject "..", embedded spaces, and leading or trailing whitespace
    If Not bTemp Then bTemp = InStr(sValidate, "..") > 0
    If Not bTemp Then bTemp = InStr(sValidate, " ") > 0
    If Not bTemp Then bTemp = (Len(sValidate) <> Len(Trim(sValidate)))

    ' If any of the above is true, the string is invalid
    IsValidString = Not bTemp
End Function
%>
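The same login lookup written with bound parameters, as an added example that is not part of the original tutorial. With an ADODB.Command the values never become part of the SQL text, so a quote in the user name cannot terminate the string literal, and the query stays safe even if the blacklist above is incomplete or skipped. It assumes the same strCon connection string, the mysite_Members table and column names used in the article, and a provider that accepts ? placeholders (the Jet/ACE OLE DB provider for Access and the SQL Server providers both do).

```vbscript
<%
' Added example: parameterized version of the article's login query.
' Assumes strCon (connection string) and the mysite_Members table from the page.
Dim uname, pword, Con, Cmd, rec, loginOK
uname = Trim(Request.Form("uname"))
pword = Trim(Request.Form("pword"))

' Length checks are still worth doing (they bound the parameter sizes below),
' but correctness no longer depends on rejecting particular characters.
If Len(uname) > 0 And Len(uname) <= 254 And Len(pword) > 0 And Len(pword) <= 128 Then
    Set Con = Server.CreateObject("ADODB.Connection")
    Con.Open strCon

    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Con
    Cmd.CommandType = 1                                  ' adCmdText
    ' Each ? is filled in by the provider from the bound parameter in order.
    Cmd.CommandText = "SELECT userID, nickName, isAdmin, email " & _
                      "FROM mysite_Members " & _
                      "WHERE email = ? AND pword = ? AND editor = 1 AND active = 0"
    ' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 1 = adParamInput
    Cmd.Parameters.Append Cmd.CreateParameter("email", 200, 1, 254, uname)
    Cmd.Parameters.Append Cmd.CreateParameter("pword", 200, 1, 128, pword)

    Set rec = Cmd.Execute

    If rec.EOF Then
        loginOK = False
    Else
        loginOK = True
        Session("userID")   = rec("userID")
        Session("nickName") = rec("nickName")
        Session("email")    = rec("email")
        Session("isAdmin")  = rec("isAdmin")
    End If

    ' Clean up before redirecting; Response.Redirect ends the response.
    rec.Close
    Set rec = Nothing
    Set Cmd = Nothing
    Con.Close
    Set Con = Nothing

    If loginOK Then
        Response.Redirect "default.asp"
    Else
        Response.Write("Login failed!" & vbNewLine)
    End If
End If
%>
```

A value such as ' OR '1'='1 submitted as the user name is passed to the provider as a 254-character varchar parameter and compared literally against the email column, so the WHERE clause is unchanged. The character checks from IsValidString can still be applied on top of this for input hygiene, but they are no longer what keeps the query intact.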