SQL injection is good

I have done a lot of research on this, but I still have a problem understanding this. However, I want to make sure that I am properly protected. I wrote a function in classic ASP to help prevent SQL injection or possible brute force for the database. Could you guys give me your own input and suggestions if I need to add to it or delete something or even fix problems to make it more secure? Thank you in advance!

I use this below right before pasting into a MySQL database.

Insert example:

conn.execute("INSERT INTO " & employees & "(eid, first_name, last_name) VALUES('" & Clng(strEID) & "','" & SQLClean(strfirstname) & "','" & SQLClean(strlastname) & "');") 

Function:

 Private Function SQLClean(ByVal strString)
     If strString <> "" Then
         strString = Trim(strString)
         'Remove malicious characters from SQL
         strString = replace(strString,"-shutdown","", 1, -1, 1)
         strString = replace(strString,"\","\\", 1, -1, 1)
         strString = replace(strString,"=","\=", 1, -1, 1)
         strString = replace(strString,",","\,", 1, -1, 1)
         strString = replace(strString,"`","\`", 1, -1, 1)
         strString = replace(strString,"&","\&", 1, -1, 1)
         strString = replace(strString,"/","\/", 1, -1, 1)
         strString = replace(strString,"[","\[", 1, -1, 1)
         strString = replace(strString,"]","\]", 1, -1, 1)
         strString = replace(strString,"{","\{", 1, -1, 1)
         strString = replace(strString,"}","\}", 1, -1, 1)
         strString = replace(strString,"(","\(", 1, -1, 1)
         strString = replace(strString,")","\)", 1, -1, 1)
         strString = replace(strString,";","\;", 1, -1, 1)
         strString = replace(strString,"+","\+", 1, -1, 1)
         strString = replace(strString,"<","\<", 1, -1, 1)
         strString = replace(strString,">","\>", 1, -1, 1)
         strString = replace(strString,"^","\^", 1, -1, 1)
         strString = replace(strString,"@","\@", 1, -1, 1)
         strString = replace(strString,"$","\$", 1, -1, 1)
         strString = replace(strString,"%","\%", 1, -1, 1)
         strString = replace(strString,"!","\!", 1, -1, 1)
         strString = replace(strString,"*","\*", 1, -1, 1)
         strString = replace(strString,"~","\~", 1, -1, 1)
         strString = replace(strString,"#","\#", 1, -1, 1)
         strString = replace(strString,"?","\?", 1, -1, 1)
         strString = replace(strString,"'","\'", 1, -1, 1)
         strString = replace(strString,"""","\""", 1, -1, 1)
         strString = replace(strString,"select","\select", 1, -1, 1)
         strString = replace(strString,"insert","\insert", 1, -1, 1)
         strString = replace(strString,"update","\update", 1, -1, 1)
         strString = replace(strString,"delete","\delete", 1, -1, 1)
         strString = replace(strString," or "," \or ", 1, -1, 1)
         strString = replace(strString," and "," \and ", 1, -1, 1)
         strString = replace(strString,"drop","\drop", 1, -1, 1)
         strString = replace(strString,"union","\union", 1, -1, 1)
         strString = replace(strString,"into","\into", 1, -1, 1)
         'Return cleaned value.
         SQLClean = Trim(strString)
     End If
 End Function
+4
2 answers

Please DO NOT, under any circumstances, try to write your own SQL escaping code if this is not a purely academic exercise. You will be mistaken. If someone uses an SQL injection tool on your site, you will have serious consequences. Businesses and careers have been destroyed by people who casually approach it.

It took me only three minutes to find fooobar.com/questions/1432409 / ..., which explains Classic ASP and MySQL queries using parameters.

Please, please, please use the official facilities and do not roll your own.

+15

Here's a good read (link) on preventing SQL injection attacks in ASP Classic scripts.

It is also worth noting that you should always validate your variables against the correct values before placing them in the SQL query. Checking for the correct values is usually simpler than checking for all the possible bad things that people can put into variables.

-1
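Combining the two answers above (bound parameters instead of string concatenation, and allow-list validation of the values first), here is an added Classic ASP example that is not code from the question or from either answer. The `conn` object, the `employees` table and its three columns are taken from the question; the `IsValid` and `InsertEmployee` names, the regular-expression patterns and the length limits are my own assumptions.

```vbscript
<%
Option Explicit
' Added example: validate inputs against an allow-list, then pass them to
' MySQL as bound parameters through ADODB.Command so the values never
' become part of the SQL text. Patterns and limits are assumed, not the
' poster's; adjust them to the real business rules.

Const adCmdText    = 1
Const adParamInput = 1
Const adInteger    = 3
Const adVarChar    = 200

' Allow-list check: True only if the value is short enough and matches
' the pattern of what we expect, rather than not matching a blacklist.
Function IsValid(ByVal value, ByVal pattern, ByVal maxLen)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    re.IgnoreCase = False
    IsValid = (Len(value) <= maxLen) And re.Test(value)
End Function

' Returns True when the row was inserted, False when a value was rejected.
Function InsertEmployee(ByVal conn, ByVal strEID, ByVal strFirstName, ByVal strLastName)
    InsertEmployee = False
    ' eid must be a plain positive integer; names are letters plus the
    ' few punctuation marks that occur in real names (O'Brien, Smith-Jones).
    If Not IsValid(strEID, "^[0-9]{1,9}$", 9) Then Exit Function
    If Not IsValid(strFirstName, "^[A-Za-z][A-Za-z '-]*$", 50) Then Exit Function
    If Not IsValid(strLastName,  "^[A-Za-z][A-Za-z '-]*$", 50) Then Exit Function

    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholders are filled in by the driver: an apostrophe inside a
    ' name is sent as data, so no escaping function like SQLClean is needed.
    cmd.CommandText = "INSERT INTO employees (eid, first_name, last_name) VALUES (?, ?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("eid", adInteger, adParamInput, , CLng(strEID))
    cmd.Parameters.Append cmd.CreateParameter("first_name", adVarChar, adParamInput, 50, strFirstName)
    cmd.Parameters.Append cmd.CreateParameter("last_name", adVarChar, adParamInput, 50, strLastName)
    cmd.Execute
    Set cmd = Nothing
    InsertEmployee = True
End Function

' Usage (conn is an open ADODB.Connection to the MySQL database):
' If Not InsertEmployee(conn, Request.Form("eid"), Request.Form("first_name"), Request.Form("last_name")) Then
'     Response.Write "Invalid input"
' End If
%>
```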

Source: https://habr.com/ru/post/1432406/
