?
Solved

ASP Function Char replace issue

Posted on 2008-10-10
6
Medium Priority
?
959 Views
Last Modified: 2012-05-05
I am trying to stop SQL injection attacks.
I have written the following function that will help filter out the commands.
But i can't get it to output the VAR.

+ i'm not sure if how i'm going to use this funiction again and again for dirrent fields
from request.form().  like username and password.

But first things first.  Please can someone let me know why i can't get an output from the following:
<% 
function killChars(inputtext) 
			dim badChars 
			dim newChars 
			
			badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=") 
			newChars = inputtext 
			
			for i = 0 to uBound(badChars) 
			newChars = replace(newChars, badChars(i), "") 
			next 
			 response.write(inputtext & "done | ")
end function 
 
text1 = "Hello ' select bye"
 
call KillChars(text1)
response.write("CLEAN:" & newChars)
%>

Open in new window

0
Comment
Question by:myhc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 6

Expert Comment

by:RemcovC
ID: 22686181
You are using a var outside a function in which you declared it, that wont work

You could try something like this:

<%
function killChars(inputtext)
      dim badChars
                  
      badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=")
                  
      for i = 0 to uBound(badChars)
            killChars = replace(inputtext, badChars(i), "")
      next
      response.write(inputtext & "done | ")
end function
 
text1 = "Hello ' select bye"

response.write("CLEAN:" & KillChars(text1))
%>
0
 
LVL 3

Expert Comment

by:sam_norian
ID: 22686189
Hi,
 
 This uses a slightly different approach but should achieve the same result....

function killChars(inputtext)
    if not isNull(inputtext) then
        inputtext = Replace(inputtext,"select","")
        inputtext = Replace(inputtext,"drop","")
        inputtext = Replace(inputtext,"insert","")
        inputtext = Replace(inputtext,"delete","")
        inputtext = Replace(inputtext,"xp_","")
        inputtext = Replace(inputtext,"=","")
        inputtext = Replace(inputtext,"--","")
        inputtext = Replace(inputtext,";","")
        killChars = inputtext
     else
        inputtext = ""
     end if
end function
 
'''''''''''''To Call You Can Then Do..'''''''''''''''''''''''
 
killChars(request.form("YourField"))

Open in new window

0
 
LVL 6

Expert Comment

by:RemcovC
ID: 22686214
made a small error in the code....

<%
function killChars(inputtext)
      dim badChars
      killChars = inputtext          
      badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=")
                 
      for i = 0 to uBound(badChars)
            killChars = replace(killChars , badChars(i), "")
      next
      response.write(inputtext & "done | ")
end function
 
text1 = "Hello ' select bye"

response.write("CLEAN:" & KillChars(text1))
%>
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 7

Accepted Solution

by:
bluV11t earned 920 total points
ID: 22690678
<%
function killChars(inputtext)
                        dim badChars
                        dim newChars
                       
                        badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=")
                        newChars = inputtext
                       
                        for i = 0 to uBound(badChars)
                        newChars = replace(newChars, badChars(i), "")
                        next
                         response.write(inputtext & "done | ")
'THIS IS STEP1
killChars = inputtext

end function
 
text1 = "Hello ' select bye"
 
'THIS IS STEP2
myNewVariable = KillChars(text1)
response.write("CLEAN:" & myNewVariable )
%>
0
 
LVL 12

Assisted Solution

by:R_Harrison
R_Harrison earned 80 total points
ID: 22695342
By the way you also want to add single quote ' and colon : to you list of badChars, otherwise hackers will still be able to run SQL injection.

Also develop a second function for values that should be numeric (to ensure they are numeric) as these are the most vunerable to sql injection.    For you second function a simple isNumeric() should suffice.
0
 
LVL 7

Author Closing Comment

by:myhc
ID: 31504976
Sorted my code, works fine - Thank You
Harrison, Advised on more issues with SQL.
0

Featured Post

Want to be a Web Developer? Get Certified Today!

Enroll in the Certified Web Development Professional course package to learn HTML, Javascript, and PHP. Build a solid foundation to work toward your dream job!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I would like to start this tip/trick by saying Thank You, to all who said that this could not be done, as it forced me to make sure that it could be accomplished. :) To start, I want to make sure everyone understands the importance of utilizing p…
I was asked about the differences between classic ASP and ASP.NET, so let me put them down here, for reference: Let's make the introductions... Classic ASP was launched by Microsoft in 1998 and dynamically generate web pages upon user interact…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question