• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 977
  • Last Modified:

ASP Function Char replace issue

I am trying to stop SQL injection attacks.
I have written the following function that will help filter out the commands.
But i can't get it to output the VAR.

+ i'm not sure if how i'm going to use this funiction again and again for dirrent fields
from request.form().  like username and password.

But first things first.  Please can someone let me know why i can't get an output from the following:
<% 
function killChars(inputtext) 
			dim badChars 
			dim newChars 
			
			badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=") 
			newChars = inputtext 
			
			for i = 0 to uBound(badChars) 
			newChars = replace(newChars, badChars(i), "") 
			next 
			 response.write(inputtext & "done | ")
end function 
 
text1 = "Hello ' select bye"
 
call KillChars(text1)
response.write("CLEAN:" & newChars)
%>

Open in new window

0
myhc
Asked:
myhc
2 Solutions
 
RemcovCCommented:
You are using a var outside a function in which you declared it, that wont work

You could try something like this:

<%
function killChars(inputtext)
      dim badChars
                  
      badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=")
                  
      for i = 0 to uBound(badChars)
            killChars = replace(inputtext, badChars(i), "")
      next
      response.write(inputtext & "done | ")
end function
 
text1 = "Hello ' select bye"

response.write("CLEAN:" & KillChars(text1))
%>
0
 
sam_norianCommented:
Hi,
 
 This uses a slightly different approach but should achieve the same result....

function killChars(inputtext)
    if not isNull(inputtext) then
        inputtext = Replace(inputtext,"select","")
        inputtext = Replace(inputtext,"drop","")
        inputtext = Replace(inputtext,"insert","")
        inputtext = Replace(inputtext,"delete","")
        inputtext = Replace(inputtext,"xp_","")
        inputtext = Replace(inputtext,"=","")
        inputtext = Replace(inputtext,"--","")
        inputtext = Replace(inputtext,";","")
        killChars = inputtext
     else
        inputtext = ""
     end if
end function
 
'''''''''''''To Call You Can Then Do..'''''''''''''''''''''''
 
killChars(request.form("YourField"))

Open in new window

0
 
RemcovCCommented:
made a small error in the code....

<%
function killChars(inputtext)
      dim badChars
      killChars = inputtext          
      badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=")
                 
      for i = 0 to uBound(badChars)
            killChars = replace(killChars , badChars(i), "")
      next
      response.write(inputtext & "done | ")
end function
 
text1 = "Hello ' select bye"

response.write("CLEAN:" & KillChars(text1))
%>
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
bluV11tCommented:
<%
function killChars(inputtext)
                        dim badChars
                        dim newChars
                       
                        badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=")
                        newChars = inputtext
                       
                        for i = 0 to uBound(badChars)
                        newChars = replace(newChars, badChars(i), "")
                        next
                         response.write(inputtext & "done | ")
'THIS IS STEP1
killChars = inputtext

end function
 
text1 = "Hello ' select bye"
 
'THIS IS STEP2
myNewVariable = KillChars(text1)
response.write("CLEAN:" & myNewVariable )
%>
0
 
R_HarrisonCommented:
By the way you also want to add single quote ' and colon : to you list of badChars, otherwise hackers will still be able to run SQL injection.

Also develop a second function for values that should be numeric (to ensure they are numeric) as these are the most vunerable to sql injection.    For you second function a simple isNumeric() should suffice.
0
 
myhcAuthor Commented:
Sorted my code, works fine - Thank You
Harrison, Advised on more issues with SQL.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now