Solved

ASP Function Char replace issue

Posted on 2008-10-10
6
945 Views
Last Modified: 2012-05-05
I am trying to stop SQL injection attacks.
I have written the following function that will help filter out the commands.
But i can't get it to output the VAR.

+ i'm not sure if how i'm going to use this funiction again and again for dirrent fields
from request.form().  like username and password.

But first things first.  Please can someone let me know why i can't get an output from the following:
<% 

function killChars(inputtext) 

			dim badChars 

			dim newChars 

			

			badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=") 

			newChars = inputtext 

			

			for i = 0 to uBound(badChars) 

			newChars = replace(newChars, badChars(i), "") 

			next 

			 response.write(inputtext & "done | ")

end function 
 

text1 = "Hello ' select bye"
 

call KillChars(text1)

response.write("CLEAN:" & newChars)

%>

Open in new window

0
Comment
Question by:myhc
6 Comments
 
LVL 6

Expert Comment

by:RemcovC
Comment Utility
You are using a var outside a function in which you declared it, that wont work

You could try something like this:

<%
function killChars(inputtext)
      dim badChars
                  
      badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=")
                  
      for i = 0 to uBound(badChars)
            killChars = replace(inputtext, badChars(i), "")
      next
      response.write(inputtext & "done | ")
end function
 
text1 = "Hello ' select bye"

response.write("CLEAN:" & KillChars(text1))
%>
0
 
LVL 3

Expert Comment

by:sam_norian
Comment Utility
Hi,
 
 This uses a slightly different approach but should achieve the same result....

function killChars(inputtext)

    if not isNull(inputtext) then

        inputtext = Replace(inputtext,"select","")

        inputtext = Replace(inputtext,"drop","")

        inputtext = Replace(inputtext,"insert","")

        inputtext = Replace(inputtext,"delete","")

        inputtext = Replace(inputtext,"xp_","")

        inputtext = Replace(inputtext,"=","")

        inputtext = Replace(inputtext,"--","")

        inputtext = Replace(inputtext,";","")

        killChars = inputtext

     else

        inputtext = ""

     end if

end function
 

'''''''''''''To Call You Can Then Do..'''''''''''''''''''''''
 

killChars(request.form("YourField"))

Open in new window

0
 
LVL 6

Expert Comment

by:RemcovC
Comment Utility
made a small error in the code....

<%
function killChars(inputtext)
      dim badChars
      killChars = inputtext          
      badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=")
                 
      for i = 0 to uBound(badChars)
            killChars = replace(killChars , badChars(i), "")
      next
      response.write(inputtext & "done | ")
end function
 
text1 = "Hello ' select bye"

response.write("CLEAN:" & KillChars(text1))
%>
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 7

Accepted Solution

by:
bluV11t earned 230 total points
Comment Utility
<%
function killChars(inputtext)
                        dim badChars
                        dim newChars
                       
                        badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_", "=")
                        newChars = inputtext
                       
                        for i = 0 to uBound(badChars)
                        newChars = replace(newChars, badChars(i), "")
                        next
                         response.write(inputtext & "done | ")
'THIS IS STEP1
killChars = inputtext

end function
 
text1 = "Hello ' select bye"
 
'THIS IS STEP2
myNewVariable = KillChars(text1)
response.write("CLEAN:" & myNewVariable )
%>
0
 
LVL 12

Assisted Solution

by:R_Harrison
R_Harrison earned 20 total points
Comment Utility
By the way you also want to add single quote ' and colon : to you list of badChars, otherwise hackers will still be able to run SQL injection.

Also develop a second function for values that should be numeric (to ensure they are numeric) as these are the most vunerable to sql injection.    For you second function a simple isNumeric() should suffice.
0
 
LVL 7

Author Closing Comment

by:myhc
Comment Utility
Sorted my code, works fine - Thank You
Harrison, Advised on more issues with SQL.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

I have helped a lot of people on EE with their coding sources and have enjoyed near about every minute of it. Sometimes it can get a little tedious but it is always a challenge and the one thing that I always say is:  The Exchange of information …
Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now