ASP - SQL Injection Prevention


cancer10
04-23-2008, 01:58 AM
Hi

I wrote this piece of function that will help prevent SQL Injections in my ASP pages.

Please review this code and tell me if it's good and will do the needful. If not, then why and what is the correct code.


<%
' Strips characters and sequences commonly seen in SQL injection attempts.
function dbsafe(data)
data = replace(data,";","")
data = replace(data,"'","")
data = replace(data,"--","")
data = replace(data,"/*","")
data = replace(data,"*/","")
data = replace(data,"*","")
data = replace(data,"/","")
data = replace(data,"xp_","")
' VBScript returns a value by assigning to the function name;
' without this line the caller always gets Empty back.
dbsafe = data
end function
%>


Thanx so much

yamaharuss
04-23-2008, 09:22 AM
It looks OK but I would not use it as a global function for ALL query fields.

What if someone is submitting the following text to a db field...

"This product can't be beat. Sale ends 4/25/2008. *Limit one per customer"

Or what if the field is just a date field?

Your function will erase the apostrophe and asterisk and screw up the date. It's usually best to run your functions based on the type of input.

WilsonZone
07-17-2008, 03:09 PM
I know this is old but I thought I'd include what I used (I found this online but I can't recall where):



' VB.NET (ASP.NET) version: doubles apostrophes, then strips blacklisted tokens.
Private blackList As String() = {"--", ";--", ";", "/*", "*/", "@@", _
"@", "char", "nchar", "varchar", "nvarchar", "alter", _
"begin", "cast", "create", "cursor", "declare", "delete", _
"drop", "end", "exec", "execute", "fetch", "insert", _
"kill", "open", "select", "sys", "sysobjects", "syscolumns", _
"table", "update"}

Public Function CheckInject(ByVal BefString As String) As String
Dim CheckString As String = Replace(BefString, "'", "''")
For i As Integer = 0 To blackList.Length - 1
If (BefString.IndexOf(blackList(i), StringComparison.OrdinalIgnoreCase) >= 0) Then
' The check above is case-insensitive, so the replace must be too;
' the default (CompareMethod.Binary) would leave "SELECT" untouched.
CheckString = Replace(CheckString, blackList(i), "", 1, -1, CompareMethod.Text)
End If
Next
Return CheckString
End Function
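Added example for the original question of what the correct code looks like, not code from any poster in this thread: in classic ASP, bind user input as ADODB.Command parameters so it is never spliced into the SQL text, and validate a date field by type instead of stripping characters. The Reviews table, the connection string and the sample values are assumptions.

```vbscript
<%
Option Explicit
' Added example (not from this thread). Runs yamaharuss's sample text through a
' parameterized INSERT and a parameterized SELECT: the apostrophe, the slashes
' and the asterisk reach the database unchanged, as data rather than SQL.
Const adCmdText = 1, adParamInput = 1
Const adVarWChar = 202, adDBTimeStamp = 135

Dim comment, saleDate
' Constructed input (the text dbsafe would mangle).
comment  = "This product can't be beat. Sale ends 4/25/2008. *Limit one per customer"
saleDate = "4/25/2008"

' Date field: validate by type and reject, do not rewrite.
If Not IsDate(saleDate) Then
    Response.Write "Invalid date"
    Response.End
End If

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
' Assumed connection string; replace with your own.
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Shop;Integrated Security=SSPI"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Fixed SQL text; each ? is a slot the driver fills with a typed value.
cmd.CommandText = "INSERT INTO Reviews (Comment, SaleDate) VALUES (?, ?)"
cmd.Parameters.Append cmd.CreateParameter("Comment", adVarWChar, adParamInput, 1000, comment)
cmd.Parameters.Append cmd.CreateParameter("SaleDate", adDBTimeStamp, adParamInput, , CDate(saleDate))
cmd.Execute

' Same pattern for a lookup: the user-supplied date is a parameter, not string glue.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Comment FROM Reviews WHERE SaleDate = ?"
cmd.Parameters.Append cmd.CreateParameter("SaleDate", adDBTimeStamp, adParamInput, , CDate(saleDate))
Set rs = cmd.Execute
Do Until rs.EOF
    ' Encoding belongs at output time, separate from the database layer.
    Response.Write Server.HTMLEncode(rs("Comment")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

With parameters in place, dbsafe and CheckInject are no longer what stands between user input and the query, so they can be replaced by per-field validation of the kind yamaharuss describes.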