SQL Injection Is this Good

Question

I have done quite a bit of research on this but I'm still having a problem understanding it. However I want to make sure that I am properly protected. I wrote a function in Classic ASP to help prevent a SQL Injection or possible brute force to the DB. Could you guys give me your own input and suggestions if I need to add to it or remove things or even correct issues to make it more secure? Thank you very much in advance!!

I use this below right before inserting in to a MySQL database.

An example insert:

conn.execute("INSERT INTO " & employees & "(eid, first_name, last_name) VALUES('" & Clng(strEID) & "','" & SQLClean(strfirstname) & "','" & SQLClean(strlastname) & "');")

The function:

Private Function SQLClean(ByVal strString)
    If strString <> "" Then
        strString = Trim(strString)

        'Remove malisous charcters from sql\
        strString = replace(strString,"-shutdown","", 1, -1, 1)
        strString = replace(strString,"","\", 1, -1, 1)
        strString = replace(strString,"=","\=", 1, -1, 1)
        strString = replace(strString,",","\,", 1, -1, 1)
        strString = replace(strString,"`","\`", 1, -1, 1)
        strString = replace(strString,"&","\&", 1, -1, 1)
        strString = replace(strString,"/","/", 1, -1, 1)      
        strString = replace(strString,"[","$$", 1, -1, 1)
        strString = replace(strString,"]","$$", 1, -1, 1)
        strString = replace(strString,"{","\{", 1, -1, 1)
        strString = replace(strString,"}","\}", 1, -1, 1)
        strString = replace(strString,"(","$", 1, -1, 1)
        strString = replace(strString,")","$", 1, -1, 1)
        strString = replace(strString,";","\;", 1, -1, 1)
        strString = replace(strString,"+","\+", 1, -1, 1)
        strString = replace(strString,"<","\<", 1, -1, 1)
        strString = replace(strString,">","\>", 1, -1, 1)
        strString = replace(strString,"^","\^", 1, -1, 1)
        strString = replace(strString,"@","\@", 1, -1, 1)
        strString = replace(strString,"$","\$", 1, -1, 1)
        strString = replace(strString,"%","\%", 1, -1, 1)
        strString = replace(strString,"!","\!", 1, -1, 1)
        strString = replace(strString,"*","\*", 1, -1, 1)
        strString = replace(strString,"~","\~", 1, -1, 1)
        strString = replace(strString,"#","\#", 1, -1, 1)
        strString = replace(strString,"?","\?", 1, -1, 1)
        strString = replace(strString,"'","\'", 1, -1, 1)
        strString = replace(strString,"""","""", 1, -1, 1)
        strString = replace(strString,"select","\select", 1, -1, 1)
        strString = replace(strString,"insert","\insert", 1, -1, 1)
        strString = replace(strString,"update","\update", 1, -1, 1)
        strString = replace(strString,"delete","\delete", 1, -1, 1)
        strString = replace(strString," or "," \or ", 1, -1, 1)
        strString = replace(strString," and "," \and ", 1, -1, 1)
        strString = replace(strString,"drop","\drop", 1, -1, 1)
        strString = replace(strString,"union","\union", 1, -1, 1)
        strString = replace(strString,"into","\into", 1, -1, 1)

        'Return cleaned value.
        SQLClean = Trim(strString)

    End If
End Function

tadman · Accepted Answer

Please, DO NOT under any circumstances attempt to write your own SQL escaping code unless it is purely an academic exercise. You will get it wrong. If someone uses a SQL injection attack tool on your site you will suffer severe consequences. Businesses and careers have been destroyed by people taking a casual approach to this.

It took me all of three minutes to find an example on StackOverflow talking about Classic ASP and MySQL queries using parameters.

Please, please, please use the official facilities and do not roll your own.

SQL Injection Is this Good

Answers (2)

Related Questions