Posted By

elightbo on 09/02/08


Tagged

sql injection ASP



Prevent SQL Injection


 / Published in: ASP
 

URL: http://isc.sans.org/diary.html?storyid=4615&rss

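  ' ------------------------------ Begin Function ------------------------------
  ' cleanchars(str) -- whitelist-filter one request value, strip a blacklist of
  ' SQL/script keywords from what survives, and alert by mail / redirect the
  ' client when the value looks hostile.
  '
  ' Call site (as in the original):
  '   fname = cleanchars(Trim(Request("xxxxx")))
  '
  ' Order of operations:
  '   1. An apostrophe anywhere discards the whole value (str becomes "").
  '   2. A value longer than 350 characters, or containing "www", redirects the
  '      client to Your_Domain; a value containing "declare" in ANY case sends one
  '      alert mail and redirects to google.com. (The original tested "DECLARE"
  '      and "declare" as two exact spellings, so "Declare" slipped through both.)
  '   3. Every character outside ALLOWED_CHARS is dropped. If any were dropped,
  '      ONE alert mail is sent listing them. The original sent a separate mail
  '      for every rejected character, so one 350-character value could fire
  '      hundreds of messages -- a cheap way to flood the alert mailbox.
  '   4. The survivor is lower-cased and each entry of the keyword list is removed
  '      by plain substring replacement, in list order.
  '
  ' Returns: the lower-cased, filtered string (the original also returned lower
  ' case, because every Replace wrapped newstr in LCase), or "" when the value
  ' was discarded. On the redirect paths Response.Redirect ends the page, so the
  ' caller never sees a return value.
  '
  ' Caveats a maintainer must know:
  '   * Substring removal also mangles legitimate data: "set" turns "sunset" into
  '     "sun", "js" turns "jsmith" into "mith", "exe" turns "executive" into
  '     "cutive". Do not run this over free text, names or passwords.
  '   * Stripping keywords does not make string-built SQL safe. The control that
  '     works is a parameterised query (ADODB.Command with .CreateParameter /
  '     .Parameters) so user data is never parsed as SQL; treat this function as
  '     an input-shape filter plus alerting, not as the SQL-injection defence.
  '
  ' Author:
  ' President Brian Erman
  ' Nopork Motorsports, Inc.
  ' 2585 Hamner Ave,
  ' Norco CA 92860
  '
  ' This is licensed under the creative commons attribution-noncommercial 3.0 framework
  ' http://creativecommons.org/licenses/by-nc/3.0/us/
  '
  ' This function assumes you are using CDO as your object for sending mail, if
  ' you have CDONTS on your server, simply change the CDO to CDONTS and it
  ' should process exactly the same.
  Function cleanchars(str)
      ' Same character set as the original Select Case, compared byte-for-byte.
      Const ALLOWED_CHARS = " abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@.-_/&"
      Dim newstr, rejected, ii, ch, keywords, kw

      newstr = ""
      rejected = ""

      ' An apostrophe discards the whole value.
      If InStr(str, "'") > 0 Then
          str = ""
      End If

      ' Bounce oversize values before any per-character work; the original only
      ' checked the length after the loop, so it still mailed per character first.
      If Len(str) > 350 Then
          Response.Redirect("http://www.Your_Domain/")
      End If

      ' Text compare covers every casing of "declare" in one test.
      If InStr(1, str, "declare", vbTextCompare) > 0 Then
          cleanchars_alert str, ""
          Response.Redirect("http://www.google.com/")
      End If

      If InStr(str, "www") > 0 Then
          Response.Redirect("http://www.Your_Domain/")
      End If

      ' Whitelist pass: keep allowed characters, remember the rejected ones.
      For ii = 1 To Len(str)
          ch = Mid(str, ii, 1)
          If InStr(1, ALLOWED_CHARS, ch, vbBinaryCompare) > 0 Then
              newstr = newstr & ch
          Else
              rejected = rejected & ch
          End If
      Next

      ' One alert per call, listing every rejected character.
      If Len(rejected) > 0 Then
          cleanchars_alert str, rejected
      End If

      ' Blacklist pass. Lower-cased once, then every entry is removed with a text
      ' compare, so "crlf" (spelled "CRLF" in the original, which could never
      ' match after LCase) now applies. The original's "%3A".."%3F" and
      ' "&quot;"/"&amp;"/"&lt;"/"&gt;" entries are omitted: "%" and ";" never
      ' pass the whitelist, so those entries could never match anything.
      ' "set" was listed twice in the original; it is applied once here.
      newstr = LCase(newstr)
      keywords = Array( _
          " or ", " and ", " from ", " into ", "insert", "update", "set", "where", "drop", _
          "values", "null", "http", "js", "declare", "script", "xp_", "crlf", "exec", _
          "onvarchar", " cast ", "00100111", "00100010", "00111100", "select", "0x", _
          "exe", "delete", "go ", "create", "convert")
      For Each kw In keywords
          newstr = Replace(newstr, kw, "", 1, -1, vbTextCompare)
      Next

      cleanchars = newstr
  End Function

  ' Sends the single "hacking attempt" alert mail via CDO.
  '   str    -- the offending request value
  '   detail -- the rejected character(s), or "" when a keyword was the trigger
  '             (the original's first alert referenced "char" before it was ever
  '             assigned, so that message always showed it empty).
  ' str and the HOST header are client-supplied and go into the mail body
  ' verbatim; REMOTE_ADDR is the address of the connecting peer.
  Sub cleanchars_alert(str, detail)
      Dim Mailer, msg
      Set Mailer = Server.CreateObject("CDO.Message")
      Mailer.From = "Email_From"
      Mailer.To = "Email_To"
      Mailer.Subject = "Your_Domain Hacking Attempt"
      msg = Date & VbCrLf & VbCrLf
      msg = msg & "Hacking Blocked, but check the data" & VbCrLf & VbCrLf
      msg = msg & "STR: " & str & " char " & detail & VbCrLf & VbCrLf
      msg = msg & "Here is the IP " & Request.ServerVariables("REMOTE_ADDR") & VbCrLf & VbCrLf
      msg = msg & "Web Page " & Request.ServerVariables("URL") & VbCrLf & VbCrLf
      msg = msg & "Host " & Request.ServerVariables("HOST") & VbCrLf & VbCrLf
      msg = msg & "Length of String " & Len(str) & VbCrLf & VbCrLf
      Mailer.TextBody = msg
      Mailer.Send
      Set Mailer = Nothing
  End Sub
  ' ------------------------------- End Function -------------------------------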
