New to web development and taking over someone's code. They have a function to prevent SQL injection for a SQL Server database:
function safe(val, maxsize)
    dim i, terms
    ' Blacklist of SQL fragments the original author considered dangerous.
    terms = array( _
        "cast", _
        "select", _
        "varchar", _
        "declare", _
        "drop", _
        ";", _
        "--", _
        "insert", _
        "delete", _
        "xp_" _
    )
    val = left(val, maxsize)
    val = trim(val)
    ' Wrap each blacklisted term as e_term_e. (As posted, the call wrapped the
    ' whole value instead of the matched term and passed vbTextCompare in the
    ' "start" argument position, so matching was actually case-sensitive.)
    for i = 0 to ubound(terms)
        val = replace(val, terms(i), "e_" & terms(i) & "_e", 1, -1, vbTextCompare)
    next
    ' Double single quotes so the value can be enclosed in '...' in the SQL text.
    val = replace(val, "'", "''")
    ' A VBScript function returns by assigning to its own name; assigning to
    ' "makesafe" (as posted) would return Empty.
    safe = val
end function
Hesitant to touch this, but is this missing anything? It seems they occasionally get hacked.
The following article should help:
http://tugberkugurlu.com/archive/sql-injection-vs-lethal-injection-protection-against-sql-injection
It is not a good idea to go down this path with string.Replace.
I would completely scrap that function and start using a parameterized statement like Aaron mentioned in his comment. If you haven't done so before, there are various articles on how to do so. In the article I linked you to, look at step 2.
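As an added illustration of the parameterized approach the answer recommends (this is example code, not from the question, the answer or the linked article): the same lookup done from classic ASP/VBScript with an ADODB.Command, so the untrusted value is bound as a parameter and never spliced into the SQL text. It assumes an already-open ADODB.Connection named conn and a hypothetical Users table with UserId and Username columns; the ADO constants are spelled out so adovbs.inc is not required.

```vbscript
' ADO constants (normally supplied by adovbs.inc); written out so this runs stand-alone.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

' Look up a user by name with a bound parameter instead of string concatenation.
' conn: open ADODB.Connection (assumed). userName: raw, untrusted input.
Function FindUserByName(conn, userName)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' "?" is a placeholder; the value bound below is sent separately from the
    ' statement text, so quotes, semicolons or keywords in it are just data.
    cmd.CommandText = "SELECT UserId, Username FROM Users WHERE Username = ?"
    ' Declared size 50 matches the hypothetical column; longer input should be
    ' rejected by validation before this call rather than silently truncated.
    cmd.Parameters.Append cmd.CreateParameter("@userName", adVarWChar, adParamInput, 50, userName)
    Set rs = cmd.Execute
    Set FindUserByName = rs
End Function

' Usage: the form value is passed straight through; no blacklist scrubbing needed.
Dim rs
Set rs = FindUserByName(conn, Request.Form("username"))
Do Until rs.EOF
    ' Encode on output so stored data cannot inject HTML/script into the page.
    Response.Write Server.HTMLEncode(rs("Username")) & "<br>"
    rs.MoveNext
Loop
rs.Close
```

Parameters only protect the values you bind; table names, column names and ORDER BY targets still cannot be parameterized and must come from a fixed allow-list in code.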