SQL Injection Is this Good

MusicManNick

New Member
I have done quite a bit of research on this, but I'm still having a problem understanding it. However, I want to make sure that I am properly protected. I wrote a function in Classic ASP to help prevent a SQL injection or possible brute force to the DB. Could you guys give me your own input and suggestions if I need to add to it or remove things, or even correct issues to make it more secure? Thank you very much in advance!!

I use this below right before inserting into a MySQL database. An example insert:

[code]
conn.execute("INSERT INTO " & employees & "(eid, first_name, last_name) VALUES('" & Clng(strEID) & "','" & SQLClean(strfirstname) & "','" & SQLClean(strlastname) & "');")
[/code]

The function....

[code]
Private Function SQLClean(ByVal strString)
    If strString <> "" Then
        strString = Trim(strString)
        ' Remove malicious characters from SQL
        strString = Replace(strString, "-shutdown", "", 1, -1, 1)
        strString = Replace(strString, "\", "\\", 1, -1, 1)
        strString = Replace(strString, "=", "\=", 1, -1, 1)
        strString = Replace(strString, ",", "\,", 1, -1, 1)
        strString = Replace(strString, "`", "\`", 1, -1, 1)
        strString = Replace(strString, "&", "\&", 1, -1, 1)
        strString = Replace(strString, "/", "\/", 1, -1, 1)
        strString = Replace(strString, "[", "\[", 1, -1, 1)
        strString = Replace(strString, "]", "\]", 1, -1, 1)
        strString = Replace(strString, "{", "\{", 1, -1, 1)
        strString = Replace(strString, "}", "\}", 1, -1, 1)
        strString = Replace(strString, "(", "\(", 1, -1, 1)
        strString = Replace(strString, ")", "\)", 1, -1, 1)
        strString = Replace(strString, ";", "\;", 1, -1, 1)
        strString = Replace(strString, "+", "\+", 1, -1, 1)
        strString = Replace(strString, "<", "\<", 1, -1, 1)
        strString = Replace(strString, ">", "\>", 1, -1, 1)
        strString = Replace(strString, "^", "\^", 1, -1, 1)
        strString = Replace(strString, "@", "\@", 1, -1, 1)
        strString = Replace(strString, "$", "\$", 1, -1, 1)
        strString = Replace(strString, "%", "\%", 1, -1, 1)
        strString = Replace(strString, "!", "\!", 1, -1, 1)
        strString = Replace(strString, "*", "\*", 1, -1, 1)
        strString = Replace(strString, "~", "\~", 1, -1, 1)
        strString = Replace(strString, "#", "\#", 1, -1, 1)
        strString = Replace(strString, "?", "\?", 1, -1, 1)
        strString = Replace(strString, "'", "\'", 1, -1, 1)
        strString = Replace(strString, """", "\""", 1, -1, 1)
        strString = Replace(strString, "select", "\select", 1, -1, 1)
        strString = Replace(strString, "insert", "\insert", 1, -1, 1)
        strString = Replace(strString, "update", "\update", 1, -1, 1)
        strString = Replace(strString, "delete", "\delete", 1, -1, 1)
        strString = Replace(strString, " or ", " \or ", 1, -1, 1)
        strString = Replace(strString, " and ", " \and ", 1, -1, 1)
        strString = Replace(strString, "drop", "\drop", 1, -1, 1)
        strString = Replace(strString, "union", "\union", 1, -1, 1)
        strString = Replace(strString, "into", "\into", 1, -1, 1)
        ' Return cleaned value.
        SQLClean = Trim(strString)
    End If
End Function
[/code]
 
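Added example (not the poster's code): the same INSERT written with an ADODB.Command and bound parameters, which is the usual replacement for an escaping function like SQLClean, because the values are sent to the driver separately from the SQL text and never need to be escaped or keyword-filtered. It assumes an open ADODB.Connection in `conn`, a table `employees` with the three columns shown above, and a MySQL ODBC driver that accepts `?` placeholders; the function name InsertEmployee and the column sizes are assumptions.

```vbscript
' ADO constants (VBScript has no type library, so they are declared here).
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200
Const adExecuteNoRecords = 128

' Inserts one employee row using bound parameters instead of string building.
' Returns True on success, False if the id is not numeric. Assumes conn is an
' open ADODB.Connection to the MySQL database.
Function InsertEmployee(conn, strEID, strFirstName, strLastName)
    Dim cmd
    InsertEmployee = False

    ' Validate the numeric key explicitly rather than letting CLng raise.
    If Not IsNumeric(strEID) Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Table and column names are fixed literals; only the values are parameters.
    cmd.CommandText = "INSERT INTO employees (eid, first_name, last_name) VALUES (?, ?, ?)"

    ' Each value is passed as a typed parameter, so quotes, backslashes or
    ' words like "drop" inside a name are stored as plain data.
    cmd.Parameters.Append cmd.CreateParameter("eid", adInteger, adParamInput, , CLng(strEID))
    cmd.Parameters.Append cmd.CreateParameter("first_name", adVarChar, adParamInput, 50, Trim(strFirstName))
    cmd.Parameters.Append cmd.CreateParameter("last_name", adVarChar, adParamInput, 50, Trim(strLastName))

    ' INSERT returns no rows, so skip building a Recordset.
    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
    InsertEmployee = True
End Function

' Usage from a form handler (constructed field names):
' If Not InsertEmployee(conn, Request.Form("eid"), Request.Form("first_name"), Request.Form("last_name")) Then
'     Response.Write "Invalid employee id"
' End If
```

Length-limiting the name fields (here 50 characters) and rejecting a non-numeric id cover the input checks that SQLClean was trying to do by substitution; if a driver does not support `?` markers, `Connection.Execute` with a stored procedure call is the other parameterised option.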