asp classic SQL Injection [closed]

2

I have been looking for functions in classic ASP to avoid SQL injection and from what I have seen there is no function. Yes, I have seen that they exist in .NET, but I have not found anything for classic ASP.

Is there really none?

For now I have planned to create a couple of functions that first filter by type of field (if it is numeric, date, ...), then by a certain size and finally check that words like SELECT, INSERT, ... and special characters (*, =, ...) are not entered.

Any recommendations?

asked by APJ 20.07.2017 at 08:57

2 answers

2

Yes, there are parameterized queries in the same way as in ASP.NET. Here and here you have a couple of articles explaining how to do it in classic ASP.

With parameterization the risk of SQL injection is practically avoided. Explaining how and why is a bit long; you can take a look at this question in English. You also have to avoid generating dynamic queries, for example having the name of the table in a variable, but in general using parameterized queries you are totally safe.

answered by 21.12.2017 at 17:07
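The approach described in this answer, as an added example that is not part of the original answer: a classic ASP page that sends the user's value through an ADODB.Command parameter instead of concatenating it, plus a whitelist for the one thing a parameter cannot carry (a column or table identifier). Connection string, table and column names are assumptions.

```vbscript
<%
Option Explicit

' ADO constants (adovbs.inc values), declared so the page is self-contained
Const adVarWChar = 202
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

Dim conn, cmd, rs, nombre, orden, columnaOrden
nombre = Request.QueryString("nombre")   ' attacker-controlled input
orden  = Request.QueryString("orden")    ' attacker-controlled input

' Vulnerable form, for contrast (never do this):
'   sql = "SELECT id, nombre FROM usuarios WHERE nombre = '" & nombre & "'"

' Identifiers cannot be parameterized, so map the request value onto a
' fixed list of allowed column names and fall back to a safe default.
Select Case LCase(orden)
    Case "nombre":  columnaOrden = "nombre"
    Case "id":      columnaOrden = "id"
    Case Else:      columnaOrden = "id"
End Select

Set conn = Server.CreateObject("ADODB.Connection")
' Assumed connection string; replace with your own
conn.Open "Provider=SQLOLEDB;Data Source=SERVIDOR;Initial Catalog=MiBD;User ID=app;Password=SECRETO;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholders are bound by the provider; the value travels as data,
' so quotes, keywords or comment markers in it are never parsed as SQL.
cmd.CommandText = "SELECT id, nombre FROM usuarios WHERE nombre = ? AND activo = ? ORDER BY " & columnaOrden
cmd.Parameters.Append cmd.CreateParameter("nombre", adVarWChar, adParamInput, 50, nombre)
cmd.Parameters.Append cmd.CreateParameter("activo", adInteger, adParamInput, , 1)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output as well: SQL parameters do not protect against XSS
    Response.Write Server.HTMLEncode(rs("nombre")) & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing: Set cmd = Nothing: Set conn = Nothing
%>
```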
0

A while ago I found a function that cleans strings or parameters of everything related to SQL statements. So I first pass the parameters through this function to clean them.

function clear_param(texto)
    ' Blacklist filter: strips a fixed list of SQL keywords and characters from the input.
    ' Note: Replace is case-sensitive by default, so e.g. "select" or "Select" is left untouched.
    dim texto_final
    texto_final = replace(texto, "SELECT", "")
    texto_final = replace(texto_final, "'", "")           ' single quote
    texto_final = replace(texto_final, "UPDATE", "")
    texto_final = replace(texto_final, "DELETE", "")
    texto_final = replace(texto_final, "DROP", "")
    texto_final = replace(texto_final, "UNION ", "")
    texto_final = replace(texto_final, "%", "%")           ' no-op as written in the original post
    texto_final = replace(texto_final, "%00", "")
    texto_final = replace(texto_final, "%27", "")
    texto_final = replace(texto_final, "%3D", "")
    texto_final = replace(texto_final, " TOP ", "")
    texto_final = replace(texto_final, " GROUP ", "")
    texto_final = replace(texto_final, "=", "")
    texto_final = replace(texto_final, ">", "&#62;")       ' HTML-encode > (entity was lost in the post)
    texto_final = replace(texto_final, "<", "&#60;")       ' HTML-encode <
    texto_final = replace(texto_final, "IIF", "")
    texto_final = replace(texto_final, "FROM", "")
    texto_final = replace(texto_final, " OR ", "")
    texto_final = replace(texto_final, " AND ", "")
    texto_final = replace(texto_final, " IN ", "")
    texto_final = replace(texto_final, " CHR ", "")
    texto_final = replace(texto_final, " ASC(", "")
    texto_final = replace(texto_final, " CurDir ", "")
    texto_final = replace(texto_final, "LEN(", "")
    texto_final = replace(texto_final, "SHELL", "")
    texto_final = replace(texto_final, "ASCII", "")
    texto_final = replace(texto_final, "SUBSTRING", "")
    texto_final = replace(texto_final, "LENGTH", "")
    texto_final = replace(texto_final, "version", "")
    texto_final = replace(texto_final, "exists", "")
    clear_param = texto_final
End function
answered by 21.12.2017 at 16:34