Reducing the Risk of SQL Injection Attack

Databases can be compromised if the applications that query them are open to SQL injection attacks. Stripping invalid characters from form inputs will reduce this risk.

If you have a form on your site that interacts with a database (e.g. a username/password login form), you should secure the form by adding an additional stage between submission and the database look-up. One way to do this is to check for valid content.

As usernames and passwords are usually strings of alphanumeric characters, you can strip out ‘bad’ characters from the input string.
The easiest way to do this is to collect the form’s input and run it through a regular expression that matches every invalid character, removing each match.

The code below removes all non-alphanumeric characters from the input string:

'gets the text submitted via a form
Dim strUsername, strPassword
strUsername = Request.Form("username")
strPassword = Request.Form("password")

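'pass both values through the stripping function
strUsername = stripString(strUsername)
strPassword = stripString(strPassword)

'function to strip all non-alphanumeric characters
Function stripString(strInput)
 Dim objRE
 Set objRE = New RegExp
 With objRE
  'match any character that is not a letter or a digit
  .Pattern = "[^A-Za-z0-9]"
  'replace every match, not just the first one
  .Global = True
 End With
 'assign to the function name so the cleaned string is returned
 stripString = objRE.Replace(strInput, "")
 Set objRE = Nothing
End Function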
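
The following is an added example, not part of the original page, written in Python rather than ASP so that it runs stand-alone against an in-memory SQLite database. It ports stripString, shows that stripping silently rewrites a submitted username into a different, existing one, and contrasts that with rejecting invalid input and binding the value as a query parameter. The users table, its sample rows, the 64-character limit and all function names are assumptions made for the illustration.

```python
import re
import sqlite3

_NON_ALNUM = re.compile(r"[^A-Za-z0-9]")
_ALNUM_ONLY = re.compile(r"[A-Za-z0-9]{1,64}")  # length limit is an assumption


def strip_string(value):
    """Port of the page's stripString: drop every non-alphanumeric character."""
    return _NON_ALNUM.sub("", value)


def is_valid(value):
    """Stricter variant: accept or reject the input, never rewrite it."""
    return _ALNUM_ONLY.fullmatch(value) is not None


def make_db():
    """Constructed sample data, held in memory only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, note TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "site owner"), ("obrien", "staff")])
    return conn


def _fetch_note(conn, username):
    # The value is bound as a parameter, so it is never parsed as SQL text.
    row = conn.execute("SELECT note FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def lookup_user_stripped(conn, username):
    """The page's approach: clean the input, then look it up."""
    return _fetch_note(conn, strip_string(username))


def lookup_user(conn, username):
    """Reject anything outside the allow-list before querying."""
    return _fetch_note(conn, username) if is_valid(username) else None


if __name__ == "__main__":
    db = make_db()
    for name in ("admin", "ad-min", "o'brien"):  # constructed inputs
        print(repr(name), "stripped ->", lookup_user_stripped(db, name),
              "| validated ->", lookup_user(db, name))
```

With stripping, "ad-min" and "o'brien" resolve to the accounts admin and obrien even though neither name was submitted exactly; with validation both are refused and only the exact name matches.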