Databases can be compromised if they are open to SQL injection attacks. Stripping invalid characters from form inputs reduces this risk.
If you have a form on your site that interacts with a database (e.g. a username/password login form), you should secure the form by adding an additional stage between submission and the database look-up. One way to do this is to check for valid content.
As usernames and passwords are usually strings of alphanumeric characters, you can strip out ‘bad’ characters from the input string.
The easiest way to do this is to collect the form’s input and check each character against a regular expression, removing any that are invalid.
The code below removes all non-alphanumeric characters from the input string:
<%
'gets the text submitted via a form
Dim strUsername, strPassword
strUsername = Request.Form("username")
strPassword = Request.Form("password")

'call the function on each value before it is used
strUsername = stripString(strUsername)
strPassword = stripString(strPassword)

'function to strip all non-alphanumeric characters
Function stripString(strInput)
    Dim objRE
    Set objRE = New RegExp
    With objRE
        .Pattern = "[^A-Za-z0-9]"
        .Global = True
    End With
    'the cleaned string is assigned to the function name, which is how VBScript returns it
    stripString = objRE.Replace(strInput, "")
    Set objRE = Nothing
End Function
%>
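The same filtering step, written here in Python as an added example rather than the article's own ASP code, so it can be run and checked outside a web server. It applies the article's pattern `[^A-Za-z0-9]` globally, exactly as the VBScript `RegExp` does, and then uses the cleaned values in a parameterised login query. The parameterised query is the part a practitioner should treat as the primary defence: the database driver binds the values instead of splicing them into the SQL text, so the character filter becomes a second layer rather than the only one. The `is_clean()` helper is an addition of mine, for sites that would rather reject input containing disallowed characters than silently alter it (stripping changes what the user typed, which matters for passwords). The `users` table and its two rows are constructed sample data.

```python
import re
import sqlite3

# Same character class the article's VBScript uses: anything that is not A-Z, a-z or 0-9.
_NON_ALNUM = re.compile(r"[^A-Za-z0-9]")


def strip_string(value: str) -> str:
    """Equivalent of the article's stripString(): remove every non-alphanumeric character."""
    return _NON_ALNUM.sub("", value)


def is_clean(value: str) -> bool:
    """Stricter variant (my addition): True only if the input contains no disallowed characters,
    so a form handler can reject it instead of quietly changing it."""
    return strip_string(value) == value


def build_user_table() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with two users.
    (A real system stores password hashes, not the passwords themselves.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def lookup_user(conn: sqlite3.Connection, username: str, password: str):
    """Login check: strip the inputs as the article does, then bind them as query
    parameters. The '?' placeholders mean the values are never part of the SQL text."""
    cleaned_user = strip_string(username)
    cleaned_pass = strip_string(password)
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (cleaned_user, cleaned_pass),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_user_table()
    # Constructed inputs: one clean, one containing a quote, a semicolon and a comment marker.
    for raw in ("alice", "alice'; --"):
        print(f"{raw!r:14} clean={is_clean(raw)!s:5} stripped={strip_string(raw)!r}")
    print("login alice/s3cret ->", lookup_user(db, "alice", "s3cret"))
    print("login alice/wrong  ->", lookup_user(db, "alice", "wrong"))
```

Note that `strip_string("alice'; --")` collapses to `alice`, which is why `is_clean()` is worth having: a filter that silently rewrites input can turn a malformed submission into a valid-looking username, whereas rejecting it keeps the user's intent intact and gives you a log line to alert on.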