Systems, Solutions, Software & Stuff
If you have a form on your site whose contents end up in a database query (e.g. a username/password login form), you should add a validation stage between submission and the database look-up, so that raw user input is never pasted straight into the query; otherwise a crafted value such as one containing a quote mark can alter the query itself (SQL injection). One way to do this is to check the submitted content against what a valid value is allowed to contain.
As usernames are usually strings of alphanumeric characters, you can strip out ‘bad’ characters from the input string, or reject the submission outright if any are present. Be aware that doing the same to a password silently changes what the user typed, so a password containing punctuation will never match what was stored; for that field it is safer to reject invalid input than to strip it, and in any case to pass the value to the database as a query parameter rather than concatenating it into the SQL. Character filtering like this is an extra layer of defence, not a replacement for parameterised queries.
The easiest way to do this is to collect the form’s input and run it through a regular expression that matches every character outside the allowed set, removing any that are invalid.
The code below removes all non-alphanumeric characters from the input string:
<%
' Get the text submitted via the form
Dim strUsername, strPassword
strUsername = Request.Form("username")
strPassword = Request.Form("password")

' Run both values through the filter before they go anywhere near the database
strUsername = stripString(strUsername)
strPassword = stripString(strPassword)

' Function to strip all non-alphanumeric characters from a string
Function stripString(strInput)
    Dim objRE
    Set objRE = New RegExp
    With objRE
        .Pattern = "[^A-Za-z0-9]"   ' match any character that is NOT a letter or digit
        .Global = True              ' replace every match, not just the first one
    End With
    ' In VBScript the return value is set by assigning to the function name
    stripString = objRE.Replace(strInput, "")
    Set objRE = Nothing
End Function
%>
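To show what the filter does and does not buy you, here is the same idea re-expressed in Python against an in-memory SQLite database. This is an added example, not code from the original page: the table, its single row, the attacker's input and the 32-character length limit in is_clean() are all constructed for the demonstration. It runs the login look-up three ways: concatenated SQL with raw input, concatenated SQL with input passed through the page's stripping logic, and a parameterised query, and also shows what stripping does to a password that contains punctuation.

```python
import re
import sqlite3

# Same pattern as the page's VBScript: any character that is NOT A-Z, a-z or 0-9.
NON_ALNUM = re.compile(r"[^A-Za-z0-9]")


def strip_string(value: str) -> str:
    """Equivalent of the page's stripString(): remove every non-alphanumeric character."""
    return NON_ALNUM.sub("", value)


def is_clean(value: str, max_len: int = 32) -> bool:
    """Stricter variant: reject input that is not already alphanumeric (and bound its
    length) instead of silently altering it. The 32-character limit is an assumption;
    the page sets no maximum."""
    return re.fullmatch(r"[A-Za-z0-9]{1,%d}" % max_len, value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample table holding one account (plain-text password for brevity only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'wonderland1')")
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The look-up built by string concatenation: the kind of query the filter is meant to protect."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same look-up with bound parameters: the input is treated as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1


def demo() -> dict:
    """Run each variant against a constructed injection attempt and return the outcomes."""
    conn = make_db()
    # Closes the username quote and comments out the password check (-- is an SQL comment).
    evil_user = "alice' --"
    results = {
        # Unfiltered, concatenated query: logged in as alice without knowing the password.
        "raw_concat": login_concatenated(conn, evil_user, "anything"),
        # The page's approach: stripping reduces the payload to "alice", so the
        # password comparison runs and fails.
        "stripped_concat": login_concatenated(conn, strip_string(evil_user),
                                              strip_string("anything")),
        # Reject-instead-of-strip: the payload never reaches the database at all.
        "rejected": is_clean(evil_user),
        # Parameterised query: the payload is compared literally and matches no row.
        "raw_param": login_parameterized(conn, evil_user, "anything"),
        # Side effect of stripping a password: its punctuation is silently discarded.
        "stripped_password": strip_string("S3cure!Pa$$"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The stripped_concat result shows why the page's filter helps when the query is still built by concatenation, and the raw_param result shows that a parameterised query needs no such help for this input. The stripped_password result is the caveat: a user whose real password is S3cure!Pa$$ would have it rewritten to S3curePa before the look-up, so for the password field reject invalid input rather than stripping it.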