Wednesday, August 4, 2010

SQL code injection

To reduce the risk of SQL injection in our web page we can use the following function, run on every parameter we read from the request. Keep in mind that it is a blacklist: it rejects any legitimate value that happens to contain an apostrophe or a word such as "select", and an attacker only needs a payload that uses none of the listed tokens (for a numeric parameter, "1 OR 1 LIKE 1" already gets past it). The reliable defence in classic ASP is not to concatenate the value into the SQL string at all but to pass it as an ADODB.Command parameter (CreateParameter / Parameters.Append), keeping a filter like this one only as an extra layer.

' Function Validar guards against SQL injection with a blacklist of characters and words
Function Validar(sInput)
    ' Declare variables (IllegalChars was missing from the original Dim)
    Dim sBadChars, iCounter, IllegalChars
    ' Assume the input is clean until a bad token is found
    IllegalChars = False
    ' Array of illegal characters and words. The original list also held an empty
    ' string, which InStr finds in every non-empty input, so every value was rejected.
    sBadChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_", "alter", "update", _
        "#", "%", "&", "'", "(", ")", "/", "\", ":", "<", ">", "=", "[", "]", "?", "`", "declare", "convert")
    ' Loop through sBadChars using the counter and the UBound function
    For iCounter = 0 To UBound(sBadChars)
        ' InStr with vbTextCompare so "SELECT" is caught as well as "select"
        If InStr(1, sInput, sBadChars(iCounter), vbTextCompare) > 0 Then
            IllegalChars = True
            Exit For
        End If
    Next
    ' Return an empty string for tainted input, otherwise the input unchanged
    If IllegalChars = True Then
        Validar = ""
    Else
        Validar = sInput
    End If
End Function

Example:
Validar(Request.QueryString("parametro"))
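The following is an added example, not code from the original post: a Python port of the Validar() blacklist (with a case-insensitive comparison so the keyword entries also match upper-case SQL) run against a constructed SQLite table named usuarios, side by side with a parameterized query. It shows that the filter still lets "1 OR 1 LIKE 1" through when the value is concatenated into the SQL, that it rejects a legitimate name like o'neil, and that bound parameters handle both cases without any blacklist. The table, rows and function names are assumptions made for the example; the classic ASP equivalent of the bound parameter is an ADODB.Command with CreateParameter.

```python
import sqlite3

# The blog's blacklist, ported from the VBScript Validar() above. The duplicate
# ";" and the empty-string entry (which VBScript's InStr finds in every input)
# are left out.
BAD_TOKENS = [
    "select", "drop", ";", "--", "insert", "delete", "xp_", "alter", "update",
    "#", "%", "&", "'", "(", ")", "/", "\\", ":", "<", ">", "=", "[", "]", "?",
    "`", "declare", "convert",
]


def validar(s_input: str) -> str:
    """Return "" when any blacklisted token occurs in the input, else the input.

    The comparison is case-insensitive so "SELECT" is caught as well as "select".
    """
    lowered = s_input.lower()
    for token in BAD_TOKENS:
        if token in lowered:
            return ""
    return s_input


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the site's database (hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usuarios (id INTEGER PRIMARY KEY, nombre TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO usuarios VALUES (?, ?, ?)",
        [
            (1, "ana", "ana@example.com"),
            (2, "luis", "luis@example.com"),
            (3, "eva", "eva@example.com"),
            (4, "o'neil", "oneil@example.com"),
        ],
    )
    return conn


def buscar_concatenando(conn: sqlite3.Connection, parametro: str) -> list:
    """The pattern the filter is meant to protect: filtered value glued into SQL."""
    valor = validar(parametro)
    if valor == "":
        return []
    sql = "SELECT id, nombre FROM usuarios WHERE id = " + valor
    return conn.execute(sql).fetchall()


def buscar_parametrizado(conn: sqlite3.Connection, parametro: str) -> list:
    """Hardened form: check the expected type, then bind the value as data."""
    try:
        id_usuario = int(parametro)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, nombre FROM usuarios WHERE id = ?", (id_usuario,)
    ).fetchall()


def buscar_por_nombre(conn: sqlite3.Connection, nombre: str) -> list:
    """Bound text parameter: quotes are plain data, so no blacklist is needed."""
    return conn.execute(
        "SELECT id, nombre FROM usuarios WHERE nombre = ?", (nombre,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for entrada in ["1", "1 OR 1 LIKE 1", "1; DROP TABLE usuarios"]:
        print(repr(entrada),
              "concatenated:", buscar_concatenando(db, entrada),
              "| parameterized:", buscar_parametrizado(db, entrada))
    print("o'neil through the filter:", repr(validar("o'neil")),
          "| bound:", buscar_por_nombre(db, "o'neil"))
```

With string concatenation, "1 OR 1 LIKE 1" passes the filter and returns every row of the table; with the bound parameter the same input is rejected by the int() check and "1" returns only the intended row. The name search shows the other side of the trade-off: the blacklist turns o'neil into an empty string, while the bound parameter looks it up correctly and treats "ana' OR '1'='1" as a literal name that matches nothing.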
