Anti-SQL Injection Function
This is a quick and dirty function for preventing SQL injection; the function is designed to clean any variable that will be concatenated into an SQL query. Apostrophes and double quotes are changed to entities in order to ensure that encoding does not become an issue when the content is pulled back into a page. I'm looking for criticism here; I want to know whether this is secure or not.
Function mysql_escape(thisWord)
    Dim newWord
    If thisWord <> "" Then
        ' Strip comment delimiters
        newWord = Replace(thisWord, "/*", "")
        newWord = Replace(newWord, "*/", "")
        ' Remove the literal word UNION (Replace defaults to a single, case-sensitive pass)
        newWord = Replace(newWord, "UNION", "")
        ' Prefix statement separators with a backslash
        newWord = Replace(newWord, ";", "\;")
        ' Turn quote characters into HTML entities rather than SQL-escaping them
        newWord = Replace(newWord, "'", "&rsquo;")
        newWord = Replace(newWord, """", "&quot;")
        ' Double backslashes; because this runs after the ";" rule, "\;" becomes "\\;"
        newWord = Replace(newWord, "\", "\\")
    End If
    ' An empty input leaves newWord Empty, which concatenates as ""
    mysql_escape = newWord
End Function
Example Use:
sql = "SELECT * FROM table WHERE key = '" & mysql_escape(Request.QueryString("value")) & "'"
...
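The same lookup as the "Example Use" line, written with a parameterised ADODB.Command so the request value is bound as data and never spliced into the SQL text. This is an added example, not code from the question; it assumes an open ADODB.Connection in conn and that the column holds at most 255 characters. The Const values are the standard ADO constants from adovbs.inc.

```vbscript
' ADO constants (normally supplied by adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

' Runs SELECT * FROM table WHERE key = ? with keyValue bound as a parameter.
' Quotes, semicolons, comment markers or the word UNION in keyValue are
' treated as plain data by the driver, so no escaping function is needed.
Function LookupByKey(conn, keyValue)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM table WHERE key = ?"
    cmd.Parameters.Append cmd.CreateParameter("key", adVarChar, adParamInput, 255, keyValue)
    Set LookupByKey = cmd.Execute
End Function

' Usage: the raw request value goes straight to the parameter.
Dim rs
Set rs = LookupByKey(conn, Request.QueryString("value"))
```

The value is still HTML-encoded with Server.HTMLEncode when it is written back into a page; that is an output concern, separate from the query.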
<?php
// Note: get_magic_quotes_gpc() was removed in PHP 8.0 and the mysql_* extension
// (mysql_real_escape_string) in PHP 7.0; this is the classic PHP 5-era pattern.
function quote_smart($value)
{
    // Undo magic_quotes_gpc so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string; is_numeric() also accepts
    // forms such as "1e3", which are returned unquoted
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}