
I have some code that checks input values before I insert them into the db. And it works as it should, it checks all form inputs, but I would like it to exclude all the file upload inputs, so it doesn't check the values of file inputs when I upload an image. But I don't know how to make it work, so any input is really appreciated. Thanks.

This is what I have now.

    Dim BlackList, ErrorPage
    ' Patterns that must not appear anywhere in a submitted value
    ' (line continuations need a space before the underscore)
    BlackList = Array("#", "$", "%", "^", "&", "|", _
                      "<", ">", "'", """", "(", ")", _
                      "--", "/*", "*/", "@@", _
                      "cursor", "exec", "execute", _
                      "nchar", "varchar", "nvarchar", "iframe", "char", "alter", "begin", "cast", "create", "insert", "delete", "drop", "table" _
                      )

    ' Returns True if str contains a blacklisted pattern, False if it passes
    Function CheckStringForSQL(str, varType)
      On Error Resume Next
      Dim lstr, s
      ' If the string is empty, return false that means pass
      If ( IsEmpty(str) ) Then
        CheckStringForSQL = False
        Exit Function
      ElseIf ( StrComp(str, "") = 0 ) Then
        CheckStringForSQL = False
        Exit Function
      End If

      lstr = LCase(str)
      ' Check if the string contains any patterns in our black list
      For Each s In BlackList
        If ( IsExceptionList(s, varType) = False ) Then
          If ( InStr(lstr, s) <> 0 ) Then
            CheckStringForSQL = True
            Exit Function
          End If
        End If
      Next
      CheckStringForSQL = False
    End Function

    ' Patterns that are allowed when the value comes from a cookie
    CookieExceptionList = Array("""", "(", ")", "!")
    Function IsExceptionList(str, varType)
      Dim item
      If ( varType = "cookie" ) Then
        For Each item In CookieExceptionList
          If ( item = str ) Then
            IsExceptionList = True
            Exit Function
          End If
        Next
      End If
      IsExceptionList = False
    End Function

    ' SO HERE I NEED TO CHECK IF IT IS A FILE INPUT, AND IF SO, NOT RUN THE BELOW
    For Each s In Request.Form
      If ( CheckStringForSQL(Request.Form(s), "form") ) Then
        feltext = "Fel"
      End If
    Next
Claes Gustavsson
  • Just use an `ADODB.Command` object to build a parameterised query and you won't need to do any of this. You only need to sanitise your data like this if you are using dynamic SQL that leaves you open to SQL Injection *(which is bad practice anyway)*. You will not gain much benefit from this approach and a lot more false positives than it is worth *(speaking from experience)*. I'm sure this isn't the first time I've spoken to you about the benefits of using parameterised Queries? – user692942 Mar 12 '19 at 14:56
  • Ok thanks Lankymart, do you have any examples that you can share? I thought that using this as an include file it would go quick to add it to hundreds of sql statements instead of changing them all, that's why I tried this. – Claes Gustavsson Mar 12 '19 at 17:27
  • [Example of using dynamic SQL with `ADODB.Command`](https://stackoverflow.com/a/20702205/692942). – user692942 Mar 15 '19 at 07:31
  • [Another example here](https://stackoverflow.com/q/6377249/692942). – user692942 Mar 15 '19 at 07:33
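The comments above recommend replacing the blacklist with a parameterised `ADODB.Command`. As an added example that is not part of the question or of the linked answers, here is the same INSERT written twice in classic ASP/VBScript: first as the dynamic SQL the blacklist is trying to protect, then as a parameterised command. The table and column names (`Members`, `Name`, `Email`, `Age`), the connection string and the procedure names are assumptions made for the example.

```vbscript
' Added example, not code from the question. Table, columns and the
' connection string below are assumed for illustration.
Option Explicit

' ADO constants, normally supplied by adovbs.inc or the ADO type library.
Const adCmdText    = 1
Const adParamInput = 1
Const adInteger    = 3
Const adVarWChar   = 202

Dim connString
connString = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=MyDb;Integrated Security=SSPI" ' assumed

' Vulnerable form: the submitted values are pasted into the SQL text, so a
' quote or comment marker in strName changes the statement itself. This is
' the situation the blacklist in the question is trying to paper over.
Sub InsertMemberDynamic(strName, strEmail, intAge)
    Dim conn, sql
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connString
    sql = "INSERT INTO Members (Name, Email, Age) VALUES ('" & strName & "', '" & strEmail & "', " & intAge & ")"
    conn.Execute sql
    conn.Close
End Sub

' Hardened form: the SQL text is fixed and each value travels as a typed
' parameter. The database never parses the values as SQL, so "'", "--",
' "drop" and the rest of the blacklist are just data here, and words such
' as "Charlotte" (which contains "char") are no longer rejected.
' Returns the number of rows inserted, or -1 if the age is not numeric.
Function InsertMemberParameterised(strName, strEmail, intAge)
    Dim conn, cmd, recordsAffected

    ' Type checks belong here, before anything touches the database.
    If Not IsNumeric(intAge) Then
        InsertMemberParameterised = -1
        Exit Function
    End If

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connString

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn   ' Set is required, otherwise ADO opens a second connection
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO Members (Name, Email, Age) VALUES (?, ?, ?)"

    ' Size and type are enforced by the provider; oversize or mistyped
    ' input fails at this layer instead of reaching the SQL text.
    cmd.Parameters.Append cmd.CreateParameter("@Name",  adVarWChar, adParamInput, 100, strName)
    cmd.Parameters.Append cmd.CreateParameter("@Email", adVarWChar, adParamInput, 254, strEmail)
    cmd.Parameters.Append cmd.CreateParameter("@Age",   adInteger,  adParamInput, 4,   CLng(intAge))

    cmd.Execute recordsAffected
    conn.Close
    InsertMemberParameterised = recordsAffected
End Function

' Usage from a form handler: the Request.Form values go in unchanged, with
' no blacklist pass in front of them.
' rows = InsertMemberParameterised(Request.Form("name"), Request.Form("email"), Request.Form("age"))
```

Because the statement text never contains user data, the parameterised version has nothing for the blacklist to do, which also removes the reason for special-casing file inputs in the first place: whatever still needs validating (length, numeric range, allowed file types) is checked against the field's own rules rather than against a list of SQL keywords.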
