Post by benjamin1 on Oct 14, 2008 20:46:46 GMT -5
Post by darencraddock on Dec 15, 2008 17:28:01 GMT -5
Many websites that use some form of database (e.g. MySQL) are vulnerable to SQL Injection Attacks (SQLIA), but there's no need to be! It's very simple to prevent - I'll show you how to do this with your own RB SQLite apps in a few moments ...

SQLIA work by 'injecting' login scripts with SQL. E.g. imagine you have a Login page on your website, which requires a user to enter a Username and a Password. When they click a 'Submit' button, your RB code queries a SQLite (or MySQL or whatever) database to see if the Username & Password exist and are correct. With me so far? Cool.

OK, so you probably use a string like this to query your database:

sql$ = "SELECT * FROM tblMember WHERE Username ='" + username$ + "' AND Password ='" + password$ + "'"

(where tblMember is your table containing members' details). If you leave it at that, you're vulnerable to SQLIA!!! A hacker can inject SQL by using quote characters (or slash characters) in the Username or Password fields. A quick Google search about SQLIA will show you what I mean. Hackers can then log in to your 'secure' area, or even DROP your tables (and hence you lose all your valuable data!).

So here's my simple fix: prevent users from submitting 'bad' characters (single/double quotes, slashes etc.) by filtering input fields. I use a simple function (see below) called cleanString that only allows A-Z, a-z, 0-9, @, ., SPACE characters to 'pass through'. Copy/paste and try it out for yourself! You can use my code for any purpose, whether personal, educational or commercial, but perhaps you might kindly mention me as the author (Daren Craddock, Sheffield, UK)! Here we are then ...

'custom function to filter alphanumeric characters
'(protect against SQL Injection Attack)
'only passes A-Z | a-z | 0-9 | @ | SPACE | .
function cleanString$(inputvalue$)
    outputvalue$ = ""
    'find string length
    length = len(inputvalue$)
    'loop thru each character, only 'pass' it if valid
    for i = 1 to length
        character$ = mid$(inputvalue$, i, 1)
        'check for valid characters:
        '  chr$(46) = "."   chr$(32) = SPACE   chr$(64) = "@"
        '  chr$(48)-chr$(57) = "0"-"9"
        '  chr$(65)-chr$(90) = "A"-"Z"
        '  chr$(97)-chr$(122) = "a"-"z"
        if character$ = chr$(46) or character$ = chr$(32) _
            or character$ = chr$(64) _
            or (character$ >= chr$(48) and character$ <= chr$(57)) _
            or (character$ >= chr$(65) and character$ <= chr$(90)) _
            or (character$ >= chr$(97) and character$ <= chr$(122)) then
            'character OK, so add to output string
            outputvalue$ = outputvalue$ + character$
        end if
    next i
    'return cleaned-up, SQL safe string
    cleanString$ = outputvalue$
end function

[start]
    cls
    'get user input to test this function
    print "Prevent SQL Injection Attack"
    print
    input "Enter a string of text"; inputString$

    'clean the string and display result
    outputString$ = cleanString$(inputString$)
    print
    print "You entered:"
    print inputString$
    print
    print "Cleaned-up version is:"
    print outputString$
    print

    input "Another (y/n)"; yesno$
    if instr("YESyes", yesno$) then
        goto [start]
    end if
    print
    print "Goodbye!"
end
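The following is an added example, not code from the post above, showing in Python (standard-library sqlite3) what the concatenated login query, the cleanString allow-list filter and a parameterized query each do when fed the classic `' OR '1'='1` payload. The `tblMember` table, the single `daren` / `secret.pw` row and the function names are constructed for this demonstration; `clean_string` is a port of the post's cleanString$ allow-list (A-Z, a-z, 0-9, @, ., space), and `parameterized_login` shows the bound-parameter form, which the post does not cover.

```python
import sqlite3
import string


def make_db():
    """Constructed sample database: one member, plain-text password
    (a real application would store a password hash)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblMember (Username TEXT, Password TEXT)")
    con.execute("INSERT INTO tblMember VALUES ('daren', 'secret.pw')")
    con.commit()
    return con


def vulnerable_login(con, username, password):
    """Builds the query by string concatenation, exactly like the post's
    sql$ example. Whatever the user typed becomes part of the SQL text."""
    sql = ("SELECT * FROM tblMember WHERE Username ='" + username
           + "' AND Password ='" + password + "'")
    return con.execute(sql).fetchone() is not None


# Allow-list from the post's cleanString$: letters, digits, "@", "." and space.
ALLOWED = set(string.ascii_letters + string.digits + "@. ")


def clean_string(value):
    """Port of cleanString$: silently drops every character not on the list."""
    return "".join(ch for ch in value if ch in ALLOWED)


def filtered_login(con, username, password):
    """The post's fix: filter both fields, then run the concatenated query."""
    return vulnerable_login(con, clean_string(username), clean_string(password))


def parameterized_login(con, username, password):
    """Bound parameters: sqlite3 sends the values separately from the SQL,
    so quotes in the input can never change the statement's structure."""
    row = con.execute(
        "SELECT * FROM tblMember WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    con = make_db()
    # Payload in the Password field: turns the WHERE clause into
    # (Username='nobody' AND Password='') OR '1'='1'
    payload = "' OR '1'='1"
    for name, fn in (("concatenated", vulnerable_login),
                     ("cleanString filter", filtered_login),
                     ("parameterized", parameterized_login)):
        print(f"{name:20s} real creds: {fn(con, 'daren', 'secret.pw')}  "
              f"injected: {fn(con, 'nobody', payload)}")
```

Running it shows the concatenated query letting `nobody` in with the payload, while both the filtered and the parameterized versions reject it; the difference is that the filter gets there by rewriting the password to ` OR 11`, so a legitimate password containing `!` or `-` would be changed the same way, whereas the parameterized query passes every byte through untouched.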