strip characters function

22 Oct 2002 17:21:55 Dave Clarke posted:
hi all

I've found this little script which may be of help against SQL injection attacks; it strips the characters in the array from a string. Could this be edited to strip characters from a form field?
If so, how? And then how would I use it?

<%
function killChars(strWords)
    dim badChars, newChars, i
    ' Words and characters to strip from the input
    badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_")
    newChars = strWords
    ' Remove each entry in turn; note that Replace is case-sensitive
    ' unless a compare argument is passed
    for i = 0 to uBound(badChars)
        newChars = replace(newChars, badChars(i), "")
    next
    killChars = newChars
end function
%>

thanks

Dave

ASP|VBScript|IIS5.1|WinXPPro & WinXPHome

Replies

26 Oct 2002 08:17:04 Dave Clarke replied:
hello?? :D

ASP|VBScript|IIS5.1|WinXPPro & WinXPHome
26 Oct 2002 23:32:00 Dave Thomas replied:
Where's the best place to use this function, Dave?

Regards,
Dave

UD4 | Flash 5 | SQL | Access | ASP/VBScript | XP-Pro
27 Oct 2002 07:08:58 Dave Clarke replied:
Dunno mate, that's what I'm trying to find out ;)

ASP|VBScript|IIS5.1|WinXPPro & WinXPHome
27 Oct 2002 15:02:29 Owen Eastwick replied:
Don't use it as a function, instead use as follows:

<%
varString = Request("textFieldName") ' The text entered in the textbox
badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_") ' The bad words we want to get rid of
varNewString = varString ' Start from the submitted text and strip each bad word from it in turn

' Loop through the list of bad words and replace them with nothing.
for i = 0 to uBound(badChars)
    varNewString = replace(varNewString, badChars(i), "")
next

' Now replace single quotes with 2 single quotes
varNewString = Replace(varNewString, "'", "''")
%>

Now set up your recordset with a runtime value of varNewString; make sure that the code above appears before the recordset code.

Regards

Owen.

Multiple Parameter UD4 / Access 2000 Database Search Tutorial:
www.tdsf.co.uk/tdsfdemo
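An added example, not posted by anyone in this thread: the same form lookup written as a parameterised ADODB.Command. Because the driver sends the field's text as a value rather than as part of the SQL string, quotes, semicolons or SQL keywords typed into the box cannot alter the statement, so the word-stripping and quote-doubling above are not needed for the query. The table name Products, the columns ProductID and ProductName, the form field textFieldName and the Application("connString") setting are all assumptions for the example.

```vbscript
<%
' Added example (not code from this thread): parameterised query with
' ADODB.Command. The user's text travels as a parameter value, never as
' part of the SQL text, so it cannot change the statement.
'
' Assumptions (not from the thread): a table "Products" with columns
' "ProductID" and "ProductName", a form field "textFieldName", and a
' connection string stored in Application("connString").

' ADO constants declared here so the page works without adovbs.inc
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200

Dim conn, cmd, rs, searchTerm
searchTerm = Request.Form("textFieldName")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("connString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' "?" is the placeholder; the value is attached separately below
cmd.CommandText = "SELECT ProductID, ProductName FROM Products WHERE ProductName LIKE ?"
cmd.Parameters.Append cmd.CreateParameter("pName", adVarChar, adParamInput, 255, "%" & searchTerm & "%")

' Execute returns a forward-only recordset of the matching rows
Set rs = cmd.Execute

Do Until rs.EOF
    ' HTMLEncode the value on the way out so stored text cannot inject markup
    Response.Write Server.HTMLEncode(rs("ProductName")) & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

Put this in place of a hand-built SQL string; the "%" wildcards are the ANSI form understood by the Jet OLE DB provider and SQL Server alike. Input can still be checked for length or format before it reaches the parameter, but that check is for data quality, not for keeping the statement intact.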
27 Oct 2002 21:54:47 Dave Clarke replied:
Thank you Owen, clear and concise. I'll try it out later, thanks again.

Dave

ASP|VBScript|IIS5.1|WinXPPro & WinXPHome
