Hi guys

I hope you can help.

I need to update a very old website that is using classic ASP code and inline sql queries. Thereís a lot of bad practice going on but I need to quickly protect the site as best I can while we have the resources to update the site and move it over to a more secure environment.

Basically, what I need is a regular expression or function that will blacklist all of the usual suspects (ie words and characters) that are used as SQL injection. I fully appreciate that there is no concrete way to totally protect the site against SQL injection by using a blacklist (or whitelist). However, I just need to buy myself a little time while I figure everything out, and have the time, to update the entire scripting.

Unfortunately, Iím not that great on classic asp coding but what I have found so far are these three functions:

------------FUNCTION 1--------------
function SQLInject(strWords)
dim badChars, newChars, i
badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_")
newChars = strWords
for i = 0 to uBound(badChars)
newChars = replace(newChars, badChars(i), "")
newChars = newChars
newChars= replace(newChars, "'", "''")
newChars= replace(newChars, " ", "")
newChars= replace(newChars, "'", "|")
newChars= replace(newChars, "|", "''")
newChars= replace(newChars, "\""", "|")
newChars= replace(newChars, "|", "''")
end function
------------FUNCTION 1--------------

------------FUNCTION 2--------------
function SQLInject2(strWords)
dim badChars, newChars, tmpChars, regEx, i
badChars = array( _
"select(.*)(from|with|by){1}", "insert(.*)(into|values){1}", "update(.*)set", "delete(.*)(from|with){1}", _
"drop(.*)(from|aggre|role|assem|key|cert|cont|cred ential|data|endpoint|event|f ulltext|function|index|login|type|schema|procedure |que|remote|role|route|sign| stat|syno|table|trigger|user|view|xml){1}", _
"alter(.*)(application|assem|key|author|cert|crede ntial|data|endpoint|fulltext |function|index|login|type|schema|procedure|que|re mote|role|route|serv|table|u ser|view|xml){1}", _
"xp_", "sp_", "restore\s", "grant\s", "revoke\s", _
"dbcc", "dump", "use\s", "set\s", "truncate\s", "backup\s", _
"load\s", "save\s", "shutdown", "cast(.*)\(", "convert(.*)\(", "execute\s", _
"updatetext", "writetext", "reconfigure", _
"/\*", "\*/", ";", "\-\-", "\[", "\]", "char(.*)\(", "nchar(.*)\(")
newChars = strWords
for i = 0 to uBound(badChars)
Set regEx = New RegExp
regEx.Pattern = badChars(i)
regEx.IgnoreCase = True
regEx.Global = True
newChars = regEx.Replace(newChars, "")
Set regEx = nothing
newChars = replace(newChars, "'", "''")
SqlInject2 = newChars
end function
------------FUNCTION 2--------------

------------FUNCTION 3--------------
Function isURL(strURL)

Dim Slug, re, re2

'Everything to lower case
Slug = lcase(strURL)

' Replace - with empty space
Slug = Replace(Slug, "-", " ")

' Replace unwanted characters with space
Set re = New RegExp
re.Pattern = "[^a-z0-9\s-]"
re.Global = True
Slug = re.Replace(Slug, " ")

' Replace multple white spaces with single space
Set re2 = New RegExp
re2.Pattern = "\s+"
re2.Global = True
Slug = re2.Replace(Slug, " ")

Slug = Trim(Slug)

' Replace white space with -
Slug = Replace(Slug," ", "-")

isURL = Slug

End Function

------------FUNCTION 3--------------

Can anyone let me know if the above is any good and if so which one is the best one? If not, can anyone suggest a sample script I can use just to get by for the moment? Any help would be fully appreciated.

Best regards

Rod from the UK