[devtalk] SQL injection attack help

Portman mrport at roadrunner.com
Wed Nov 11 21:12:45 GMT 2009


Here is my code:

    ' Test email for characters that signal malicious content
    strEmail = Request.Form("email")
    Dim MailTest
    MailTest = InStr(strEmail, "<")
    If MailTest <> 0 Then
        Response.Redirect "../index.asp"
    End If
    MailTest = InStr(strEmail, "'")
    If MailTest <> 0 Then
        Response.Redirect "../index.asp"
    End If
    MailTest = InStr(strEmail, ">")
    If MailTest <> 0 Then
        Response.Redirect "../index.asp"
    End If

    ' The RegExp object below is configured and then released;
    ' its pattern is never tested against strEmail.
    Dim RegEx
    Set RegEx = New RegExp
    RegEx.Pattern = "<|>|&lt;|&gt;"
    RegEx.Global = True
    RegEx.IgnoreCase = True
    Set RegEx = Nothing

The code that I have found to be inserted most commonly is a <script> 
tag with a URL in it. Don't know how much of it I can post without it 
being stopped by spam filters, etc. Is this what you meant?

Riva

Robert Hoenig wrote:
> Is there any way to send in a parameter list that might be inserted?
>
> Post your code again.
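
An added example, not part of the original post or of any list member's code: the same form field handled with an allow-list check, a parameterized ADO command so the value is bound as data rather than concatenated into the SQL text, and HTML encoding on output. The table name, column name and the Application("ConnString") setting are assumptions made for illustration.

```vbscript
' Added example. Names marked "assumed" do not come from the original post.
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const adExecuteNoRecords = 128

' Allow-list: accept only a conservative address shape instead of
' hunting for individual "bad" characters.
Function IsPlausibleEmail(ByVal s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
    re.IgnoreCase = True
    IsPlausibleEmail = (Len(s) <= 254) And re.Test(s)
    Set re = Nothing
End Function

Dim strEmail, conn, cmd
strEmail = Trim(Request.Form("email"))

If Not IsPlausibleEmail(strEmail) Then
    Response.Redirect "../index.asp"
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")            ' assumed: connection string kept in Application scope

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholder is filled by the provider; the value never becomes SQL text.
cmd.CommandText = "INSERT INTO Subscribers (Email) VALUES (?)"   ' assumed table and column
cmd.Parameters.Append cmd.CreateParameter("email", adVarWChar, adParamInput, 254, strEmail)
cmd.Execute , , adCmdText + adExecuteNoRecords

Set cmd = Nothing
conn.Close
Set conn = Nothing

' Encode on output so stored markup is rendered as text, not as a tag.
Response.Write "Registered: " & Server.HTMLEncode(strEmail)
```

The same binding has to be applied to every query that takes request data, not only the one for this field, and values already in the database should be HTML-encoded wherever they are written to a page.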

