New to web development and taking over someone's code. They have a function to prevent SQL injection, for a SQL Server database:
function safe(val, maxsize)
    dim i, terms
    ' blacklist of substrings the original author considered dangerous
    terms = array( _
        "cast", _
        "select", _
        "varchar", _
        "declare", _
        "drop", _
        ";", _
        "--", _
        "insert", _
        "delete", _
        "xp_" _
    )
    ' truncate to the column size and trim surrounding spaces
    val = left(val, maxsize)
    val = trim(val)
    ' case-insensitive pass: each blacklisted term is wrapped as e_<term>_e
    ' (Replace takes start, count, compare; vbTextCompare must be the 6th argument,
    ' otherwise it is silently used as the start position)
    for i = 0 to ubound(terms)
        val = replace(val, terms(i), "e_" & terms(i) & "_e", 1, -1, vbTextCompare)
    next
    ' double single quotes so the value can sit inside a quoted SQL literal
    val = replace(val, "'", "''")
    ' the return value must be assigned to the function's own name
    safe = val
end function
Hesitant to touch this, but is this missing anything? It seems they occasionally get hacked.
The following article should help:
http://tugberkugurlu.com/archive/sql-injection-vs-lethal-injection-protection-against-sql-injection
It is not a good idea to go down this path with string.Replace.
I would completely scrap that function and start using a parameterized statement like Aaron mentioned in his comment. If you haven't done so before, there are various articles on how to do so. In the article I linked you to, look at step 2.
I would not rely on such a function to prevent SQL injection attacks. Parameterized queries are a must. There are almost surely some injection texts you will miss using the approach of the method you listed.