Comments on: Users are Evil (or, How to Protect Yourself From SQL Injection)

By: Spencer Ruport

Spencer Ruport — Thu, 26 Apr 2007 18:48:50 +0000

Good advice. For most applications I’ve found that the following two functions when applied to any user inputs protect against any sort of SQL injection. iP is used for input that’s supposed to be numerical and sP is used for input thats supposed to be text.

Public Function iP(val As Variant) As Integer
On Error Resume Next
iP = 0
iP = CInt(val) * 1
If IsNull(iP) Then
iP = 0
End If
End Function
Public Function sP(val As Variant) As String
sP = Replace(CStr(val), “‘”, “””)
End Function

By: Ravi Magod

Ravi Magod — Wed, 17 Jan 2007 11:42:24 +0000

It is sort of scaring to know how evil people can make life hell for others.

Thanks, “To be fore warned is to be fore armed”

By: Blake

Blake — Sat, 09 Dec 2006 17:33:29 +0000

I had heard of SQL injection, but hadn’t had time to look too deeply into it.

Thanks for the heads-up and the examples. I’m sure there is a lot more to having a ‘completely secure’ (as though those two words can really be put together) site, but every little bit helps.