Database/form security

Databases can be compromised if they are open to SQL injection attacks. Stripping invalid characters from form inputs reduces this risk.

If you have a form on your site that interacts with a database (e.g. a username/password login form), you should secure the form by adding an extra stage between submission and the database look-up. One way to do this is to check the submitted values for valid content.

As usernames and passwords are usually strings of alphanumeric characters, you can strip out 'bad' characters from the input string. The easiest way to do this is to collect the form's input and check each character against a regular expression, removing any that are invalid.

The code below removes all non-alphanumeric characters from the input string:

<%
'gets the text submitted via the form
Dim strUsername, strPassword
strUsername = Request.Form("username")
strPassword = Request.Form("password")

'function to strip all non-alphanumeric characters
Function stripChars(strInput)
    Dim objRE
    Set objRE = New RegExp
    With objRE
        'match any single character that is not a letter or digit
        .Pattern = "[^A-Za-z0-9]"
        'replace every match, not just the first one
        .Global = True
    End With
    stripChars = objRE.Replace(strInput, "")
    Set objRE = Nothing
End Function

'this is the function in use
strUsername = stripChars(strUsername)
strPassword = stripChars(strPassword)
%>
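The same whitelist can be applied as a check that rejects the request instead of silently altering it. The example below is added here and is not part of the original page; it assumes the same form field names, a hypothetical IsAlnum function, and illustrative length limits of 32 and 64 characters. Stripping changes what the user typed (a password such as "p@ss!word" would become "password"), whereas rejecting non-matching input keeps the data intact and stops the request before the database look-up runs.

```vbscript
<%
Option Explicit

' Added example, not from the original page. Returns True only when strInput
' consists of 1..intMaxLen letters or digits; anything else fails the check.
Function IsAlnum(strInput, intMaxLen)
    Dim objRE
    Set objRE = New RegExp
    ' Anchored pattern: the whole string must match, not just part of it.
    objRE.Pattern = "^[A-Za-z0-9]{1," & intMaxLen & "}$"
    objRE.Global = False
    IsAlnum = objRE.Test(strInput)
    Set objRE = Nothing
End Function

Dim strUsername, strPassword
strUsername = Request.Form("username")
strPassword = Request.Form("password")

' Hypothetical field limits; set them to match the column sizes in your schema.
If Not IsAlnum(strUsername, 32) Or Not IsAlnum(strPassword, 64) Then
    ' Input failed the check: send an error and never touch the database.
    Response.Status = "400 Bad Request"
    Response.Write "Username and password may only contain letters and digits."
    Response.End
End If

' At this point both values are known to contain only [A-Za-z0-9]
' and are unchanged from what the user submitted.
%>
```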