For some time I have been designing all my database with unbound forms that input and output data on a SQL server using VBA. To protect against SQL injection on all my forms for adding and editing records I use a simple function I created:
It works by replacing potentially harmful characters/words in the form with less harmful ones so the SQL doesn't see the harmful ones. But at the same time it actually changes what the user inputs, which can cause upset. I have a couple of questions:
Code:
Public Function MakeSqlSafe(varInput As Variant) As String
Dim strInput As String: strInput = CStr(varInput)
If InStr(strInput, ";") > 0 Then
strInput = Replace(strInput, ";", ",")
End If
If InStr(strInput, "drop") > 0 Then
strInput = Replace(strInput, "drop", "droop")
End If
If InStr(strInput, "'") > 0 Then
strInput = Replace(strInput, "'", "''")
End If
If InStr(strInput, "--") > 0 Then
strInput = Replace(strInput, "--", " - - ")
End If
If InStr(strInput, "/*") > 0 Then
strInput = Replace(strInput, "/*", "/ *")
End If
If InStr(strInput, "*/") > 0 Then
strInput = Replace(strInput, "*/", "* /")
End If
If InStr(strInput, "xp_") > 0 Then
strInput = Replace(strInput, "xp_", "x p _")
End If
MakeSqlSafe = strInput
End Function
It works by replacing potentially harmful characters/words in the form with less harmful ones so the SQL doesn't see the harmful ones. But at the same time it actually changes what the user inputs, which can cause upset. I have a couple of questions:
- Is there any way to protect against SQL Injection without being so intrusive?
- Have I covered everything?