<%
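' Sqlcheck(str, errtype)
'   Deny-list filter for a request value that will be used in a SQL statement.
'
'   str      - the value to inspect. VBScript passes it ByRef, so the caller's
'              variable is also overwritten with the filtered text.
'   errtype  - error code appended to the Showerror.asp redirect when the value
'              is rejected.
'
'   Returns str with the listed punctuation removed. If a listed keyword is
'   found, the function writes a client-side redirect to Showerror.asp and ends
'   the response, so it does not return.
'
'   NOTE(review): a keyword/character deny-list is a secondary check only. It
'   rejects ordinary text (any value containing "or", "update", ...) and cannot
'   enumerate every dangerous construct. Queries that use the result should
'   still bind it as a parameter (ADODB.Command with parameters) instead of
'   concatenating it into the SQL text.
Function Sqlcheck(str, errtype)
    Dim stripChars, i, blocked

    ' Replace() raises "Invalid use of Null" on Null input; treat it as empty.
    If IsNull(str) Then str = ""

    ' First pass: keywords in the value exactly as received.
    blocked = SqlcheckHasKeyword(str, False)

    If Not blocked Then
        ' Characters removed from the value: _ * space " ' [ ] % : ; + { }
        stripChars = Array("_", "*", " ", Chr(34), Chr(39), Chr(91), Chr(93), _
                           Chr(37), Chr(58), Chr(59), Chr(43), "{", "}")
        For i = 0 To UBound(stripChars)
            str = Replace(str, stripChars(i), "")
        Next

        ' Second pass: removing characters can join fragments into a listed
        ' keyword, so the text that is actually returned is checked as well.
        blocked = SqlcheckHasKeyword(str, True)
    End If

    If blocked Then
        ' errtype is URL-encoded so it cannot break out of the quoted
        ' JavaScript string or the <script> element.
        Response.Write "<script language=javascript>" & vbCrLf & _
                       "window.location.href='Showerror.asp?errtype=" & _
                       Server.URLEncode(errtype & "") & "'" & vbCrLf & _
                       "</script>"
        Response.End
    End If

    Sqlcheck = str ' filtered value
End Function

' Returns True when text contains one of the deny-listed keywords.
' The comparison is case-insensitive: both sides are lower case.
' When compact is True, spaces and underscores are removed from each keyword
' first, so the list can be matched against text that Sqlcheck has already
' stripped of those characters.
' NOTE(review): "count(", "asc(", "mid(" and "char(" are written without the
' space that the original listing shows before "(" - confirm against the
' deployed copy.
Function SqlcheckHasKeyword(text, compact)
    Dim keywords, lowered, k, pattern

    keywords = Array("select", "insert", "delete", "count(", "drop table", _
                     "update", "truncate", "asc(", "mid(", "char(", _
                     "xp_cmdshell", "exec master", _
                     "net localgroup administrators", " and ", "net user", "or")

    lowered = LCase(text)
    SqlcheckHasKeyword = False

    For Each k In keywords
        pattern = k
        If compact Then pattern = Replace(Replace(pattern, " ", ""), "_", "")
        If InStr(lowered, pattern) > 0 Then
            SqlcheckHasKeyword = True
            Exit Function
        End If
    Next
End Function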
%>