This SQL Server user-defined scalar function accepts a varchar(max) data type parameter. It returns a bit value (1 or 0), based on whether the passed parameter contains suspicious values (as defined by the function). So, if the input parameter contains a call to a command such as "DELETE" or "SHUTDOWN", the flag is set to "1".
-- ============================================================================
-- Check Statement for SQL Injection
--
-- This scalar UDF accepts a varchar(max) data type parameter. It returns a bit
-- value (1 or 0), based on whether the passed parameter contains suspicious
-- values (as defined by the function). So, if the input parameter contains a
-- call to a command such as "DELETE" or "SHUTDOWN", the flag is set to "1":
-- ============================================================================
if exists(select * from sysobjects where name = 'CheckForSQLInjection')
begin
print '- Dropping existing "dbo.CheckForSQLInjection" UDF.';
drop function dbo.CheckForSQLInjection;
end;
go
print '- Creating "dbo.CheckForSQLInjection" UDF.';
go
create function dbo.CheckForSQLInjection (
@TSQLString varchar(max)
) returns bit
as
begin
declare @IsSuspect bit;
-- UDF assumes string will be left padded with a single space:
set @TSQLString = ' ' + @TSQLString;
if (
PATINDEX('% xp_%', @TSQLString) <> 0 or
PATINDEX('% sp_%', @TSQLString) <> 0 or
PATINDEX('% DROP %', @TSQLString) <> 0 or
PATINDEX('% GO %', @TSQLString) <> 0 or
PATINDEX('% INSERT %', @TSQLString) <> 0 or
PATINDEX('% UPDATE %', @TSQLString) <> 0 or
PATINDEX('% DBCC %', @TSQLString) <> 0 or
PATINDEX('% SHUTDOWN %', @TSQLString) <> 0 or
PATINDEX('% ALTER %', @TSQLString) <> 0 or
PATINDEX('% CREATE %', @TSQLString) <> 0 or
PATINDEX('%;%', @TSQLString) <> 0 or
PATINDEX('% EXECUTE %', @TSQLString) <> 0 or
PATINDEX('% BREAK %', @TSQLString) <> 0 or
PATINDEX('% BEGIN %', @TSQLString) <> 0 or
PATINDEX('% CHECKPOINT %', @TSQLString) <> 0 or
PATINDEX('% BREAK %', @TSQLString) <> 0 or
PATINDEX('% COMMIT %', @TSQLString) <> 0 or
PATINDEX('% TRANSACTION %', @TSQLString) <> 0 or
PATINDEX('% CURSOR %', @TSQLString) <> 0 or
PATINDEX('% GRANT %', @TSQLString) <> 0 or
PATINDEX('% DENY %', @TSQLString) <> 0 or
PATINDEX('% ESCAPE %', @TSQLString) <> 0 or
PATINDEX('% WHILE %', @TSQLString) <> 0 or
PATINDEX('% OPENDATASOURCE %', @TSQLString) <> 0 or
PATINDEX('% OPENQUERY %', @TSQLString) <> 0 or
PATINDEX('% OPENROWSET %', @TSQLString) <> 0 or
PATINDEX('% EXEC %', @TSQLString) <> 0
)
begin
select @IsSuspect = 1;
end
else
begin
select @IsSuspect = 0;
end
return (@IsSuspect);
end
go
-- ===========================================================================
-- Example Usage
-- ===========================================================================
-- Use AdventureWorks2012;
-- go
-- select dbo.CheckForSQLInjection ('SELECT * FROM HumanResources.Department'); --> 0
-- select dbo.CheckForSQLInjection (';SHUTDOWN'); --> "1", contains "SHUTDOWN"
-- select dbo.CheckForSQLInjection ('DROP HumanResources.Department'); --> "1", contains "DROP"