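-- udf_ContainsSQLInjection: heuristic keyword scan of a string.
--
-- Returns 1 when @Param1 contains any keyword from a fixed list as a whole,
-- space-delimited word (e.g. ' DROP '), an ' xp_' / ' sp_' procedure prefix,
-- or a semicolon anywhere; returns 0 otherwise. A NULL input returns 0.
--
-- This is a keyword blocklist, not a sanitizer: it cannot make string-built
-- SQL safe, and it flags ordinary text that happens to contain these words
-- (e.g. 'please CREATE a ticket', 'let us GO'). Callers must still pass
-- values as parameters (sp_executesql with a parameter list, or client-side
-- bind parameters); treat this result as a logging / auditing signal only.
--
-- PATINDEX follows the database's default collation, so on a case-insensitive
-- collation 'drop' and 'DROP' match alike. NOTE(review): confirm the collation
-- of the target database before relying on case-insensitive matching.
CREATE FUNCTION [dbo].[udf_ContainsSQLInjection]
(
    @Param1 varchar(max)
)
RETURNS BIT
AS
BEGIN
    -- ' ' + NULL is NULL and every PATINDEX comparison below would be UNKNOWN;
    -- return the "not suspect" value explicitly rather than by fall-through.
    IF @Param1 IS NULL
        RETURN 0;

    -- Pad BOTH ends with a single space so the '% WORD %' patterns treat the
    -- first and the last word of the input as whole words. Padding only the
    -- left side (the original behaviour) left a trailing keyword undetected.
    DECLARE @Padded varchar(max);
    SET @Padded = ' ' + @Param1 + ' ';

    -- '_' is a single-character wildcard in PATINDEX, so the procedure-prefix
    -- patterns escape it as [_] to require a literal underscore; the bare
    -- pattern '% xp_%' also matched e.g. ' xps'.
    IF (
        PATINDEX('% xp[_]%', @Padded) <> 0 OR
        PATINDEX('% sp[_]%', @Padded) <> 0 OR
        PATINDEX('% DROP %', @Padded) <> 0 OR
        PATINDEX('% GO %', @Padded) <> 0 OR
        PATINDEX('% INSERT %', @Padded) <> 0 OR
        PATINDEX('% UPDATE %', @Padded) <> 0 OR
        PATINDEX('% DBCC %', @Padded) <> 0 OR
        PATINDEX('% SHUTDOWN %', @Padded) <> 0 OR
        PATINDEX('% ALTER %', @Padded) <> 0 OR
        PATINDEX('% CREATE %', @Padded) <> 0 OR
        -- any statement separator, regardless of surrounding characters
        PATINDEX('%;%', @Padded) <> 0 OR
        PATINDEX('% EXECUTE %', @Padded) <> 0 OR
        PATINDEX('% EXEC %', @Padded) <> 0 OR
        PATINDEX('% BREAK %', @Padded) <> 0 OR
        PATINDEX('% BEGIN %', @Padded) <> 0 OR
        PATINDEX('% CHECKPOINT %', @Padded) <> 0 OR
        PATINDEX('% COMMIT %', @Padded) <> 0 OR
        PATINDEX('% TRANSACTION %', @Padded) <> 0 OR
        PATINDEX('% CURSOR %', @Padded) <> 0 OR
        PATINDEX('% GRANT %', @Padded) <> 0 OR
        PATINDEX('% DENY %', @Padded) <> 0 OR
        PATINDEX('% REVOKE %', @Padded) <> 0 OR
        PATINDEX('% ESCAPE %', @Padded) <> 0 OR
        PATINDEX('% WHILE %', @Padded) <> 0 OR
        PATINDEX('% OPENDATASOURCE %', @Padded) <> 0 OR
        PATINDEX('% OPENQUERY %', @Padded) <> 0 OR
        PATINDEX('% OPENROWSET %', @Padded) <> 0
    )
        RETURN 1;

    RETURN 0;
END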