I have found out that our software is vulnerable to SQL injection.
Our software is written in C# with a kind of Gizmox framework. Our framework can't deal with parameterized queries and uses string concatenation to build the SQL queries.
I know that this all sounds very bad, but in the long term we will refactor this. In the short term we need a quick (and maybe dirty) hotfix.
Our idea is to validate the user input against the following blacklist with regex:
"--
" , ";--
" , ";
" , "/*
" , "*/
" , "@@
" , "@
" , "char
" , "nchar
" , "varchar
" , "nvarchar
" , "alter
" , "begin
" , "cast
" , "create
" , "cursor
" , "declare
" , "delete
" , "drop
" , "end
" , "exec
" , "execute
" , "fetch
" , "insert
" , "kill
" , "open
" , "select
" , "sys
" , "sysobjects
" , "syscolumns
" , "table
" , "update
"
Due to the fact that a blacklist is the weakest SQL protection that you can have, I want to ask for a better solution.
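One way to avoid the blacklist entirely, shown here as an added example (not the asker's code and not part of Gizmox; it assumes SQL Server reached through System.Data.SqlClient, a table named Customers, and that the underlying SqlConnection is reachable from the application code): bind user values as SqlParameters on a SqlCommand built outside the framework's string-concatenation path, convert numeric input to a typed value, and allow-list the one piece a parameter cannot carry, the column identifier.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the asker's or Gizmox's code. Assumes SQL Server and a
// Customers table with CustomerId, Name, Email and City columns.
public static class SafeCustomerQuery
{
    // Allow-list for identifiers: the only part of the SQL text that can vary
    // and that cannot be a parameter. Any other column name is rejected.
    private static readonly string[] SearchableColumns = { "Name", "Email", "City" };

    // Vulnerable form the framework produces today (for contrast only):
    //   "SELECT ... FROM Customers WHERE " + column + " LIKE '%" + term + "%'"
    // Below, user data never becomes part of the SQL string.
    public static SqlCommand BuildSearch(SqlConnection conn, string column, string term, string pageSizeText)
    {
        // Pick the canonical constant from the allow-list, so the name that is
        // spliced into the query is one of our literals, not the caller's string.
        string safeColumn = Array.Find(SearchableColumns,
            c => string.Equals(c, column, StringComparison.OrdinalIgnoreCase));
        if (safeColumn == null)
            throw new ArgumentException("Column is not searchable.", nameof(column));

        // Numeric input is parsed and range-checked, never concatenated.
        if (!int.TryParse(pageSizeText, out int pageSize) || pageSize < 1 || pageSize > 100)
            throw new ArgumentException("Page size must be between 1 and 100.", nameof(pageSizeText));

        // The search term travels as a typed parameter: quotes, comment markers
        // or keywords inside it are inert data, so no blacklist is needed.
        var cmd = new SqlCommand(
            $"SELECT TOP (@pageSize) CustomerId, Name, Email FROM Customers WHERE [{safeColumn}] LIKE @term",
            conn);
        cmd.Parameters.Add("@pageSize", SqlDbType.Int).Value = pageSize;
        cmd.Parameters.Add("@term", SqlDbType.NVarChar, 200).Value = "%" + term + "%";
        return cmd;
    }

    // Executes the parameterized command and hands back a plain DataTable,
    // which a framework that only understands result sets can still consume.
    public static DataTable RunSearch(SqlConnection conn, string column, string term, string pageSizeText)
    {
        using (SqlCommand cmd = BuildSearch(conn, column, term, pageSizeText))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

If the framework's data layer insists on receiving a finished SQL string, running the SqlCommand yourself and passing the resulting DataTable to the framework keeps the parameter binding intact for the queries that take user input.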