I have found out that our software is vulnerable to SQL injection.
Our software is written in C# with a kind of Gizmox framework. Our framework can’t deal with parameterized queries and uses string concatenation to build the SQL queries.
I know that this all sounds very bad, but in the long term we will refactor this. In the short term we need a quick (and maybe dirty) hotfix.
Our idea is to validate the user input against the following blacklist with a regex:
"--" , ";--" , ";" , "/*" , "*/" , "@@" , "@" , "char" , "nchar" , "varchar" , "nvarchar" , "alter" , "begin" , "cast" , "create" , "cursor" , "declare" , "delete" , "drop" , "end" , "exec" , "execute" , "fetch" , "insert" , "kill" , "open" , "select" , "sys" , "sysobjects" , "syscolumns" , "table" , "update"
Due to the fact that a blacklist is the weakest SQL protection that you can have, I want to ask for a better solution.
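For comparison, here is an added example (not code from the question's project) that puts the blacklist above next to two alternatives a defender would reach for first: a parameterized ADO.NET command and a typed whitelist for the cases where concatenation has to stay for now. It assumes the data layer can use `System.Data.SqlClient` and a hypothetical `Customers` table; whether the Gizmox-based framework allows that is an assumption the question does not confirm.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Linq;
using System.Text.RegularExpressions;

// Added example, not code from the question's project. Table "Customers" is hypothetical.
static class SqlInputGuard
{
    // The blacklist from the question, as one case-insensitive regex. Keyword
    // entries get \b boundaries so "selection" or "tablet" are not rejected.
    static readonly string[] Blacklist = {
        "--", ";--", ";", "/*", "*/", "@@", "@", "char", "nchar", "varchar", "nvarchar",
        "alter", "begin", "cast", "create", "cursor", "declare", "delete", "drop", "end",
        "exec", "execute", "fetch", "insert", "kill", "open", "select", "sys",
        "sysobjects", "syscolumns", "table", "update" };
    static readonly Regex BlacklistRegex = new Regex(
        string.Join("|", Blacklist.Select(t =>
            Regex.IsMatch(t, @"^\w+$") ? @"\b" + Regex.Escape(t) + @"\b" : Regex.Escape(t))),
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // True when the value hits the blacklist. Cost of this approach: real data
    // such as a customer named "Declan Open" or a note containing "table" is refused.
    public static bool HitsBlacklist(string value) => BlacklistRegex.IsMatch(value);

    // Option 1 (preferred): a parameterized ADO.NET command. The value travels as
    // a typed parameter, so no user text is ever spliced into the SQL string.
    public static DataTable FindCustomerByName(SqlConnection conn, string name)
    {
        using (var cmd = new SqlCommand("SELECT Id, Name FROM Customers WHERE Name = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            var table = new DataTable();
            using (var reader = cmd.ExecuteReader()) table.Load(reader);
            return table;
        }
    }

    // Option 2 (hotfix while concatenation stays): whitelist by type. The raw
    // string is parsed to int (digits only), so only digits can reach the query text.
    public static string BuildCustomerByIdQuery(string rawId)
    {
        int id;
        if (!int.TryParse(rawId, NumberStyles.None, CultureInfo.InvariantCulture, out id))
            throw new ArgumentException("Customer id must be a non-negative integer.");
        return "SELECT Id, Name FROM Customers WHERE Id = "
             + id.ToString(CultureInfo.InvariantCulture);
    }
}
```

Option 2 generalizes to any input with a narrow shape (dates, enum values, column names checked against a fixed list); free text such as names has no safe concatenated form and should go through option 1.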