Injection Proof'd - The Daily WTF
Injection proof'd code:
/// <summary>
/// Legacy "sanitizer" applied to a value before it is concatenated into a SQL string:
/// doubles every single quote, strips a fixed list of substrings (case-insensitive
/// except for the "--" pass, which is binary), and trims the result with VB semantics.
/// </summary>
/// <param name="WhichField">Raw input value; a null value is walked as if it were empty.</param>
/// <returns>The rewritten value.</returns>
/// <remarks>
/// NOTE(review): this does not make string-built SQL safe. Quote doubling only matters
/// inside a single-quoted literal, and substring removal is not a defense: anything the
/// list omits passes through unchanged, and removing one token can leave another behind,
/// so a later pass may match text that did not exist before. The real fix is a
/// parameterized query at the call site; this rewrite is deliberately behavior-identical
/// and keeps every pass in the original nesting order (including the repeated "alter table").
/// </remarks>
internal static string FQ(string WhichField)
{
    // Pass 1: double each single quote, walking the string 1-based as the VB helpers expect.
    var quoted = new System.Text.StringBuilder();
    int length = Strings.Len(WhichField);
    for (int position = 1; position <= length; position++)
    {
        string ch = Strings.Mid(WhichField, position, 1);
        quoted.Append(ch == "'" ? "''" : ch);
    }
    string result = quoted.ToString();

    // Pass 2: the blacklist. Order matters because each pass sees the previous pass's output,
    // which is also why the second "alter table" entry is not a no-op and must stay.
    (string Find, string Replacement, CompareMethod Compare)[] passes =
    {
        ("xp_", "", CompareMethod.Text),
        ("sp_", "", CompareMethod.Text),
        ("--", "-", CompareMethod.Binary),
        ("alter table", "", CompareMethod.Text),
        ("drop table", "", CompareMethod.Text),
        ("create table", "", CompareMethod.Text),
        ("create database", "", CompareMethod.Text),
        ("alter table", "", CompareMethod.Text),
        ("alter column", "", CompareMethod.Text),
        ("drop column", "", CompareMethod.Text),
        ("drop database", "", CompareMethod.Text),
        ("1=1", "", CompareMethod.Text),
        ("union select", "", CompareMethod.Text),
        ("/*", "", CompareMethod.Text),
        ("*/", "", CompareMethod.Text),
        ("boot.ini", "", CompareMethod.Text),
        ("../", "", CompareMethod.Text),
        ("%27", "", CompareMethod.Text),
        (";dir", "", CompareMethod.Text),
        ("|dir", "", CompareMethod.Text),
        ("<script", "", CompareMethod.Text),
        ("</script>", "", CompareMethod.Text),
        ("language=javascript", "", CompareMethod.Text),
        ("language=\"javascript\"", "", CompareMethod.Text),
    };
    foreach (var (find, replacement, compare) in passes)
    {
        // Start=1, Count=-1: replace every occurrence from the beginning of the string.
        result = Strings.Replace(result, find, replacement, 1, -1, compare);
    }

    // Strings.Trim rather than string.Trim() to keep the original's exact trimming semantics.
    return Strings.Trim(result);
}
via thedailywtf.com
The above example from TDWTF is so typical: a blacklist of keywords cannot make string-built SQL safe, because anything the list misses goes straight through, and the only real fix is parameterized queries. I really hate finding stuff like this in code and it makes me worry every time. Why are companies paying for code like this? I really do not understand. Quality assurance, quality assurance, quality assurance - learn it!