
Secure injection defense functions.

Member
 
Join Date: May 2007
Posts: 101
#1: Jun 18 '08
I'm looking to make a few ASP functions to defend against attacks. The function will loop through an array, checking each item against the incoming statement. So, my question is, what are all the things I need to check for in my incoming statement?

Here are my arrays:

' Substrings rejected from input before it is used in a SQL statement
SQLCheck = Array("select", "drop", ";", "--", "insert", "delete", "'")

' Substrings rejected from input before it is written into the page
HTMLCheck = Array("<", ">", "javascript")
Are these all necessary, and are there any I've missed? Thanks for any help or pointers.

Moderator
 
Join Date: Jan 2008
Location: Winchester, UK
Posts: 930
#2: Jun 18 '08

re: Secure injection defense functions.


Hi zensunni,

You've obviously done some research on this already and correctly found that the most dangerous characters are the end of line (";"), comment ("--") and single quote mark ("'"), as these allow people to manipulate your SQL strings with the greatest ease. You could add UPDATE, SHUTDOWN & EXEC (to prevent the execution of stored procedures) to your list for additional safety.

For the HTML check you've probably covered most bases by not allowing the opening and closing tags thus preventing anyone from dropping script into your page. Anybody else got any views on this one?

Hope this helps,

Dr B
Moderator
 
Join Date: Jan 2007
Location: logan, utah
Posts: 2,690
#3: Jun 25 '08

re: Secure injection defense functions.


Quote:

Originally Posted by DrBunchman

Hi zensunni,

You've obviously done some research on this already and correctly found that the most dangerous characters are the end of line (";"), comment ("--") and single quote mark ("'"), as these allow people to manipulate your SQL strings with the greatest ease. You could add UPDATE, SHUTDOWN & EXEC (to prevent the execution of stored procedures) to your list for additional safety.

For the HTML check you've probably covered most bases by not allowing the opening and closing tags thus preventing anyone from dropping script into your page. Anybody else got any views on this one?

Hope this helps,

Dr B

That covers all the bases I can think of, but there are some alternative techniques you can try:

1- open a recordset - most injections will cause an error if used on a recordset

2- use only stored procedures - most injections are harmless if you don't execute SQL commands. Since stored procedures are not really SQL commands but instructions to execute a list of pre-compiled commands, it is highly unlikely that an injection could get through.

Jared
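Editor's note, with an added example that is not code from this thread or from any of the posters: the two replies above point in the same direction (keyword lists in #2, stored procedures in #3), and the example below shows concretely what the original arrays catch, what they miss, and what a bound parameter does instead. It uses Python's sqlite3 module in place of an ADO recordset and a constructed three-row users table; the function names (blacklist_rejects, find_user_concat, find_user_param, find_id_by_name_param, render_comment) are this example's own and are not from the thread.

```python
import html
import sqlite3

# The two arrays from the original post, transcribed as Python tuples.
SQL_CHECK = ("select", "drop", ";", "--", "insert", "delete", "'")
HTML_CHECK = ("<", ">", "javascript")


def blacklist_rejects(value, words):
    """True if any blacklisted substring occurs in value.

    The comparison is case-sensitive, which is what VBScript's InStr does
    unless it is called with vbTextCompare.
    """
    return any(word in value for word in words)


def setup_db():
    """In-memory SQLite database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("O'Brien", 0)],
    )
    conn.commit()
    return conn


def find_user_concat(conn, user_id):
    """Vulnerable lookup: the request value is pasted into the SQL text.

    A payload such as "1 OR 1=1" contains none of the SQL_CHECK substrings,
    so the blacklist passes it and the WHERE clause matches every row.
    """
    sql = "SELECT name FROM users WHERE id = " + user_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, user_id):
    """Hardened lookup: the value is bound as a parameter and never parsed as SQL.

    "1 OR 1=1" is compared as a single value against the id column; it is not
    a number, so it matches nothing.
    """
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def find_id_by_name_param(conn, name):
    """Parameterised lookup by name: an apostrophe in the value is just data,
    so legitimate names like O'Brien work and "' OR '1'='1" matches nothing."""
    sql = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_comment(text):
    """Output encoding for HTML: the browser displays the text instead of
    parsing it as markup, so no character list is needed."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    conn = setup_db()
    for payload in ("1 OR 1=1", "1 UNION SELECT is_admin FROM users", "O'Brien"):
        print(repr(payload), "rejected by SQLCheck:",
              blacklist_rejects(payload, SQL_CHECK))
    print("concat, id=1          :", find_user_concat(conn, "1"))
    print("concat, id='1 OR 1=1' :", find_user_concat(conn, "1 OR 1=1"))
    print("param,  id='1 OR 1=1' :", find_user_param(conn, "1 OR 1=1"))
    print("param,  name=O'Brien  :", find_id_by_name_param(conn, "O'Brien"))
    print("HTMLCheck on 'JavaScript:alert(1)':",
          blacklist_rejects("JavaScript:alert(1)", HTML_CHECK))
    print(render_comment("<img src=x onerror=alert(1)>"))
```

In classic ASP the bound parameter corresponds to an ADODB.Command with parameters appended via CreateParameter (the same mechanism that passes values to a stored procedure), and the output encoding corresponds to Server.HTMLEncode applied when the value is written to the page. The list-based checks keep their place as input validation for fields with a known shape (an ID should be digits only), not as the defence against injection.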