Access / ASP hacked insert

I have a small ASP website with an Access2000 database.
Seems someone has found it and INSERTS records into a table by typing the URL and not via web page/form.
I know this as I have some vbscript that prompts that all fields must be filled in.
These INSERTed records have a mismatch of characters including MIME .. CONTENT etc.
Is there a way I can prevent this? I'm thinking maybe a stored procedure or a function?
Thanks
Gord
--
Message posted via http://www.accessmonster.com
Nov 13 '05 #1
On Fri, 23 Sep 2005 19:48:22 GMT, "Gord D via AccessMonster.com" <fo***@AccessMonster.com> wrote:
> I have a small ASP website with an Access2000 database.
> Seems someone has found it and INSERTS records into a table by typing the URL and not via web page/form.
> I know this as I have some vbscript that prompts that all fields must be filled in.
> These INSERTed records have a mismatch of characters including MIME .. CONTENT etc.
> Is there a way I can prevent this? I'm thinking maybe a stored procedure or a function?
> Thanks
> Gord

Use Post method?
Check the referer? (to prevent people using phony forms)
Nov 13 '05 #2
rkc
Gord D via AccessMonster.com wrote:
> I have a small ASP website with an Access2000 database.
> Seems someone has found it and INSERTS records into a table by typing the URL and not via web page/form.
> I know this as I have some vbscript that prompts that all fields must be filled in.
> These INSERTed records have a mismatch of characters including MIME .. CONTENT etc.
> Is there a way I can prevent this? I'm thinking maybe a stored procedure or a function?

Validate everything on the server side. It's mildly insane not to.
Nov 13 '05 #3
polite person wrote:
>> I have a small ASP website with an Access2000 database.
>> Seems someone has found it and INSERTS records into a table by typing the URL
> [quoted text clipped - 8 lines]
>> Thanks
>> Gord
>
> Use Post method?
> Check the referer? (to prevent people using phony forms)

Yes, I do a post...Hmm I'll have to see if I can figure out what you mean by the Referer. I'm assuming
1.asp is the Form Page 2.asp is the SQL INSERT page.
So on page 2.asp if Referer on 1.asp then INSERT invalid....Hmm
Thanks I'll look into that.
--
Message posted via http://www.accessmonster.com
Nov 13 '05 #4
rkc wrote:
>> I have a small ASP website with an Access2000 database.
>> Seems someone has found it and INSERTS records into a table by typing the URL
> [quoted text clipped - 6 lines]
>> Is there a way I can prevent this? I'm thinking maybe a stored procedure or a function?
>
> Validate everything on the server side. It's mildly insane not to.

I think you are saying validate the Request.Form values and if everything is kosher create and execute the SQL INSERT....
That's good too. I was using Macromedia plugins which are not fairly generic.
Thanks all and a great Friday night!
G
--
Message posted via http://www.accessmonster.com
Nov 13 '05 #5
On Fri, 23 Sep 2005 21:54:01 GMT, "Gord D via AccessMonster.com" <fo***@AccessMonster.com> wrote:
> rkc wrote:
>>> I have a small ASP website with an Access2000 database.
>>> Seems someone has found it and INSERTS records into a table by typing the URL
>> [quoted text clipped - 6 lines]
>>> Is there a way I can prevent this? I'm thinking maybe a stored procedure or a function?
>>
>> Validate everything on the server side. It's mildly insane not to.

certainly!

> I think you are saying validate the Request.Form values and if everything is kosher create and execute the SQL INSERT....
> That's good too. I was using Macromedia plugins which are not fairly generic.
> Thanks all and a great Friday night!
> G

If everything validates correctly I suppose you could argue that it doesn't matter
whether the data actually came from your page or from a hacker using a spoof form,
though if your site uses login and is not otherwise secured it probably would.

For an example of where referrer would be useful see
http://www.brainjar.com/asp/formmail/default2.asp
Nov 13 '05 #6
"Gord D via AccessMonster.com" <fo***@AccessMonster.com> wrote in
news:54***********@AccessMonster.com:
> I have a small ASP website with an Access2000 database.

No, actually, you don't.

You have a small ASP website with a Jet 4 database that you used
Access 2000 to create.

Because of that, your problem is not an Access question.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 13 '05 #7
rkc <rk*@rochester.yabba.dabba.do.rr.bomb> wrote in
news:Df*****************@twister.nyroc.rr.com:
> Gord D via AccessMonster.com wrote:
>> I have a small ASP website with an Access2000 database.
>> Seems someone has found it and INSERTS records into a table by typing the URL and not via web page/form.
>> I know this as I have some vbscript that prompts that all fields must be filled in.
>> These INSERTed records have a mismatch of characters including MIME .. CONTENT etc.
>> Is there a way I can prevent this? I'm thinking maybe a stored procedure or a function?
>
> Validate everything on the server side. It's mildly insane not to.

Also, the db should be in a location that is not accessible via
HTTP, but *is* accessible to the ASP script running on the server.

That's basic web application design -- databases should always be
stored outside the HTTP filespace.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 13 '05 #8
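The server-side checks suggested in the replies so far (POST and Referer check, validating the Request.Form values before the INSERT, database file outside the HTTP filespace), put together as an added example that is not code from any poster in this thread. The URL, database path, form field names and the Guestbook table layout are hypothetical.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' 2.asp: receives the guestbook form posted from 1.asp.
' Hypothetical: FORM_URL, DB_PATH, field names, table Guestbook(VisitorName, Email, EntryText).
Const FORM_URL = "http://www.example.com/1.asp"
Const DB_PATH = "D:\data\Guestbook.mdb"   ' kept outside the web root
Const adVarWChar = 202, adParamInput = 1, adCmdText = 1, adExecuteNoRecords = 128
Sub Reject(reason)
    Response.Status = "400 Bad Request"
    Response.Write Server.HTMLEncode(reason)
    Response.End
End Sub
' Returns the trimmed field, or "" when it is longer than maxLen or,
' for single-line fields, contains a line break.
Function CleanField(name, maxLen, singleLine)
    Dim v : v = Trim(Request.Form(name))
    If Len(v) > maxLen Then v = ""
    If singleLine And (InStr(v, vbCr) > 0 Or InStr(v, vbLf) > 0) Then v = ""
    CleanField = v
End Function

' Coarse filters only: method and Referer are both supplied by the client.
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then Reject "POST required"
If LCase(Left(Request.ServerVariables("HTTP_REFERER"), Len(FORM_URL))) <> LCase(FORM_URL) Then Reject "Use the guestbook form"

' Server-side validation: every field required, bounded, and well-formed.
Dim visitorName, email, entryText, re, conn, cmd
visitorName = CleanField("name", 50, True)
email = CleanField("email", 100, True)
entryText = CleanField("comment", 255, False)
Set re = New RegExp
re.Pattern = "^[^@\s]+@[^@\s]+\.[^@\s]+$"
If visitorName = "" Or entryText = "" Or Not re.Test(email) Then Reject "Invalid field"

' Parameterized INSERT: values are bound, never concatenated into the SQL text.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DB_PATH
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO Guestbook (VisitorName, Email, EntryText) VALUES (?, ?, ?)"
cmd.Parameters.Append cmd.CreateParameter("p1", adVarWChar, adParamInput, 50, visitorName)
cmd.Parameters.Append cmd.CreateParameter("p2", adVarWChar, adParamInput, 100, email)
cmd.Parameters.Append cmd.CreateParameter("p3", adVarWChar, adParamInput, 255, entryText)
cmd.Execute , , adExecuteNoRecords
conn.Close
Response.Write "Thank you."
%>
```

The client-side vbscript prompt can stay for usability, but only the checks in this handler run on every request, whether or not it came from the form.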
On Fri, 23 Sep 2005 17:45:16 -0500, "David W. Fenton" <dX********@bway.net.invalid> wrote:
> "Gord D via AccessMonster.com" <fo***@AccessMonster.com> wrote in
> news:54***********@AccessMonster.com:
>> I have a small ASP website with an Access2000 database.
>
> No, actually, you don't.
>
> You have a small ASP website with a Jet 4 database that you used
> Access 2000 to create.
>
> Because of that, your problem is not an Access question.

Hey, let me make the rude remarks around here!

The error is a common one.
Even off-topic posts often get answered here more quickly than elsewhere,
the group is far from dying.
Nov 13 '05 #9
polite person wrote:
>>>> I have a small ASP website with an Access2000 database.
>>>> Seems someone has found it and INSERTS records into a table by typing the URL
>>> [quoted text clipped - 3 lines]
>>> Validate everything on the server side. It's mildly insane not to.
>
> certainly!
>
>> I think you are saying validate the Request.Form values and if everything is kosher create and execute the SQL INSERT....
>> That's good too. I was using Macromedia plugins which are not fairly generic.
>>
>> Thanks all and a great Friday night!
>> G
>
> If everything validates correctly I suppose you could argue that it doesn't matter
> whether the data actually came from your page or from a hacker using a spoof form,
> though if your site uses login and is not otherwise secured it probably would.
>
> For an example of where referrer would be useful see
> http://www.brainjar.com/asp/formmail/default2.asp

This example is great, once again thank you.
--
Message posted via http://www.accessmonster.com
Nov 13 '05 #10
David W. Fenton wrote:
>> I have a small ASP website with an Access2000 database.
>
> No, actually, you don't.
>
> You have a small ASP website with a Jet 4 database that you used
> Access 2000 to create.
>
> Because of that, your problem is not an Access question.

Sorry but I'm sure it is an Access database. When I double click the file
Guestbook.mdb the window caption says "Microsoft Access". Is there another
way I can confirm this? Sometimes there is a Help... About feature. Could
you tell me where to find the Help menu?
--
Message posted via http://www.accessmonster.com
Nov 13 '05 #11
"Gord D via AccessMonster.com" <u4943@uwe> wrote in
news:54d9210ac8e87@uwe:
> David W. Fenton wrote:
>>> I have a small ASP website with an Access2000 database.
>>
>> No, actually, you don't.
>>
>> You have a small ASP website with a Jet 4 database that you used
>> Access 2000 to create.
>>
>> Because of that, your problem is not an Access question.
>
> Sorry but I'm sure it is an Access database. When I double click
> the file Guestbook.mdb the window caption says "Microsoft Access".
> Is there another way I can confirm this? Sometimes there is a
> Help... About feature. Could you tell me where to find the Help
> menu?

No, if it's being used by ASP, ASP is using *none* of the Access
aspects of the file. It only uses Jet objects, tables and queries.
ASP knows nothing of forms or reports, etc., and those are the
Access objects, which are stored in Jet tables.

You can create an MDB without using Access at all, simply by using
DAO commands. The resulting MDB is smaller and leaner because it
lacks all the properties that Access adds to tables and queries.

I don't do anything but Access development, so I've never had any
call to use Jet only, but if I were using an MDB for the data on a
web page, I might consider creating it programmatically with Jet
alone precisely to get the leaner MDB file out of it.

You could still use Access to view the file directly, as it won't
add the properties after the Jet objects are created (though it will
show them, say, in table view, with no value for those properties).

As to what Windows Explorer tells you, that has zilch to do with the
actual content of a file. If you took a Microsoft Word file and
changed the extension from DOC to MDB, it, too, will be listed as a
Microsoft Access file, even though you know perfectly well that it
is nothing of the sort.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 13 '05 #12
