
SQL Injection and preventing querystring abuse

Hi all,

A recent project that I had finished and went live with no apparent
problems.

My client received an email from a user who mentioned that by accident they
had been typing (over the querystring I guess), and the url had become

default.asp?pageid='asd

They then received a SQL Server error message.

My client contacted their webhost, who came back to them promptly and talked
of 'SQL Injection'; they said that we would need to secure the code as well
as the permissions on the database (which I believe they have done)..

This is something I had overlooked, and started to write a fix for a couple
of nights ago...but I don't think it's 100%....

Basically I now do this at the top of my default.asp page...

'***************************************************************************
' Here we retrieve the page id from our querystring.
'***************************************************************************

strCurrentPageID = Request.QueryString("pageid")

'***************************************************************************
' If we do have a page id in the querystring we check that it is numeric.
'***************************************************************************

If strCurrentPageID <> "" Then

    '***********************************************************************
    ' If it is not then we set our flag to false.
    '***********************************************************************

    If IsNumeric(strCurrentPageID) Then

        Response.Write strCurrentPageID

        '*******************************************************************
        ' Here we test to see if our 'int' field type has been exceeded.
        ' The value is converted with CDbl first: VBScript does not compare
        ' a string against a number numerically, so the bare string would
        ' never satisfy the range test.
        '*******************************************************************

        If CDbl(strCurrentPageID) > 0 And CDbl(strCurrentPageID) <= 2147483647 Then
            strPageError = False
        Else
            strPageError = True
        End If

    '***********************************************************************
    ' If it is then we set our flag to true.
    '***********************************************************************

    Else
        strPageError = True
    End If

'***************************************************************************
' If we do not have a page id within our querystring then we set our flag
' to false, and check our pages table to see which page has been set to the
' default page.
'***************************************************************************

ElseIf strCurrentPageID = "" Then

    strPageError = False

    SQL = "SELECT PageID FROM tblPages WHERE PageIsDefault = '1'"
%>
<!--#Include File="_IncludeScripts/ReadOnly.asp"-->
<%
    If Not RS.BOF And Not RS.EOF Then
        strCurrentPageID = RS("PageID")
    End If
%>
<!--#Include File="_IncludeScripts/ReadOnlyClose.asp"-->
<%
End If
%>

If the user arrives at the site with no pageid, we assume that they are
looking at the default page and set the CurrentPageID to the id of the page
flagged as being the home page.

If they do arrive here with a pageid in the querystring I then start to
validate it...

First I check to see if it's numeric, as the id relates to an INT field type
in the SQL database; if it isn't, the validation sets a flag to 'false'; if
the value is numeric then I check to ensure that it's within the lower and
upper values for the INT data field type.

If all is ok, we set a flag to be 'true'.

The flag gets checked later on another page which then displays either a
404 message if the validation flag was false, or the correct page if the
validation flag is set to true.

This has been working nicely, and alphabetical characters, special characters
(including the dreaded ' ) have all been ok with this...

However!

I have one area of this code which is for FAQs; as a result the querystring
now changes...

example;

default.asp?pageid=51&faqid=3

I'm doing my best to keep all my code dynamic, and not repeated, but because
previously I was only validating 'pageid' - I now have to duplicate the code
for 'faqid' - which I can do - but it feels, and looks, messy...

I was hoping that someone else may have come up against a similar problem
and could suggest an alternative way to do this, ideally looking at all
elements in the querystring whatever they are, ie, not having to know the
names of the variables to validate them.

If anyone has any suggestions, ideas, snippets of code I would be very
grateful to hear from you here...

Thanks in advance for your time reading my essay :o)

Regards

Robb Meade
Jul 19 '05 #1
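The webhost's advice to "secure the code" is, in practice, to stop building the SQL text out of querystring values at all. The following is an added example and not code from this thread: the page lookup done with a typed ADODB.Command parameter, so the value travels separately from the statement and a value like 'asd can never become part of it. The connection string strConn, the PageTitle column and the GetPageTitle name are assumptions for the example; tblPages and the INT PageID column are the ones named in the post. The caller is expected to have already reduced lngPageID to a Long inside the INT range.

```vbscript
' Added example, not code from the thread. Runs the page lookup with a typed
' ADODB.Command parameter, so the value is sent separately from the SQL text
' and nothing the user typed is concatenated into the statement.
' Assumptions (not from the thread): strConn is the connection string and
' tblPages has a PageTitle column; PageID is the INT column named in the post.
' lngPageID must already be a Long inside the INT range.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Function GetPageTitle(strConn, lngPageID)
    Dim cn, cmd, rs
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open strConn

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    ' "?" is a placeholder bound to the parameter appended below.
    cmd.CommandText = "SELECT PageTitle FROM tblPages WHERE PageID = ?"
    cmd.Parameters.Append cmd.CreateParameter("PageID", adInteger, adParamInput, 4, lngPageID)

    Set rs = cmd.Execute
    If rs.EOF Then
        GetPageTitle = ""            ' no such page: the caller shows its 404 page
    Else
        GetPageTitle = rs("PageTitle")
    End If
    rs.Close
    cn.Close
End Function
```

Two things worth knowing when using this pattern. First, assigning a non-numeric string to an adInteger parameter raises an ADO type error rather than running the query, so the numeric check described in the post still belongs in front of the call: it turns bad input into a 404 instead of a 500 with a database error in it. Second, a parameter protects the statement's structure only; the database permissions the webhost mentioned are what limit the damage if anything else on the site is still concatenating.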
Wrap it up in a function

Function CheckValidNumber(numToCheck, lowerLimit, upperLimit)
    ' validation checks: must be numeric and inside the allowed range
    If IsNumeric(numToCheck) Then
        If CDbl(numToCheck) >= lowerLimit And CDbl(numToCheck) <= upperLimit Then
            CheckValidNumber = True
        Else
            CheckValidNumber = False
        End If
    Else
        CheckValidNumber = False
    End If
End Function

So for your default.asp?pageid=51&faqid=3

Dim lngPageID
Dim lngFaqID
lngPageID = Request.QueryString("pageid")
If CheckValidNumber(lngPageID, 0, 2147483647) Then
    lngPageID = CLng(lngPageID)    ' CLng, not CInt: CInt overflows above 32767
Else
    lngPageID = 1
End If

'Same for lngFaqID
Jul 19 '05 #2
"TomB" wrote ...
> Wrap it up in a function

aye, that's a good idea, but I still need to be able to break down the
querystring per data item, for example;

pageid=15
faqid=10
anothervalue=blahblahblah

The application is still in its infancy, so the last one above here doesn't
apply really, all the querystring items at this time are always numeric, but
I still need to be able to pick up the 'value' of each querystring item
without knowing its name...

This possible?

Cheers for the reply

Robb
Jul 19 '05 #3
"TomB" wrote ...
> Wrap it up in a function

Just thought of another problem too...

If the function was called the first time and returned as an error, and then
goes off again for the faqid, but that returned ok - the flag would be
overwritten and change to be 'fine' - therefore creating an error on the
page :o/

As soon as the flag is found to be 'faulty' it needs to stop and run off and
say 'wow tiger - something's gone wrong' etc...

Robb
Jul 19 '05 #4
Have you read the SQL Injection FAQ? www.sqlsecurity.com

Bob Barrows
Jul 19 '05 #5
> If the function was called the first time and returned as an error,

Call Response.End
Jul 19 '05 #6
If CheckValidNumber(lngFaqID, 0, 2147483647) = True Then
    'do whatever
Else
    Response.Write "wow tiger - somethings wrong"
    Response.End
End If

If CheckValidNumber(lngPageID, 0, 2147483647) etc.etc.etc.

Jul 19 '05 #7
You don't know the names of your querystring items? If you know they will
all be numeric then you can do something like.....

Dim queryField
Dim bAllGood
bAllGood = True

For Each queryField In Request.QueryString
    If CheckValidNumber(Request.QueryString(queryField), 0, 2147483647) = False Then
        bAllGood = False
        Exit For
    End If
Next
If bAllGood = True Then
    'blah blah
Else
    Response.Write "Error, at least one querystring item is non-numeric"
    Response.End
End If
Jul 19 '05 #8
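The two ideas in this thread, the numeric-and-in-range check from the first post and the loop over every querystring item from the reply above, fit together into one routine, shown here as an added example rather than code from Robb or TomB. It also closes two gaps the thread touches on: IsNumeric accepts forms such as "1e3", "1.5", "&H10" and " 7 " that are not page ids, and the "stop as soon as something is wrong" behaviour asked for in post #4 is done by returning on the first bad item. The rule table (pageid and faqid as INT columns in the range 1 to 2147483647), the function names and the 404 handling are this example's assumptions, not the project's.

```vbscript
' Added example, not code from the thread. Validates every querystring item
' against a table of the names the page expects, so an unexpected name or a
' non-integer value stops the page before any SQL is built.
' Assumptions: pageid and faqid map to SQL Server INT columns (1 .. 2147483647);
' the rule table and the 404 handling are this example's, not the project's.

Const MAX_INT = 2147483647   ' upper bound of a SQL Server INT column

' Strict whole-number test. IsNumeric alone also accepts "1e3", "1.5",
' "&H10", " 7 " and locale-dependent forms, which later overflow CLng or
' parse to something other than what was typed, so digits only here.
Function IsStrictInteger(strValue, lngLower, lngUpper)
    Dim re, dblValue
    IsStrictInteger = False
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,10}$"           ' at most 10 digits: "9999999999" still fits a Double
    If Not re.Test(strValue) Then Exit Function
    dblValue = CDbl(strValue)              ' CDbl cannot overflow on 10 digits; CLng could
    If dblValue < lngLower Or dblValue > lngUpper Then Exit Function
    IsStrictInteger = True
End Function

' Walks Request.QueryString. On success dictValues holds each supplied item
' as a Long; on the first problem the function returns False immediately.
Function ValidateQueryString(ByRef dictValues)
    Dim dictRules, arrBounds, strKey, strValue
    Set dictRules = CreateObject("Scripting.Dictionary")
    dictRules.CompareMode = 1              ' vbTextCompare: querystring names are case-insensitive
    dictRules.Add "pageid", Array(1, MAX_INT)
    dictRules.Add "faqid", Array(1, MAX_INT)

    Set dictValues = CreateObject("Scripting.Dictionary")
    dictValues.CompareMode = 1
    ValidateQueryString = False

    For Each strKey In Request.QueryString
        strValue = Request.QueryString(strKey)   ' "1, 2" if the name was repeated; rejected below
        If Not dictRules.Exists(strKey) Then Exit Function   ' a name this page does not use
        If Len(strValue) > 0 Then                ' "?pageid=" is treated as not supplied
            arrBounds = dictRules(strKey)
            If Not IsStrictInteger(strValue, arrBounds(0), arrBounds(1)) Then Exit Function
            dictValues.Add strKey, CLng(strValue)
        End If
    Next
    ValidateQueryString = True
End Function

' Usage at the top of default.asp: fail fast, then work only with the Longs.
Dim dictParams, lngPageID, lngFaqID
If Not ValidateQueryString(dictParams) Then
    Response.Status = "404 Not Found"
    Response.Write "Page not found"
    Response.End
End If
lngPageID = 0 : lngFaqID = 0                ' 0 = not supplied, so use the default page
If dictParams.Exists("pageid") Then lngPageID = dictParams("pageid")
If dictParams.Exists("faqid") Then lngFaqID = dictParams("faqid")
```

Because the check happens once at the top of the page and ends the response on the first failure, there is no flag to be overwritten by a later check, and the rest of the page only ever sees Long values it can pass to a parameterised command or stored procedure. Adding a new querystring item means adding one line to the rule table rather than copying the validation block.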