Validating User Input to Avoid Attacks

Hi All,

I am working on a web application that uses both asp classic and asp.net
pages. We need to validate user input to avoid attacks like sql injection.
Can a component be created that both page types can use? Is that the best
approach? Would I simply use pattern matching to validate strings and/or
remove any unwanted characters?

Thanks in advance.
Jul 12 '06 #1
For SQL Injection, while validation is important, it is not enough to
prevent it. If you truly wish to prevent SQL Injection, you will avoid
all use of dynamic sql*, using parameters to pass values instead.

I do not believe that validation can be made as generic as you are
hoping it can be: some data should not contain sql keywords, and other
data should.

*I am defining dynamic sql as the act of concatenating user input into
sql statements which are subsequently executed.
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jul 12 '06 #2
Thanks Bob.

When you say to use parameters to pass values instead, do you mean to use
stored procedures and call them with the values as parameters?

Jul 12 '06 #3
That's my preferred technique, but it's not necessary. Both ADO and
ADO.Net allow the use of parameter markers to facilitate the passing of
parameter values into ad hoc sql strings. Here is a description of the
ADO implementation of this:

http://groups-beta.google.com/group/...e36562fee7804e
--
Microsoft MVP -- ASP/ASP.NET
Jul 12 '06 #4
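To make Bob's distinction concrete, here is an added example (constructed for this page, not code from the thread or the linked post) that builds the same ad hoc statement both ways. It uses Python's sqlite3 because it runs anywhere; sqlite3 takes the same "?" positional parameter markers that ADO's Command object accepts, while ADO.NET's SqlClient uses named @markers, so the idea carries over to both page types.

```python
# Constructed demonstration, not code from the thread: the same ad hoc
# statement built two ways. sqlite3 uses the "?" positional markers that
# ADO's Command object also accepts; ADO.NET SqlClient uses named @markers.
import sqlite3


def make_db():
    # In-memory table with constructed sample rows.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return con


def lookup_concat(con, name):
    # "Dynamic sql" in Bob's sense: user input spliced into the statement text.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_param(con, name):
    # Parameter marker: the value travels separately from the statement, so
    # it can only ever be compared against, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def demo():
    con = make_db()
    results = {}
    # Legitimate data with an apostrophe: concatenation breaks the statement,
    # which is also why stripping characters is not a general answer.
    try:
        lookup_concat(con, "o'brien")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    results["param_apostrophe"] = lookup_param(con, "o'brien")
    # Input shaped to alter the WHERE clause: concatenation returns every
    # row, the parameterised query simply finds no user with that name.
    crafted = "x' OR '1'='1"
    results["concat_crafted"] = lookup_concat(con, crafted)
    results["param_crafted"] = lookup_param(con, crafted)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The first pair of results shows why input that legitimately contains quotes or SQL keywords cannot be handled by a generic filter, and the second shows that with parameter markers the driver never lets the value change the statement's structure.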