
SQL Injection and preventing querystring abuse

Hi all,

A recent project that I had finished went live with no apparent problems.

My client received an email from a user who mentioned that by accident they
had been typing (over the querystring I guess), and the url had become

default.asp?pageid='asd

They then received a SQL Server error message.

My client contacted their webhost, who came back to them promptly and talked
of 'SQL Injection'; they said that we would need to secure the code as well
as the permissions on the database (which I believe they have done).

This is something I had overlooked, and started to write a fix for a couple
of nights ago... but I don't think it's 100%...

Basically I now do this at the top of my default.asp page...

'****************************************************************************************
' Here we retrieve the page id from our querystring.
'****************************************************************************************

strCurrentPageID = Request.QueryString("pageid")

'****************************************************************************************
' If we do have a page id in the querystring we check that it is numeric.
'****************************************************************************************

If strCurrentPageID <> "" Then

    '************************************************************************************
    ' If it is numeric we go on to check its range; if it is not, the error flag is
    ' set to True (see the Else branch below).
    '************************************************************************************

    If IsNumeric(strCurrentPageID) Then

        Response.Write strCurrentPageID    ' debug output of the raw value

        '********************************************************************************
        ' Here we test to see if our 'int' field type has been exceeded.
        ' The value is converted with CDbl first so that the range test is a numeric
        ' comparison; comparing the string variant directly against a numeric literal
        ' does not compare the two as numbers in VBScript.
        ' The Fix() test also rejects fractional values such as 51.5, which IsNumeric
        ' accepts but which are not valid INT ids.
        '********************************************************************************

        dblPageID = CDbl(strCurrentPageID)

        If dblPageID > 0 And dblPageID <= 2147483647 And dblPageID = Fix(dblPageID) Then

            strPageError = False

        Else

            strPageError = True

        End If

    '************************************************************************************
    ' Not numeric: set our error flag to True.
    '************************************************************************************

    Else

        strPageError = True

    End If

'****************************************************************************************
' If we do not have a page id within our querystring then we set our flag to false,
' and check our pages table to see which page has been set to the default page.
'****************************************************************************************

ElseIf strCurrentPageID = "" Then

    strPageError = False

    SQL = "SELECT PageID FROM tblPages WHERE PageIsDefault = '1'"
%>
<!--#Include File="_IncludeScripts/ReadOnly.asp"-->
<%
    If Not RS.BOF And Not RS.EOF Then

        strCurrentPageID = RS("PageID")

    End If
%>
<!--#Include File="_IncludeScripts/ReadOnlyClose.asp"-->
<%
End If
%>

If the user arrives at the site with no pageid, we assume that they are
looking at the default page and set the CurrentPageID to the id of the page
flagged as being the home page.

If they do arrive here with a pageid in the querystring I then start to
validate it...

First I check to see if it's numeric, as the id relates to an INT field type
in the SQL database; if it isn't, the validation sets a flag to 'false'. If
the value is numeric then I check to ensure that it's within the lower and
upper values for the INT data field type.

If all is ok - we set a flag to be 'true'.

The flag gets checked later on, on another page, which then displays either a
404 message if the validation flag was false, or the correct page if the
validation flag is set to true.

This has been working nicely, and alphabetic and special characters
(including the dreaded ') have all been OK with this...

However!

I have one area of this code which is for FAQs; as a result the querystring
now changes...

example;

default.asp?pageid=51&faqid=3

I'm doing my best to keep all my code dynamic, and not repeated, but because
previously I was only validating 'pageid' - I now have to duplicate the code
for 'faqid' - which I can do - but it feels, and looks messy...

I was hoping that someone else may have come up against a similar problem
and could suggest an alternative way to do this, ideally looking at all
elements in the querystring whatever they are, i.e. not having to know the
names of the variables to validate them.

If anyone has any suggestions, ideas, snippets of code I would be very
grateful to hear from you here...

Thanks in advance for your time reading my essay :o)

Regards

Robb Meade
Jul 19 '05 #1
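Added example (not Robb's or TomB's code) of the page-loading query the thread implies: the concatenated form that turns `pageid='asd` into a SQL Server syntax error, beside an ADODB.Command version that binds the validated id as a typed parameter, so the numeric check is no longer the only thing standing between the querystring and the statement. `conn` (an open ADODB.Connection), the PageTitle column and both function names are assumptions.

```vbscript
<%
' Added example, not from the original thread. Assumes an open ADODB.Connection
' in "conn" and a tblPages table with a PageID INT column (PageTitle is assumed).

' --- What the thread describes: the raw querystring value is spliced into SQL.
' pageid='asd becomes ... WHERE PageID = 'asd, a syntax error from SQL Server,
' because whatever is typed into the querystring is parsed as part of the statement.
Function UnsafePageQuery(rawPageID)
    UnsafePageQuery = "SELECT PageID, PageTitle FROM tblPages WHERE PageID = " & rawPageID
End Function

' --- Hardened: the id is bound as an adInteger parameter, so the database
' receives a typed value and never parses user text as SQL.
' ADO constants used as literals so no adovbs.inc include is needed:
'   adCmdText = 1, adInteger = 3, adParamInput = 1
Function GetPageRecordset(conn, lngPageID)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1
    cmd.CommandText = "SELECT PageID, PageTitle FROM tblPages WHERE PageID = ?"
    cmd.Parameters.Append cmd.CreateParameter("PageID", 3, 1, 4, lngPageID)
    Set GetPageRecordset = cmd.Execute
End Function

' Caller: only a value that passed the numeric and INT-range checks reaches the
' query, and it is passed as a Long rather than as the original string.
Dim strRaw, lngPageID, rs
strRaw = Request.QueryString("pageid")
If IsNumeric(strRaw) And Len(strRaw) <= 10 Then
    If CDbl(strRaw) >= 1 And CDbl(strRaw) <= 2147483647 Then
        lngPageID = CLng(strRaw)
        Set rs = GetPageRecordset(conn, lngPageID)
        If Not rs.EOF Then Response.Write Server.HTMLEncode(rs("PageTitle") & "")
        rs.Close
    Else
        Response.Status = "404 Not Found"
    End If
Else
    Response.Status = "404 Not Found"
End If
%>
```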
7 Replies


Wrap it up in a function

Function CheckValidNumber(numToCheck, lowerLimit, upperLimit)
    'validation checks: the value must look numeric and lie within the limits
    If IsNumeric(numToCheck) Then
        If CDbl(numToCheck) >= lowerLimit And CDbl(numToCheck) <= upperLimit Then
            CheckValidNumber = True
        Else
            CheckValidNumber = False
        End If
    Else
        CheckValidNumber = False
    End If
End Function

So for your default.asp?pageid=51&faqid=3

Dim lngPageID
Dim lngFaqID
lngPageID = Request.QueryString("pageid")
If CheckValidNumber(lngPageID, 0, 2147483647) Then
    lngPageID = CLng(lngPageID)    ' CLng, not CInt: CInt overflows above 32767
Else
    lngPageID = 1
End If

'Same for lngFaqID

Jul 19 '05 #2

"TomB" wrote ...
Wrap it up in a function


aye, that's a good idea, but I still need to be able to break down the
querystring per data item, for example;

pageid=15
faqid=10
anothervalue=blahblahblah

The application is still in its infancy, so the last one above here doesn't
apply really; all the querystring items at this time are always numeric, but
I still need to be able to pick up the 'value' of each querystring item
without knowing its name...

This possible?

Cheers for the reply

Robb
Jul 19 '05 #3

"TomB" wrote ...
Wrap it up in a function


Just thought of another problem too...

If the function was called the first time and returned as an error, and then
goes off again for the faqid, but that returned ok - the flag would be
overwritten and change to be 'fine' - therefore creating an error on the
page :o/

As soon as the flag is found to be 'faulty' it needs to stop and run off and
say 'wow tiger - something's gone wrong' etc...

Robb
Jul 19 '05 #4

Have you read the SQL Injection FAQ? www.sqlsecurity.com

Bob Barrows
Jul 19 '05 #5

> If the function was called the first time and returned as an error,

Call response.end
Jul 19 '05 #6

' CheckValidNumber is the function defined in the earlier reply
If CheckValidNumber(lngFaqID, 0, 2147483647) = True Then
    'do whatever
Else
    Response.Write "wow tiger - somethings wrong"
    Response.End
End If

If CheckValidNumber(lngPageID, 0, 2147483647) etc.etc.etc.

Jul 19 '05 #7

You don't know the names of your querystring items? If you know they will
all be numeric then you can do something like...

Dim queryField
Dim bAllGood
bAllGood = True

' Walk every key in the querystring without needing to know its name
For Each queryField In Request.QueryString
    If CheckValidNumber(Request.QueryString(queryField), 0, 2147483647) = False Then
        bAllGood = False
        Exit For
    End If
Next
If bAllGood = True Then
    'blah blah
Else
    Response.Write "Error, at least one querystring item is non-numeric"
    Response.End
End If
Jul 19 '05 #8
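Added example (not from any poster) that serves both Robb's validation routine and TomB's `For Each` over Request.QueryString: a strict digits-only parser in place of IsNumeric, and a loop that checks every item without knowing its name and stops at the first bad one, so a later good value can never overwrite an earlier failure. `TryParseIntID`, `ValidateQueryIDs` and the `ids` dictionary are names assumed here.

```vbscript
<%
' Added example, not from the thread. Strict replacement for IsNumeric-based
' checks: a querystring value is valid only if it is 1 to 10 ASCII digits and
' its value fits a positive SQL Server INT. IsNumeric alone also accepts forms
' such as "1e3", "&H1F" or " 12 ", which CLng then silently converts.
Function TryParseIntID(ByVal raw, ByRef result)
    Dim s, i, ch
    TryParseIntID = False
    result = 0
    s = raw & ""                                ' Null/Empty become ""
    If Len(s) = 0 Or Len(s) > 10 Then Exit Function
    For i = 1 To Len(s)
        ch = Mid(s, i, 1)
        If ch < "0" Or ch > "9" Then Exit Function
    Next
    If CDbl(s) < 1 Or CDbl(s) > 2147483647 Then Exit Function
    result = CLng(s)
    TryParseIntID = True
End Function

' Validate every querystring item without knowing its name (the question in
' post #3). Returns on the first bad value, so a later good value cannot
' overwrite an earlier failure (the concern in post #4). Parsed ids are
' collected in a Dictionary keyed by parameter name, e.g. ids("pageid").
Function ValidateQueryIDs(ByRef ids, ByRef badKey)
    Dim key, n
    Set ids = Server.CreateObject("Scripting.Dictionary")
    ids.CompareMode = 1                         ' case-insensitive keys
    badKey = ""
    ValidateQueryIDs = True
    For Each key In Request.QueryString
        ' A key given twice (?pageid=1&pageid=2) has Count > 1; treat as invalid
        If Request.QueryString(key).Count <> 1 Then
            badKey = key : ValidateQueryIDs = False : Exit Function
        End If
        If Not TryParseIntID(Request.QueryString(key), n) Then
            badKey = key : ValidateQueryIDs = False : Exit Function
        End If
        ids.Add key, n
    Next
End Function

Dim ids, badKey
If Not ValidateQueryIDs(ids, badKey) Then
    Response.Status = "404 Not Found"
    Response.Write "Page not found."            ' do not echo the bad value back
    Response.End
End If
' ids("pageid") and ids("faqid") are now Longs; ids.Exists("pageid") = False
' means no pageid was supplied, so the default-page lookup applies.
%>
```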
