Hi all,

A recent project that I had finished and went live with no apparent problems.

My client received an email from a user who mentioned that by accident they had been typing (over the querystring I guess), and the url had become

default.asp?pageid='asd

They then received a SQL Server error message.

My client contacted their webhost, who came back to them promptly and talked of 'SQL Injection'; they said that we would need to secure the code as well as the permissions on the database (which I believe they have done).

This is something I had overlooked, and started to write a fix for a couple of nights ago... but I don't think it's 100%...

Basically I now do this at the top of my default.asp page...
' ****************************************************************************
' Here we retrieve the page id from our querystring.
' ****************************************************************************
strCurrentPageID = Request.QueryString("pageid")

' ****************************************************************************
' If we do have a page id in the querystring we check that it is numeric.
' ****************************************************************************
If strCurrentPageID <> "" Then

    ' If it is not numeric we set our error flag to true.
    If IsNumeric(strCurrentPageID) Then
        Response.Write strCurrentPageID   ' debug output only

        ' Here we test to see if our 'int' field type has been exceeded.
        ' Convert before comparing: in VBScript a string compared to a numeric
        ' literal is not compared numerically, so "51" > 0 does not mean what
        ' it looks like. CDbl is used because the value may exceed a Long.
        If CDbl(strCurrentPageID) > 0 And CDbl(strCurrentPageID) <= 2147483647 Then
            strPageError = False
        Else
            strPageError = True
        End If
    Else
        strPageError = True
    End If

' ****************************************************************************
' If we do not have a page id within our querystring then we set our flag
' to false, and check our pages table to see which page has been set to
' the default page.
' ****************************************************************************
Else
    strPageError = False
    SQL = "SELECT PageID FROM tblPages WHERE PageIsDefault = '1'"
%>
<!--#Include File="_IncludeScripts/ReadOnly.asp"-->
<%
    If Not RS.BOF And Not RS.EOF Then
        strCurrentPageID = RS("PageID")
    End If
%>
<!--#Include File="_IncludeScripts/ReadOnlyClose.asp"-->
<%
End If
%>
If the user arrives at the site with no pageid, we assume that they are looking at the default page and set the CurrentPageID to the id of the page flagged as being the home page.

If they do arrive here with a pageid in the querystring I then start to validate it...

First I check to see if it's numeric, as the id relates to an INT field type in the SQL database; if it isn't, the validation sets a flag to 'false'. If the value is numeric then I check to ensure that it's within the lower and upper values for the INT data field type.

If all is ok, we set a flag to be 'true'.

The flag gets checked later on, on another page, which then displays either a 404 message if the validation flag was false, or the correct page if the validation flag is set to true.

This has been working nicely, and alphabetical and special characters (including the dreaded ' ) have all been ok with this...

However!

I have one area of this code which is for FAQs, and as a result the querystring now changes...

example;

default.asp?pageid=51&faqid=3

I'm doing my best to keep all my code dynamic, and not repeated, but because previously I was only validating 'pageid', I now have to duplicate the code for 'faqid' - which I can do, but it feels, and looks, messy...

I was hoping that someone else may have come up against a similar problem and could suggest an alternative way to do this, ideally looking at all elements in the querystring whatever they are, ie, not having to know the names of the variables to validate them.

If anyone has any suggestions, ideas, snippets of code I would be very grateful to hear from you here...

Thanks in advance for your time reading my essay :o)

Regards

Robb Meade
Wrap it up in a function

Function CheckValidNumber(numToCheck, lowerLimit, upperLimit)
    ' validation checks: must be numeric and inside the limits
    CheckValidNumber = False
    If IsNumeric(numToCheck) Then
        ' convert before comparing, otherwise a string is compared to a number
        If CDbl(numToCheck) >= lowerLimit And CDbl(numToCheck) <= upperLimit Then
            CheckValidNumber = True
        End If
    End If
End Function

So for your default.asp?pageid=51&faqid=3

Dim lngPageID
Dim lngFaqID
lngPageID = Request.QueryString("pageid")
If CheckValidNumber(lngPageID, 0, 2147483647) Then
    lngPageID = CLng(lngPageID)    ' CLng, not CInt: CInt overflows above 32767
Else
    lngPageID = 1
End If
'Same for lngFaqID
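An added example, not code from Robb's page or from TomB's reply, showing the two pieces that the thread circles around: turning the querystring value into a real Long before it gets anywhere near SQL, and passing that Long to SQL Server as a parameter rather than concatenating it into the statement text (the concatenation is what turned pageid='asd into a SQL Server error page). The table and column names tblPages and PageID come from the post; the Title column, the Application("ConnString") setting, the function name ParseIntParam and the digit-only regular expression are assumptions made here. Note that IsNumeric alone is looser than people expect: it accepts "1e3", "&HFF", "1,000" and " 51 ", which is why the check below uses a pattern instead.

```vbscript
<%
' Added example (not from the original thread): validate an integer
' query-string parameter and use it through a parameterised ADODB.Command
' instead of concatenating it into the SQL text.
Option Explicit

' Returns the parameter as a Long when it is a plain decimal integer within
' [lowerLimit, upperLimit]; returns Null otherwise. The pattern rejects
' "1e3", "&HFF", "1,000", " 51 " and "51.0", all of which IsNumeric accepts.
Function ParseIntParam(rawValue, lowerLimit, upperLimit)
    Dim re, s
    ParseIntParam = Null
    s = rawValue & ""                 ' Empty/Null/IStringList -> plain string
    Set re = New RegExp
    re.Pattern = "^-?[0-9]{1,10}$"    ' <= 10 digits: exact in a Double, so no overflow on CDbl
    If Not re.Test(s) Then Exit Function
    If CDbl(s) < lowerLimit Or CDbl(s) > upperLimit Then Exit Function
    ParseIntParam = CLng(s)           ' safe: already inside the INT range
End Function

' --- vulnerable form (the pattern that produced the SQL Server error) ---
' SQL = "SELECT Title FROM tblPages WHERE PageID = " & Request.QueryString("pageid")
' ?pageid='asd                     -> syntax error leaks to the browser
' ?pageid=1 OR 1=1                 -> returns every page
' ?pageid=1;DROP TABLE tblPages--  -> destructive if the login has the permission

' --- hardened form ---
Dim pageId
pageId = ParseIntParam(Request.QueryString("pageid"), 1, 2147483647)
If IsNull(pageId) Then
    Response.Status = "404 Not Found"
    Response.Write "Page not found."  ' generic text: no SQL error, no echoed input
    Response.End
End If

Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumption: connection string held in Application state

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                   ' adCmdText
cmd.CommandText = "SELECT PageID, Title FROM tblPages WHERE PageID = ?"
' 3 = adInteger, 1 = adParamInput; the value travels as an INT, never as SQL text
cmd.Parameters.Append cmd.CreateParameter("@PageID", 3, 1, , pageId)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "404 Not Found"   ' a valid number, but no such page
Else
    Response.Write Server.HTMLEncode(rs("Title"))
End If
rs.Close: conn.Close
%>
```

With this shape the "flag checked later on another page" disappears: the page either holds a Long it can trust or has already ended with a 404, and even if a bad value did slip through, the parameter is typed adInteger so the server would reject it rather than execute it. Leading zeros ("0051") are accepted and normalise to 51, which is usually what you want for an id.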
"TomB" wrote ...
> Wrap it up in a function

Aye, that's a good idea, but I still need to be able to break down the querystring per data item, for example;

pageid=15
faqid=10
anothervalue=blahblahblah

The application is still in its infancy, so the last one above here doesn't apply really; all the querystring items at this time are always numeric, but I still need to be able to pick up the 'value' of each querystring item without knowing its name...

This possible?

Cheers for the reply

Robb
"TomB" wrote ...
> Wrap it up in a function

Just thought of another problem too...

If the function was called the first time and returned as an error, and then goes off again for the faqid, but that returned ok, the flag would be overwritten and change to be 'fine', therefore creating an error on the page :o/

As soon as the flag is found to be 'faulty' it needs to stop and run off and say 'wow tiger - something's gone wrong' etc...

Robb
Have you read the SQL Injection FAQ? www.sqlsecurity.com
Bob Barrows
> If the function was called the first time and returned as an error,

Call Response.End

If CheckValidNumber(lngFaqID, 0, 2147483647) = True Then
    'do whatever
Else
    Response.Write "wow tiger - something's wrong"
    Response.End
End If
If CheckValidNumber(lngPageID, 0, 2147483647) etc.etc.etc.
You don't know the names of your querystring items? If you know they will all be numeric then you can do something like.....

Dim queryField
Dim bAllGood
bAllGood = True
For Each queryField In Request.QueryString
    If CheckValidNumber(Request.QueryString(queryField), 0, 2147483647) = False Then
        bAllGood = False
        Exit For
    End If
Next
If bAllGood = True Then
    'blah blah
Else
    Response.Write "Error, at least one querystring item is non-numeric"
    Response.End
End If
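TomB's loop above checks every querystring item against one rule (numeric or not). The added example below, which is not code from the thread, takes the same For Each over Request.QueryString a step further: a whitelist of the parameter names the page expects, each with its own pattern and range, so an unknown name, a repeated name (?pageid=1&pageid=2) or an out-of-range value all fail, and the first failure stops the page. The names pageid and faqid come from the thread; the rule table format, the function names QueryStringRules and FirstBadQueryItem and the 404 response are assumptions made here.

```vbscript
<%
' Added example (not TomB's or Robb's code): validate the whole query string
' against a whitelist of expected names instead of requiring every item to be
' numeric. First offending item stops the page.
Option Explicit

' Rule table: name -> "pattern|lower|upper". Only names listed here are allowed.
Function QueryStringRules()
    Dim d
    Set d = CreateObject("Scripting.Dictionary")
    d.CompareMode = 1                       ' vbTextCompare: PageID and pageid are the same key
    d.Add "pageid", "^[0-9]{1,10}$|1|2147483647"
    d.Add "faqid",  "^[0-9]{1,10}$|1|2147483647"
    Set QueryStringRules = d
End Function

' Returns "" when every item is acceptable, otherwise the name of the first
' offending item (the name is safe to log; the value is not echoed anywhere).
Function FirstBadQueryItem(qs, rules)
    Dim itemName, value, parts, re
    FirstBadQueryItem = ""
    Set re = New RegExp
    For Each itemName In qs
        If Not rules.Exists(itemName) Then
            FirstBadQueryItem = itemName : Exit Function   ' unexpected parameter
        End If
        If qs(itemName).Count > 1 Then
            FirstBadQueryItem = itemName : Exit Function   ' ?pageid=1&pageid=2
        End If
        value = qs(itemName) & ""                          ' IStringList -> string
        parts = Split(rules(itemName), "|")
        re.Pattern = parts(0)
        If Not re.Test(value) Then
            FirstBadQueryItem = itemName : Exit Function   ' not a plain decimal integer
        End If
        If CDbl(value) < CDbl(parts(1)) Or CDbl(value) > CDbl(parts(2)) Then
            FirstBadQueryItem = itemName : Exit Function   ' outside the INT range we accept
        End If
    Next
End Function

Dim bad
bad = FirstBadQueryItem(Request.QueryString, QueryStringRules())
If bad <> "" Then
    Response.Status = "404 Not Found"
    Response.Write "Page not found."        ' generic message: no SQL error, no echoed input
    Response.End
End If

' From here on every Request.QueryString item is known, single-valued and in
' range, so CLng(Request.QueryString("pageid")) can be used as a typed
' parameter in the query without a second validation pass.
%>
```

Because the rule table is the only thing that grows when a new page type needs a new parameter, this removes the duplication Robb was worried about without making the page accept names it has never heard of. Keep the pattern strict (digits only) rather than leaning on IsNumeric, which also passes hex and exponent forms.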