SQL Injection and preventing querystring abuse

Hi all,

A recent project that I had finished and went live with no apparent
problems.

My client received an email from a user who mentioned that by accident they
had been typing (over the querystring I guess), and the url had become

default.asp?pageid='asd

They then received a SQL Server error message.

My client contacted their webhost, who came back to them promptly and talked
of 'SQL Injection'; they said that we would need to secure the code as well
as the permissions on the database (which I believe they have done).

This is something I had overlooked, and started to write a fix for a couple
of nights ago... but I don't think it's 100%.

Basically I now do this at the top of my default.asp page...

' Here we retrieve the page id from our querystring.

strCurrentPageID = Request.QueryString("pageid")

' If we do have a page id in the querystring we check that it is numeric.

If strCurrentPageID <> "" Then

    ' If it is not numeric we set our error flag to true.

    If IsNumeric(strCurrentPageID) Then

        Response.Write strCurrentPageID

        ' Here we test to see if our 'int' field type has been exceeded.
        ' CDbl makes this a numeric comparison; in VBScript a string compared
        ' against a number is not compared by value.

        If CDbl(strCurrentPageID) > 0 And CDbl(strCurrentPageID) <= 2147483647 Then
            strPageError = False
        Else
            strPageError = True
        End If

    Else
        strPageError = True
    End If

' If we do not have a page id within our querystring then we set our flag
' to false, and check our pages table to see which page has been set to the
' default page.

ElseIf strCurrentPageID = "" Then

    strPageError = False

    SQL = "SELECT PageID FROM tblPages WHERE PageIsDefault = '1'"
%>
<!--#Include File="_IncludeScripts/ReadOnly.asp"-->
<%
    If Not RS.BOF And Not RS.EOF Then
        strCurrentPageID = RS("PageID")
    End If
%>
<!--#Include File="_IncludeScripts/ReadOnlyClose.asp"-->
<%
End If
%>

If the user arrives at the site with no pageid, we assume that they are
looking at the default page and set the CurrentPageID to the id of the page
flagged as being the home page.

If they do arrive here with a pageid in the querystring I then start to
validate it...

First I check to see if it's numeric, as the id relates to an INT field type
in the SQL database; if it isn't, the validation sets a flag to 'false'. If
the value is numeric then I check to ensure that it's within the lower and
upper values for the INT data field type.

If all is ok, we set a flag to be 'true'.

The flag gets checked later on, on another page, which then displays either a
404 message if the validation flag was false, or the correct page if the
validation flag is set to true.

This has been working nicely, and alphabetic and special characters
(including the dreaded ' ) have all been OK with this...

However!

I have one area of this code which is for FAQs, as a result of which the
querystring now changes...

example:

default.asp?pageid=51&faqid=3

I'm doing my best to keep all my code dynamic, and not repeated, but because
previously I was only validating 'pageid', I now have to duplicate the code
for 'faqid', which I can do, but it feels, and looks, messy...

I was hoping that someone else may have come up against a similar problem
and could suggest an alternative way to do this, ideally looking at all
elements in the querystring whatever they are, i.e., not having to know the
names of the variables to validate them.

If anyone has any suggestions, ideas, snippets of code I would be very
grateful to hear from you here...

Thanks in advance for your time reading my essay :o)

Regards

Robb Meade
Jul 19 '05 #1
Wrap it up in a function

Function CheckValidNumber(numToCheck, lowerLimit, upperLimit)
'validation checks: must be numeric and within lowerLimit..upperLimit
CheckValidNumber=false
if IsNumeric(numToCheck) then
    'CDbl so the range test is a numeric comparison, not a string one
    if CDbl(numToCheck) >= lowerLimit and CDbl(numToCheck) <= upperLimit then
        CheckValidNumber=true
    end if
end if
end Function

So for your default.asp?pageid=51&faqid=3

Dim lngPageID
Dim lngFaqID
lngPageID=Request.Querystring("pageid")
if CheckValidNumber(lngPageID, 0, 2147483647) then
lngPageID=Cint(lngPageID)
else
lngPageid=1
end if

'Same for lngFaqID

"Robb Meade" <ro********@NOSPAMkingswoodweb.net> wrote in message
news:gR*********************@news-text.cableinet.net...
Jul 19 '05 #2
"TomB" wrote ...
Wrap it up in a function


aye, that's a good idea, but I still need to be able to break down the
querystring per data item, for example;

pageid=15
faqid=10
anothervalue=blahblahblah

The application is still in its infancy, so the last one above here doesn't
apply really; all the querystring items at this time are always numeric, but
I still need to be able to pick up the 'value' of each querystring item
without knowing its name...

This possible?

Cheers for the reply

Robb
Jul 19 '05 #3
"TomB" wrote ...
Wrap it up in a function


Just thought of another problem too...

If the function was called the first time and returned as an error, and then
goes off again for the faqid, but that returned ok, the flag would be
overwritten and change to be 'fine', therefore creating an error on the
page :o/

As soon as the flag is found to be 'faulty' it needs to stop and run off and
say 'wow tiger - something's gone wrong' etc...

Robb
Jul 19 '05 #4
Have you read the SQL Injection FAQ? www.sqlsecurity.com

Bob Barrows
Robb Meade wrote:
Jul 19 '05 #5
> If the function was called the first time and returned as an error,

Call response.end
Jul 19 '05 #6
if CheckValidNumber(lngFaqID, 0, 2147483647) = true then
'do whatever
else
Response.Write "wow tiger - somethings wrong"
Response.End
end if

if CheckValidNumber(lngPageID, 0, 2147483647) etc.etc.etc.

"Robb Meade" <ro********@NOSPAMkingswoodweb.net> wrote in message
news:OB*********************@news-text.cableinet.net...
Jul 19 '05 #7
You don't know the names of your querystring items? If you know they will
all be numeric then you can do something like.....

Dim queryField
Dim bAllGood
bAllGood=true

for each queryField in Request.QueryString
if CheckValidNumber(Request.QueryString(queryField), 0, 2147483647) = false then
bAllGood=false
exit for
end if
next
if bAllGood=true then
'blah blah
else
Response.Write "Error, at least one querystring item is non-numeric"
Response.end
end if
"Robb Meade" <ro********@NOSPAMkingswoodweb.net> wrote in message
news:Qe*********************@news-text.cableinet.net...
Jul 19 '05 #8
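Bringing the thread's pieces together (the INT range test from the original post, TomB's CheckValidNumber, the For Each loop over Request.QueryString and the fail-fast Response.End), this added example shows one way to validate every querystring item without knowing its name and then query the database safely. It is not code from any of the posters; the regular-expression integer test, the lower limit of 1 for IDs, the ADO parameterised command, the already-open connection `cn`, and the tblPages columns (PageTitle, and PageIsDefault stored as a number) are assumptions.

```vbscript
<%
' Added example, not code from the thread. Assumptions: this sits at the top
' of default.asp, cn is an already-open ADODB.Connection, and tblPages has
' PageID, PageTitle and PageIsDefault columns.

' Strict integer test: optional minus sign, digits only, no leading zeros, at
' most ten digits. IsNumeric alone also accepts "1e3", "&H10", " 12 " and
' "1,000", none of which should reach the database.
Function IsStrictInteger(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^-?(0|[1-9][0-9]{0,9})$"
    IsStrictInteger = re.Test("" & value)
End Function

' TomB's CheckValidNumber, completed: True only when the value is a strict
' integer within [lowerLimit, upperLimit]. CDbl keeps the comparison numeric
' (a VBScript string compared against a number is not compared by value) and
' cannot overflow on a ten-digit string the way CLng can.
Function CheckValidNumber(numToCheck, lowerLimit, upperLimit)
    CheckValidNumber = False
    If IsStrictInteger(numToCheck) Then
        If CDbl(numToCheck) >= lowerLimit And CDbl(numToCheck) <= upperLimit Then
            CheckValidNumber = True
        End If
    End If
End Function

' Validate every querystring item without knowing its name. Returns the name
' of the first invalid item, or "" when all are valid, so the caller stops at
' the first failure instead of letting a later good value overwrite a flag.
Function FirstInvalidQueryItem(lowerLimit, upperLimit)
    Dim queryField, i
    FirstInvalidQueryItem = ""
    For Each queryField In Request.QueryString
        ' A repeated name (?pageid=1&pageid=2) yields a collection; test each
        ' value rather than the joined string "1, 2".
        For i = 1 To Request.QueryString(queryField).Count
            If Not CheckValidNumber(Request.QueryString(queryField)(i), lowerLimit, upperLimit) Then
                FirstInvalidQueryItem = queryField
                Exit Function
            End If
        Next
    Next
End Function

' Fail fast: IDs are positive INTs, so 1..2147483647. One bad item ends the
' response before any page code runs.
Dim badItem
badItem = FirstInvalidQueryItem(1, 2147483647)
If badItem <> "" Then
    Response.Status = "404 Not Found"
    Response.Write "Page not found"
    Response.End
End If

' Even after validation, bind the value as an ADO parameter instead of
' concatenating it into the SQL text; the database then never parses user
' input as SQL, whatever the querystring contained.
Const adInteger = 3
Const adParamInput = 1
Dim cmd, RS, strCurrentPageID
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
If Request.QueryString("pageid") = "" Then
    ' No pageid at all: show the page flagged as the default, as the original post does.
    cmd.CommandText = "SELECT PageID, PageTitle FROM tblPages WHERE PageIsDefault = 1"
Else
    cmd.CommandText = "SELECT PageID, PageTitle FROM tblPages WHERE PageID = ?"
    cmd.Parameters.Append cmd.CreateParameter("pageid", adInteger, adParamInput, 4, CLng(Request.QueryString("pageid")(1)))
End If
Set RS = cmd.Execute
If RS.EOF Then
    Response.Status = "404 Not Found"
    Response.Write "Page not found"
    Response.End
End If
strCurrentPageID = RS("PageID")
%>
```

Validation is what the thread asked for, but the parameter on the final query is the part that removes the injection risk: the database receives the value as an INT, never as SQL text, so a stray quote in the URL can at most produce a 404 rather than the SQL Server error the user reported.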
