Secure injection defense functions.

I'm looking to make a few asp functions to defend against attacks. The function will loop through an array, checking each item against the incoming statement. So, my question is, what are all the things I need to check for in my incoming statement?

Here are my arrays:

SQLCheck=array("select", "drop", ";", "--", "insert", "delete", "'")

HTMLCheck=array("<", ">", "javascript")
Are these all necessary, and are there any I've missed? Thanks for any help or pointers.
Jun 17 '08 #1
DrBunchman
Hi zensunni,

You've obviously done some research on this already and correctly found that the most dangerous characters are the end of line (";"), comment ("--") and single quote mark("'") as these allow people to manipulate your SQL strings with greatest ease. You could add UPDATE, SHUTDOWN & EXEC (to prevent the execution of stored procedures) to your list for additional safety.

For the HTML check you've probably covered most bases by not allowing the opening and closing tags thus preventing anyone from dropping script into your page. Anybody else got any views on this one?

Hope this helps,

Dr B
Jun 18 '08 #2
jhardman
That covers all the bases I can think of, but there are some alternative techniques you can try:

1- open a recordset - most injections will cause an error if used on a recordset

2- use only stored procedures - most injections are harmless if you don't execute SQL commands. Since stored procedures are not really SQL commands but instructions to execute a list of pre-compiled commands, it is highly unlikely that an injection could get through.

Jared
Jun 25 '08 #3
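As an added example (not code from the thread), here is the blacklist function the question describes next to the approach both replies point towards: an ADO parameterised query, which also covers the stored-procedure case. The connection string, table, column and procedure names are assumed placeholders.

```vbscript
<%
' Added example, not from the original thread. Constants mirror the ADO
' enumerations adCmdText, adCmdStoredProc, adVarChar and adParamInput.
Const adCmdText = 1
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1

' The check from the question: True if any listed term occurs in the input.
' vbTextCompare makes it case-insensitive, so "SELECT" matches "select".
Function ContainsAny(input, terms)
    Dim t
    ContainsAny = False
    For Each t In terms
        If InStr(1, input, t, vbTextCompare) > 0 Then
            ContainsAny = True
            Exit Function
        End If
    Next
End Function

SQLCheck = Array("select", "drop", ";", "--", "insert", "delete", "'")
' A blacklist also rejects legitimate values: ContainsAny("O'Brien", SQLCheck)
' is True, and so is any product name containing "selection".

Dim conn, cmd, rs, name
name = Request.Form("name")
Set conn = Server.CreateObject("ADODB.Connection")
' Assumed connection string (placeholder values).
conn.Open "Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=Shop;Integrated Security=SSPI;"

' Parameterised query: the value travels as a typed parameter and is never
' spliced into the SQL text, so quotes, semicolons and "--" are plain data.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT CustomerID, Name FROM Customers WHERE Name = ?"
cmd.Parameters.Append cmd.CreateParameter("@name", adVarChar, adParamInput, 50, name)
Set rs = cmd.Execute

' Stored-procedure variant (as in reply #3): same parameter mechanism,
' only the CommandType and CommandText change.
'   cmd.CommandType = adCmdStoredProc
'   cmd.CommandText = "usp_GetCustomerByName"   ' assumed procedure name

Do Until rs.EOF
    ' Encode on output so stored text renders as text, not as markup/script.
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close: conn.Close
%>
```

The parameter carries the value separately from the statement, which is what makes both the plain query and the stored procedure safe; the HTMLCheck list is likewise better replaced by encoding at output time.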