I recently found a vulnerability on my website that allowed SQL
injection. I have been trying to write some code that would clean user
data but have been running into problems. The validation still works,
however so do the injection methods I have used...
These are the examples of code I have tried to use to fix the problem.
1. FrmUserName = Replace(FrmUserName, " ' ", "")

2. Function stripQuotes(FrmUserName)
       ' doubles each single quote instead of removing it
       stripQuotes = Replace(FrmUserName, "'", "''")
   End Function

3. Function InputFilter(userInput)
       Dim newString, regEx
       Set regEx = New RegExp
       ' pattern as posted: a single quote with a space on each side
       regEx.Pattern = " ' "
       regEx.IgnoreCase = True
       regEx.Global = True
       newString = regEx.Replace(userInput, "")
       Set regEx = Nothing
       InputFilter = newString
   End Function
Here is the validation I am currently using...
+++++++++++++++++++++++++++++++++++++++++++++++++
DIM oDBConn, oDBRS, oDBCommand
DIM oDBString, oDBSQL
DIM frmUserName, frmPassword

Set oDBConn = Server.CreateObject("ADODB.Connection")
Set oDBRS = Server.CreateObject("ADODB.Recordset")
Set oSYSDB = Server.CreateObject("ADODB.Recordset")
Set oDBCommand = Server.CreateObject("ADODB.Command")

' On Error Resume Next

oDBString = Application("Database1_ConnectionString")
oDBConn.Open oDBString

If Session("validated") = 0 OR IsNull(Session("validated")) = True Then

    frmUserName = Request.Form("UserName")
    frmPassword = Request.Form("Password")

    ' the form values are concatenated straight into the SQL text
    oDBSQL = "SELECT * FROM WEBUSERS WHERE UPPER(USERNAME) ='" & _
             UCase(frmUserName) & "' AND PWD='" & frmPassword & "'"

    oDBRS.Open oDBSQL, oDBConn, adOpenDynamic

    If oDBRS.EOF = False Then
        If oDBRS("STATUS") = 1 Then
            Session("UserClass") = oDBRS("CLASS")
            Session("UserID") = oDBRS("SYSID")
            Session("UserName") = oDBRS("FIRSTNAME") & " " & oDBRS("LASTNAME")
            Session("Validated") = 1
            Session("Marketer") = oDBRS("MARKETER")
            If IsNull(oDBRS("TELEPHONE1")) = True or _
               IsNull(oDBRS("MARKETER")) = True Then
                Session("UpdateProfile") = 1
            Else
                Session("UpdateProfile") = 2
            End If
        Else
            AccessDenied
        End If
    Else
        displaybadlogin
    End If
End If
+++++++++++++++++++++++++++++++++++++++++++++++++
Any suggestions would be greatly appreciated.
Thanks Very Much
Joe Sin
If you get this fixed now, it will eventually become an issue again at some
point.
You really need to think about using parameters in your SQL statements
instead of creating a SQL string based on user input. That way, the ADO API
will insulate you from that kind of attack. It also keeps you from having to
do strange stuff like turning date values into strings, etc.
Check out: http://www.itjungle.com/mpo/mpo052203-story02.html
Look at the section titled "How to Execute a Parameterized Statement"
Thanks very much David...
That article will help with the rebuild I plan on doing for the page (I
am still torn between that and stored procedures), however, I need to
plug the hole in the meantime. I still can't get special characters
removed. My attempts (the examples) do not hinder the page pulling the
names from the database, but they do not stop entry by other means.
Any ideas?
David Jessee wrote:
If you get this fixed now, it will eventually become an issue again at some
point.
You really need to think about using parameters in your SQL statements
instead of creating a SQL string based on user input. That way, the ADO API
will insulate you from that kind of attack. It also keeps you from having to
do strange stuff like turning date values into strings, etc.
Check out: http://www.itjungle.com/mpo/mpo052203-story02.html
Look at the section titled "How to Execute a Parameterized Statement"
Are you still referring to SQL Injection?
If so, then using parameters totally frees you from having to check your
user's input. If you have:
Select * From Users WHERE UserName=? and Password=?
and the user enters:
UserName: John
Password: Smith';Drop Table Users;
then the parameter's underlying implementation will automatically "clean" the
input, so to speak, and the net result will be zero records because there is
not a record with the Password of "Smith';Drop Table Users;"
Ultimately, the only way to prevent SQL Injection is to deal only with
stored procedures and only give the account that's accessing the database
permissions to work with those procedures. However, using Parameters instead
of SQL strings that you build based on user input will add enough protection
to your code that you won't have to worry about injection at the UI level any
more.
"joesin" wrote:
Thanks very much David...
That article will help with the rebuild I plan on doing for the page (I
am still torn between that and stored procedures), however, I need to
plug the hole in the meantime. I still can't get special characters
removed. My attempts (the examples) do not hinder the page pulling the
names from the database, but they do not stop entry by other means.
Any ideas?
David Jessee wrote:
If you get this fixed now, it will eventually become an issue again at some
point.
You really need to think about using parameters in your SQL statements
instead of creating a SQL string based on user input. That way, the ADO API
will insulate you from that kind of attack. It also keeps you from having to
do strange stuff like turning date values into strings, etc.
Check out: http://www.itjungle.com/mpo/mpo052203-story02.html
Look at the section titled "How to Execute a Parameterized Statement"
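The parameterized login check that the reply above describes, written out against the first post's table and session names as an added example (it is not David's, joesin's, or the linked article's code). It assumes the same WEBUSERS columns as the original page; the ADO constants are declared inline instead of being included from adovbs.inc, and the parameter names and the size of 50 for both parameters are assumptions that should match the real column widths.

```vbscript
' Added example: the first post's login check using an ADODB.Command with
' bound parameters instead of a concatenated SQL string.
' Constants below are normally included from adovbs.inc (values are the
' standard ADO ones); declared here so the page stands alone.
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200

Dim oDBConn, oDBCommand, oDBRS
Dim frmUserName, frmPassword

Set oDBConn = Server.CreateObject("ADODB.Connection")
oDBConn.Open Application("Database1_ConnectionString")

If Session("validated") = 0 Or IsNull(Session("validated")) Then

    frmUserName = Request.Form("UserName")
    frmPassword = Request.Form("Password")

    Set oDBCommand = Server.CreateObject("ADODB.Command")
    Set oDBCommand.ActiveConnection = oDBConn
    oDBCommand.CommandType = adCmdText

    ' The statement text is fixed at write time; the form values never
    ' become part of it, so a quote or semicolon in them is only data.
    oDBCommand.CommandText = _
        "SELECT * FROM WEBUSERS WHERE UPPER(USERNAME) = ? AND PWD = ?"

    ' Each ? is bound, in order, to a typed input parameter.
    ' Parameter names and the size (50) are assumptions for this example.
    oDBCommand.Parameters.Append _
        oDBCommand.CreateParameter("UserName", adVarChar, adParamInput, 50, UCase(frmUserName))
    oDBCommand.Parameters.Append _
        oDBCommand.CreateParameter("Pwd", adVarChar, adParamInput, 50, frmPassword)

    ' Execute returns a forward-only recordset, which is all the login needs.
    Set oDBRS = oDBCommand.Execute

    If Not oDBRS.EOF Then
        If oDBRS("STATUS") = 1 Then
            Session("UserClass") = oDBRS("CLASS")
            Session("UserID") = oDBRS("SYSID")
            Session("UserName") = oDBRS("FIRSTNAME") & " " & oDBRS("LASTNAME")
            Session("Validated") = 1
            Session("Marketer") = oDBRS("MARKETER")
            If IsNull(oDBRS("TELEPHONE1")) Or IsNull(oDBRS("MARKETER")) Then
                Session("UpdateProfile") = 1
            Else
                Session("UpdateProfile") = 2
            End If
        Else
            AccessDenied
        End If
    Else
        displaybadlogin
    End If

    oDBRS.Close
    Set oDBRS = Nothing
    Set oDBCommand = Nothing
End If

oDBConn.Close
Set oDBConn = Nothing
```

With the values bound this way the input from the reply's example (`Smith';Drop Table Users;` as the password) is compared literally against the PWD column and simply matches no row, so none of the quote-stripping functions from the first post is needed. As the reply also notes, parameters close the concatenation problem at the page level; limiting the web application's database account to the stored procedures it actually needs is the separate, database-side layer.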