472,353 Members | 1,401 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 472,353 software developers and data experts.

Injection Attack

What is the best way to protect a site against it? Does anyone have a RegEx
to help validate user input?

TIA!
Nov 19 '05 #1
5 2237
Usually people use parameterized queries to avoid injection attacks.

If you are taking people's queries and running them directly, you are going
to have a hell of a time finding a regular expression to validate a sql
statement - it is way too complicated. I think you need a parser for that.

"TCORDON" <tc******@hotmail.com> wrote in message
news:Og**************@TK2MSFTNGP10.phx.gbl...
What is the best way to protect a site against it? Does anyone have a
RegEx to help validate user input?

TIA!

Nov 19 '05 #2
If you are connected to SQL Server, create stored procedures. That is the
EASIEST way to protect, as all input will be parsed as text, not as SQL.

Other suggestions:
1. Reduce the amount of text allowed to the max size of the parameter. You
have to do this both in the control and on the server side. This does not
eliminate injection, but it makes it much harder. Consider:

Password; {box here only allows 8 characters - max PWD size}

User enters: ' OR 1=1 --

On a longer field, one could still inject, but this string sent would
obviously not be from your form, so you would automatically reject it.

2. Check for single quotes in a string. They should not be allowed in most
form elements where injection is possible. If you turn a single quote into
two single quotes (necessary for input anyway), before you build the string,
you will reduce your exposure, as well.

string input = txtInput.Text.Replace("'","''");

NOTE: NEVER return the input to the user without HTML encoding. While not
SQL injection, some hacks insert JavaScript into a form to get information.
This can only be done when you return user input without encoding. Do not do
it.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

*************************************************
Think outside the box!
*************************************************
"TCORDON" <tc******@hotmail.com> wrote in message
news:Og**************@TK2MSFTNGP10.phx.gbl...
What is the best way to protect a site against it? Does anyone have a
RegEx to help validate user input?

TIA!

Nov 19 '05 #3
There are lots of injection attacks. If you're talking about SQL, then use
parameterized SQL as others have suggsted. If you're talking about cross
site scripting then all data that a user has passed to you that you are going
to render should be HtmlEncode'd. There's also a ViewState injection attack
and you can mitigate against this via enabling the EnableViewStateMac option
in web.config (the default is false). Here are the docs for that:

http://msdn.microsoft.com/library/de...asp?frame=true

-Brock
DevelopMentor
http://staff.develop.com/ballen
What is the best way to protect a site against it? Does anyone have a
RegEx to help validate user input?

TIA!


Nov 19 '05 #4
One regular expression will not combat the wide variety of attacks. There
are several phases to protecting your site:
1. using validation to block some of the attacks and to log them. Fields
that have very strongly patterned data - dates, numbers, phone numbers - all
can be blocked with normal validators like CompareValidator
(Operator=DataTypeCheck) and RegularExpressionValidator (for the phone
number example). Free-form text fields are much harder to validate because
SQL was built upon the English language. So you might block "Drop me off"
because you are looking for the DROP Table command. Certainly, you don't
want to block free-form text that has a single quote because it's so often
used.
ALWAYS use server side validation to detect attacks because the hacker will
turn off javascript to work around any client-side scripts.
2. Neutralize all inputs. Assume the text gets passed your validators. For
SQL Injection, the recommendation is to make sure no SQL statements are
built on your page. Instead, use stored procedures and pass all parameters
using the SQLParameter objects of ADO.NET. Internally ADO.NET prepares all
inputs so they cannot cause an attack. (Effectively, single quotes are
treated as text instead of string delimiters.)
For Cross-site scripting attacks, use HtmlEncode before writing any text
from the user to the web form.
3. Don't allow the user to see exception error messages. Exceptions reveal
juicy information about your site's structure that hackers use to further
attack you. Log all exceptions and give the user a friendly page telling
them that there was an error.

FYI: I am the author of VAM: Visual Input Security
(http://www.peterblum.com/vise/home.aspx), the only full system for blocking
and neutralizing SQL Injection and Cross-site scripting attacks on ASP.NET
web sites. It includes validators that can handle free-form text,
neutralization tools, logging and an auditing feature to confirm all inputs
on your page have defenses.

--- Peter Blum
www.PeterBlum.com
Email: PL****@PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx

"TCORDON" <tc******@hotmail.com> wrote in message
news:Og**************@TK2MSFTNGP10.phx.gbl...
What is the best way to protect a site against it? Does anyone have a
RegEx to help validate user input?

TIA!

Nov 19 '05 #5
You should use ADO.NET parameter objects. They will protect you from SQL
Injection Attacks.

Here's more info:
http://msdn.microsoft.com/library/de...classtopic.asp

http://msdn.microsoft.com/library/de...isualbasic.asp

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://SteveOrr.net
"TCORDON" <tc******@hotmail.com> wrote in message
news:Og**************@TK2MSFTNGP10.phx.gbl...
What is the best way to protect a site against it? Does anyone have a
RegEx to help validate user input?

TIA!

Nov 19 '05 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

11
by: BTR | last post by:
I have been working on this particular project for a little over 2 weeks now. This product contains between 700-900 stored procedures to handle just...
4
by: poppy | last post by:
I think a site I developed has been the victim of a sql injection attack.I know how to stop this happening in future but: Is there any way I can...
10
by: bregent | last post by:
I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input...
4
by: ss | last post by:
hi, can anybody gives me a sample code where the sql injection attack is validated. how can i do that in business logic layer and pass the...
1
by: Doug | last post by:
Hi, I have a question on sql injection attacks. I am building a tool that will be used exclusively by our other developers and will generate...
29
by: sinbuzz | last post by:
Hi, I'm curious about the best way to avoid SQL Injection attacks against my web server. Currently I'm on IIS. I might be willing to switch...
16
by: shank | last post by:
- - - - - - - - - IIS Log File Entry - - - - - - - - - - - - - - - - GET /sresult.asp...
2
Frinavale
by: Frinavale | last post by:
SQL Injection Attack A database is a collection of information organised in such a way that allows computer programs to access data (even large...
16
by: ChipR | last post by:
Since we're talking about filters, make sure you also use a filter for semicolons (at the minimum) on any input that is going directly into an SQL...
1
by: Kemmylinns12 | last post by:
Blockchain technology has emerged as a transformative force in the business world, offering unprecedented opportunities for innovation and...
0
by: Naresh1 | last post by:
What is WebLogic Admin Training? WebLogic Admin Training is a specialized program designed to equip individuals with the skills and knowledge...
0
by: Matthew3360 | last post by:
Hi there. I have been struggling to find out how to use a variable as my location in my header redirect function. Here is my code. ...
2
by: Matthew3360 | last post by:
Hi, I have a python app that i want to be able to get variables from a php page on my webserver. My python app is on my computer. How would I make it...
0
by: AndyPSV | last post by:
HOW CAN I CREATE AN AI with an .executable file that would suck all files in the folder and on my computerHOW CAN I CREATE AN AI with an .executable...
0
by: Arjunsri | last post by:
I have a Redshift database that I need to use as an import data source. I have configured the DSN connection using the server, port, database, and...
0
hi
by: WisdomUfot | last post by:
It's an interesting question you've got about how Gmail hides the HTTP referrer when a link in an email is clicked. While I don't have the specific...
0
by: Carina712 | last post by:
Setting background colors for Excel documents can help to improve the visual appeal of the document and make it easier to read and understand....
0
by: Rahul1995seven | last post by:
Introduction: In the realm of programming languages, Python has emerged as a powerhouse. With its simplicity, versatility, and robustness, Python...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.