One regular expression will not combat the wide variety of attacks. There
are several phases to protecting your site:
1. using validation to block some of the attacks and to log them. Fields
that have very strongly patterned data - dates, numbers, phone numbers - all
can be blocked with normal validators like CompareValidator
(Operator=DataTypeCheck) and RegularExpressionValidator (for the phone
number example). Free-form text fields are much harder to validate because
SQL was built upon the English language. So you might block "Drop me off"
because you are looking for the DROP Table command. Certainly, you don't
want to block free-form text that has a single quote because it's so often
used.
ALWAYS use server side validation to detect attacks because the hacker will
turn off javascript to work around any client-side scripts.
2. Neutralize all inputs. Assume the text gets passed your validators. For
SQL Injection, the recommendation is to make sure no SQL statements are
built on your page. Instead, use stored procedures and pass all parameters
using the SQLParameter objects of ADO.NET. Internally ADO.NET prepares all
inputs so they cannot cause an attack. (Effectively, single quotes are
treated as text instead of string delimiters.)
For Cross-site scripting attacks, use HtmlEncode before writing any text
from the user to the web form.
3. Don't allow the user to see exception error messages. Exceptions reveal
juicy information about your site's structure that hackers use to further
attack you. Log all exceptions and give the user a friendly page telling
them that there was an error.
FYI: I am the author of VAM: Visual Input Security
(
http://www.peterblum.com/vise/home.aspx), the only full system for blocking
and neutralizing SQL Injection and Cross-site scripting attacks on ASP.NET
web sites. It includes validators that can handle free-form text,
neutralization tools, logging and an auditing feature to confirm all inputs
on your page have defenses.
--- Peter Blum
www.PeterBlum.com
Email:
PL****@PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
"TCORDON" <tc******@hotmail.com> wrote in message
news:Og**************@TK2MSFTNGP10.phx.gbl...
What is the best way to protect a site against it? Does anyone have a
RegEx to help validate user input?
TIA!