Classic ASP question...replacing form variable values programmatically?

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
I need to prevent some SQL injection on existing forms. Is there a method that I can do, say like:
Code:
Function SQLFix(myVariable)

	' single quote ok
	myVariable = Replace(myVariable, "'", "''" )

	' no double quotes
	myVariable = Replace(myVariable, """", "" )

	' no parenthesis
	myVariable = Replace(myVariable, ")", "" )
	myVariable = Replace(myVariable, "(", "" )

	' no semi-colon
	myVariable = Replace(myVariable, ";", "" )

	' no dash
	myVariable = Replace(myVariable, "-", "" )

	' no pipe
	myVariable = Replace(myVariable, "|", "" )

	SQLFix = myVariable
End Function

For x = 1 To Request.Form.Count
	Request.Form.Item(x) = SQLFix(Request.Form.Item(x))
Next

Thanks

Cogman

Lifer
Sep 19, 2000
10,284
138
106
I don't know where the documentation for it is, but ODBC, and most SQL APIs, support parameter binding. I would be shocked if ASP classic didn't support it as well.

Essentially, with ODBC parameter binding your query string looks like this:
Code:
Select bob from tim where joe=? and steve=?
with a bind that would look something like:
Code:
Bind(userinput1, 0);
Bind(userinput2, 1);

If you want to prevent it yourself, be careful; it isn't a simple task. The most effective "self made" input validation methods don't attempt to remove invalid characters. Instead, they describe what input data should look like, and remove characters that aren't valid.
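The "describe what valid input looks like" approach from the reply above, written for Classic ASP as an added example (this is not code from the thread). The form field names, the patterns and the length limits are assumptions chosen for the example; each field is checked against a pattern and rejected outright when it does not match, rather than having characters stripped out of it.

```vbscript
' Added example, not from the thread: allow-list validation of form fields in Classic ASP.
' Field names (custname, zip, email, qty), patterns and limits are assumptions for this example.

Function MatchesPattern(value, pattern, maxLen)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    re.IgnoreCase = True
    ' Both a length limit and a full-string pattern (anchored with ^ and $) must hold.
    MatchesPattern = (Len(value & "") <= maxLen) And re.Test(value & "")
End Function

' Returns a Dictionary of fieldname -> error message; an empty Dictionary means the form is valid.
' Pass Request.Form as the argument.
Function ValidateOrderForm(form)
    Dim errors
    Set errors = Server.CreateObject("Scripting.Dictionary")

    ' Apostrophes and hyphens are legitimate in names (O'Brien, Smith-Jones), so they stay
    ' allowed here; keeping them out of the SQL text is the job of parameter binding, not stripping.
    If Not MatchesPattern(form("custname"), "^[a-z][a-z '\-]{0,49}$", 50) Then
        errors.Add "custname", "Name may contain letters, spaces, apostrophes and hyphens only."
    End If
    If Not MatchesPattern(form("zip"), "^\d{5}(-\d{4})?$", 10) Then
        errors.Add "zip", "ZIP code must be 12345 or 12345-6789."
    End If
    If Not MatchesPattern(form("email"), "^[^@\s]+@[^@\s]+\.[a-z]{2,}$", 254) Then
        errors.Add "email", "Please enter a valid e-mail address."
    End If
    If Not MatchesPattern(form("qty"), "^[1-9]\d{0,2}$", 3) Then
        errors.Add "qty", "Quantity must be a whole number from 1 to 999."
    End If

    Set ValidateOrderForm = errors
End Function

' Usage in the page that receives the POST: show the messages and stop, or carry on.
Dim errs, key
Set errs = ValidateOrderForm(Request.Form)
If errs.Count > 0 Then
    For Each key In errs.Keys
        Response.Write "<p class=""error"">" & errs(key) & "</p>"
    Next
    Response.End
End If
```

The error messages written here are fixed strings of the page's own, so they need no encoding; anything echoed from the submitted values would have to go through Server.HTMLEncode first.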

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
I'd like to use it to clean up XSS attacks too.

This is for Hacker Safe. They are reporting that some input fields may allow for blind SQL injection and some XSS openings. I am trying to fix a ton of pages quickly.

Cogman

Lifer
Sep 19, 2000
10,284
138
106
Cleaning up XSS attacks should, ideally, be done when you are outputting, not when you are getting input. Luckily, with XML it is really pretty easy to put out clean output; it is just a replacement of < and > with their equivalents.

Cogman

Lifer
Sep 19, 2000
10,284
138
106
In other words, your process should go something like this:

1. Reject invalid input.
2. Bind parameters into query
3. Clean output.

If you can't do #2, you might still be able to get away with it. Just realize that it is less secure than doing all 3.

Here is a pretty good article about a secure design. Ideally it is implemented from the ground up. http://www.securityninja.co.uk/secure-development
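The three steps above, together with the "?" placeholder binding from the earlier reply, in one Classic ASP request handler, as an added example that is not code from the thread. The table and column names, the form field name and the connection string placeholder are all assumptions; the binding uses ADODB.Command and CreateParameter, which is how Classic ASP reaches the ODBC/OLE DB parameter mechanism.

```vbscript
' Added example, not from the thread: reject invalid input, bind parameters, clean output.
' Assumed: a Customers table with CustomerId (int) and LastName (varchar(50)),
' a form field named "lastname", and a connection string you supply in strConn.

Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

Dim strConn, lastname, re, cn, cmd, rs
strConn = "PLACEHOLDER-CONNECTION-STRING"   ' assumption: replace with your own connection string
lastname = Request.Form("lastname") & ""

' 1. Reject invalid input: say what a last name looks like and refuse anything else.
Set re = New RegExp
re.Pattern = "^[a-zA-Z][a-zA-Z '\-]{0,49}$"
If Not re.Test(lastname) Then
    ' 3 applies here too: the rejected value is echoed back to the user, so it is
    '   HTML-encoded at the moment it is written, never stored "pre-cleaned".
    Response.Write "<p>Last name is not valid: " & Server.HTMLEncode(lastname) & "</p>"
    Response.End
End If

' 2. Bind parameters: the value travels to the driver separately from the SQL text,
'    so a legitimate O'Brien (or anything else that passed step 1) cannot alter the query.
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open strConn
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT CustomerId, LastName FROM Customers WHERE LastName = ?"
cmd.Parameters.Append cmd.CreateParameter("lastname", adVarChar, adParamInput, 50, lastname)
Set rs = cmd.Execute

' 3. Clean output: every value coming back from the database is encoded as it is written,
'    because the page, not the input filter, decides how the browser will interpret it.
Response.Write "<ul>"
Do Until rs.EOF
    Response.Write "<li>" & rs("CustomerId") & ": " & Server.HTMLEncode(rs("LastName") & "") & "</li>"
    rs.MoveNext
Loop
Response.Write "</ul>"
rs.Close
cn.Close
```

Server.HTMLEncode covers text placed between tags and inside double-quoted attribute values (it encodes <, >, & and "); a value dropped into a script block or a URL needs the encoding appropriate to that context instead.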

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
It's going to be the output back to the page. If I were just dealing with input, I could just take care of it on the server side. The problem happens when I am showing the user the mistakes they made.

These are going to all be simple user entry forms. I will take a look at the link.