How safe does leaving request validation on keep me? I mean, would I be better off running replace statements on several harmful values that will go into a db, or should I keep it turned on? Some guy thought it would be fun to screw around on my clan site (got his IP, but that helps me none) and put in some bad values and then post in the news column "you got hacked" or some junk. Would keeping validate request on stop that? I am using MSSQL Server 2000. I guess this question is mostly directed at cardboard hammer because we had that talk about delimiters and all.
Request validation? I'll look up the details when I get in to work tomorrow, but what exactly that equates to is a bit fuzzy for me at the moment.
Anyhow, with user input going into a database and later being pulled to put text on a page, there are two major concerns: SQL injection and screwing up the HTML.
To prevent SQL injection, either:
--Use stored procedures and don't use EXEC on strings built from user input.
--Replace "'" with "''" in all user supplied text used in a querystring.
To prevent a user from tampering with the page's HTML (which can include putting malicious script into the page), use Server.HTMLEncode on all user supplied text that is to be written on the page. You can use Server.HTMLEncode either before storing the data to the database (only requires the overhead of encoding once) or after retrieving it (leaves the data as is so it is easier to use for general purposes).
Thanks for the tip on HTML encode. I'll do it when I get some free time... in fact I'll do it now. Lemme google how to implement it.
HTML encode is just
replace(string, "<", "&lt;")
replace(string, ">", "&gt;")
It's just a tad bit shorter, but that's all it seems to do :/
Last edited by PeOfEo; 07-22-2004 at 02:30 PM.
To answer the original question, it doesn't look like validation is a simple cure to the issue. It appears that it's more convenient to handle validity as a separate issue from textual content. If a string is supposed to have a certain format / length / whatever, validation is relevant to that. However, there may be legitimate reasons for a string to contain a "'" (punctuation in a sentence, for example) or other characters / combinations of characters that could cause problems if not treated correctly.
If the admins here decided that a submitted post containing HTML tag(s) was invalid, there'd be a heavy burden on end users who wanted to post code samples... They'd have to do the encoding themselves.
It also takes care of "&", else "&lt;" would show up as "<".
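An added example (not from the thread) of the point just made: a minimal encoder in the spirit of Server.HTMLEncode, showing why "&" has to be encoded and why it has to be encoded before "<" and ">". The function names are my own.

```python
# Added example (not from the thread): a minimal HTML encoder in the spirit of
# Server.HTMLEncode, showing why "&" has to be handled, and handled first.
import html

# Order matters: "&" is replaced first so the "&" inside the "&lt;" and "&gt;"
# produced by the later steps is not itself encoded a second time.
ENCODINGS = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;")]

def html_encode(text):
    """Encode text for insertion into HTML: markup typed by a user is shown literally."""
    for raw, entity in ENCODINGS:
        text = text.replace(raw, entity)
    return text

def html_encode_no_amp(text):
    """Only the two replaces from the post above. A user who literally types
    '&lt;' gets it rendered by the browser as '<'."""
    return text.replace("<", "&lt;").replace(">", "&gt;")

def html_encode_amp_last(text):
    """All four replaces but '&' last: '<' becomes '&lt;' and then '&amp;lt;',
    so the page displays the text '&lt;' instead of '<'."""
    for raw, entity in reversed(ENCODINGS):
        text = text.replace(raw, entity)
    return text

def renders_as(encoded):
    """What a browser displays for an encoded string (one pass of entity decoding)."""
    return html.unescape(encoded)

if __name__ == "__main__":
    user_post = '<b>bold</b> & a literal &lt;'        # constructed sample input
    print(html_encode(user_post))   # &lt;b&gt;bold&lt;/b&gt; &amp; a literal &amp;lt;
```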
OK, this guy still found a way into my site. I have no idea how he is getting in, like where the point of entry is. This is an annoyance. I am going to have to look over all of my code. It would help if I knew how hackers break into stuff, to know how he is breaking in. Do you think you would be willing to help me fix this problem, like maybe look at a few files? It's really crappily done, it's my early work and I was not getting paid, but I do not want to completely redo it, so I was just hoping to find the holes without having to recode it all. I thought he was putting some malicious stuff into my database, but now I am not sure, he could be brute forcing my login form or something because I revamped the registration form so you can't put in HTML, but there are no new entries, I deleted the old ones, changed passes, but he is still using some of the other accounts. I might move to a cookie based login to eliminate a session problem. Got any tips for how to make a login form secure? Like disabling HTML is good for a registration form because the data can be redisplayed, but on a login form the data is not redisplayed, it's just matched with the db. I am using MSSQL Server btw, so he is not simply downloading an Access mdb and looking at the contents.
It looks like there was something like
' or 1=1 --
as a session id, which I do not understand.
I tried ' or 1=1 -- on my login form and it let me right in, very eye-opening. I am going to replace some normal characters on that form, this is disturbing.
Last edited by PeOfEo; 07-22-2004 at 10:45 PM.
OK, cardboard hammer, do you know an easy way to check that a text box has letters A-Z, a-z, numbers 0-9, and - _ . ~ and nothing else? I was thinking I would have to go in with string statements and try to replace all bad values, or loop through the string and check each letter. I was just wondering if you knew a function or some easier way to do it. I have never needed to do it so I do not know how. I can probably figure it out if I think about it for a bit. But I just do not want to do a bunch of scripting if there is a premade solution.
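An added example (not from the thread) answering the question above with a whitelist regular expression instead of a character loop or a series of replaces: the string is accepted only if every character is in the allowed set. Python stands in for the ASP/VBScript of the site; the function names and the 32-character limit are my own choices.

```python
# Added example (not from the thread): whitelist validation of a text field that
# may contain only A-Z, a-z, 0-9, "-", "_", "." and "~", as asked above.
import re

# fullmatch() forces the whole string to match the pattern, so a single stray
# character anywhere in the input makes the check fail. The "-" is placed last
# inside the brackets so it is taken literally, not as a range.
ALLOWED = re.compile(r"[A-Za-z0-9._~-]+")

def is_clean(value, max_len=32):
    """True only if value is non-empty, within max_len, and made solely of allowed characters."""
    return 0 < len(value) <= max_len and ALLOWED.fullmatch(value) is not None

def disallowed_chars(value):
    """Characters that cause rejection, in order of first appearance (handy for an error message)."""
    found = []
    for ch in value:
        if ALLOWED.fullmatch(ch) is None and ch not in found:
            found.append(ch)
    return found

if __name__ == "__main__":
    for sample in ["user_name-01.x~", "' or 1=1 --", "bob<script>"]:   # constructed inputs
        print(repr(sample), "->", is_clean(sample), disallowed_chars(sample))
```

Reject and re-prompt on failure rather than stripping the bad characters silently: a value like the one that got past the login form above should never be quietly turned into something that looks acceptable.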
I was gone from Thurs. night until just minutes ago, which is why I didn't reply sooner. I'll take a more careful look tomorrow, but replacing ' with '' in user input used to build querystrings (if you were using Access, you'd also need to replace " with "") and using Server.HtmlEncode on user input written to a page should be sufficient...
... I just looked again ... SQL injection is what's getting you: "' or 1=1 --" that turns the end of the query into " ... password = '' or 1=1 --'"
EDIT: since you have SQL Server, you should use stored procedures instead of querystrings, as stored procedures offer better performance and better security against SQL injection (only using EXEC on a string built with user input would make a stored procedure vulnerable).
Last edited by CardboardHammer; 07-24-2004 at 09:57 PM.
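An added example (not from the thread) of the login check discussed above, built three ways against a constructed in-memory SQLite table: the string-built query that "' or 1=1 --" walks through, the "'" doubled to "''" fix from the earlier post, and a parameterised query, which is the closest stand-in here for the stored procedure recommended above. SQLite stands in for SQL Server 2000; the single-quote doubling rule is the same in both, and the function names are my own.

```python
# Added example (not from the thread): why "' or 1=1 --" logs in against a
# string-built query, and why quote doubling or a parameterised query stops it.
import sqlite3

def make_db():
    """Constructed sample data: one user, in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_concat(conn, username, password):
    """Vulnerable: user input is pasted straight into the SQL text. With the
    password ' or 1=1 -- the WHERE clause becomes
        username = 'x' AND password = '' or 1=1 --'
    and "or 1=1" is true for every row, so the count is never zero."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_escaped(conn, username, password):
    """The fix from the earlier post: double every single quote so the quote
    stays inside the string literal instead of ending it."""
    u = username.replace("'", "''")
    p = password.replace("'", "''")
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + u +
           "' AND password = '" + p + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_param(conn, username, password):
    """Preferred: a parameterised query. The driver passes the values
    separately from the SQL, so input can never become SQL syntax; a stored
    procedure called with parameters gives the same guarantee."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] > 0

if __name__ == "__main__":
    db = make_db()
    bad = "' or 1=1 --"
    print("concat :", login_concat(db, "x", bad))     # True  (bypassed)
    print("escaped:", login_escaped(db, "x", bad))    # False
    print("param  :", login_param(db, "x", bad))      # False
```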
I'll look into stored procedures for future sites. Thanks.
Of course, I will not be using login forms like this ever again, I will be using forms auth.