www.webdeveloper.com

Thread: Validate Your Input!

  1. #1
    Join Date
    Feb 2003
    Posts
    2,745

    Validate Your Input!

    If you connect to a database with your server-side scripts, the most important task you have to do is to validate the input before sending it to your database. We see things like this over and over again:

    Code:
    sql = "SELECT someFields " &_
    "FROM myTable " &_
    "WHERE user = '" & Request("user") & "' " &_
    "ORDER BY someField"

    This is just begging for trouble. Your site is a sitting duck for SQL Injection attacks, whereby users will purposely input invalid data in an attempt to hack in. If you aren't checking the inputs before sending them to the database, eventually someone's coming in.

    A better way to write the above query is something like this:

    Code:
    Dim user
    user = Trim(Request("user"))
    user = Replace(user, "'", "''")   ' double every single quote so the value stays inside the SQL string literal

    If Len(user) < 1 Then
        Response.Write "Please enter your user name"
        Exit Sub
    End If

    sql = "SELECT someFields " &_
    "FROM myTable " &_
    "WHERE user = '" & user & "' " &_
    "ORDER BY someField"

    If you are using MS SQL Server, use stored procedures, learn the Command Object syntax, and abandon all other methods to access the database from applications wherever possible.

    The problem with the original query is that one can purposely enter some bad things:
    z'; delete from myTable--
    z' union select name, dbid from master..sysdatabases--

    It doesn't matter what database you use, nor what scripting language you use. If you don't properly validate input server-side, you're asking for trouble. Things to check for:
    - if you expect a number, make sure it IS one
    - if you expect a string, check that it is greater than zero length; if you know how long it should be, make sure it is that long
    - escape single quotes in string input by doubling them up.

    Remember to validate all input: this means Post, Get and Cookie input. Even if it is a hidden form element, validate it. A hacker won't use his web browser (for long) to get in; he's going to write a script to post garbage at ya and see if he can crack in.

    I won't go into more detail as there are some good references, and of course a quick search on your favorite SE will pull up more.

    http://www.nextgenss.com/papers/adva..._injection.pdf (PDF)

    http://66.102.7.104/search?q=cache:e...njection&hl=en (HTML of above)

    http://www.securiteam.com/securityre...DP0N1P76E.html

    http://www.unixwiz.net/techtips/sql-injection.html

    boy that would be cool if AB would stick-*** this for a while...

  2. #2
    Join Date
    May 2005
    Posts
    53
    This is some good stuff for beginners.... Keep it up

  3. #3
    Join Date
    Jun 2005
    Posts
    39
    Many thanks from me GOOD JOB!

  4. #4
    Join Date
    Aug 2005
    Posts
    1
    give me some database connectivity ASP codes which may connect to MSaccess or oracle

  5. #5
    Join Date
    Oct 2005
    Posts
    59


    This is exactly what I've been looking for. Thank you

  6. #6
    Join Date
    Nov 2005
    Posts
    187

    Thanks

    useful information!

  7. #7
    Join Date
    Mar 2006
    Location
    philippines
    Posts
    23
    nice! I'm doing it without knowing the importance. keep it up!

  8. #8
    Join Date
    Feb 2006
    Location
    Springfield, MO
    Posts
    71
    Quote Originally Posted by russell
    It doesn't matter what database you use, nor what scripting language you use. If you don't properly validate input server-side, you're asking for trouble. Things to check for:
    - if you expect a number, make sure it IS one
    - if you expect a string, check that it is greater than zero length; if you know how long it should be, make sure it is that long
    - escape single quotes in string input by doubling them up.
    When you say escape single quotes in input by doubling them up, can you explain that for me?

    I am storing a textbox in a variable, then use the insert value of
    Code:
    '" & variable & "'
    How can I avoid the db error if someone enters something like o'reilly's?
    Buzzards got to eat same as worms.

  9. #9
    Join Date
    Feb 2003
    Posts
    2,745
    how can i avoid the db error if someone enters something like o'reilly's?
    Change it to o''reilly''s.

    Notice that is two single quotes: ' becomes ''

  10. #10
    Join Date
    Apr 2005
    Location
    Hastings, Sussex, UK.
    Posts
    244
    A particular and very common oversight is login scripts that aren't sanitised.

    Checkout the basic example below:

    Code:
    Dim strUser
    Dim strPass
    Dim strLogin
    strUser = Request.Form("usr")
    strPass = Request.Form("pass")
    ' user input spliced straight into the SQL text (this is the unsafe version)
    strLogin = "SELECT * FROM tblUsers WHERE usr=" & strUser & " AND pass=" & strPass
    From this point it is common to then query the database and check the recordset for a result. If you get a result then it must be OK so let's proceed. If this sounds familiar, then think again. It's dangerous and SQL injections are the reason why.

    If I pass:

    Code:
    Usr: ' OR 1 = 1
    Pass: ' OR 1 = 1
    to the ASP above then the SQL will produce a result when queried. Hey Presto! I'm in and I haven't got a password.

    SQL produced:

    Code:
    SELECT * FROM tblUsers WHERE usr='' OR 1=1 AND pass='' OR 1=1
    The rule is, as stated above, strip quotes from login scripts and always read the database results; don't rely on the fact that the recordset object produces a result.

    Another point is that some databases allow concurrent queries which are separated by a semicolon, so another dangerous injection would be:

    Code:
    Usr: ';DROP TABLE tblUsers;
    This doesn't always have to affect the database, as never-ending JavaScript alert box loops can also be injected. Harmless when stored but a browser crasher when rendered.

    Code:
    <script type="text/javascript">
    var i;i=1;while(i>0){alert("Stoopid")}i++;
    </script>
    There are literally hundreds of ways of injecting code into databases for malicious purposes, so always screen the user's input.
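    The login example above, reproduced as an added example (my code, not the poster's) in Python with an in-memory sqlite3 table standing in for the ASP/ADO recordset. It runs the post's own `' OR 1 = 1` input through the post's concatenation, through quote-doubling alone, through quote-doubling inside a quoted literal (the thread's advice done properly), and through a parameterised query (the Command-object route recommended in post #1). The table, the user `alice` and the password are constructed sample data.

    ```python
    import sqlite3

    PAYLOAD = "' OR 1 = 1"   # the exact input from the post above

    def make_db():
        # Constructed sample table so the example runs offline.
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE tblUsers (usr TEXT, pass TEXT)")
        db.execute("INSERT INTO tblUsers VALUES ('alice', 's3cret')")
        return db

    def found(db, sql, params=()):
        return db.execute(sql, params).fetchone() is not None

    def login_concat(db, usr, pw):
        # The post's pattern: values glued into the SQL text, no quoting, no escaping.
        # With PAYLOAD the WHERE clause becomes  usr=' OR 1 = 1 AND pass=' OR 1 = 1
        # i.e. one string literal OR 1 = 1, which is true for every row.
        return found(db, "SELECT * FROM tblUsers WHERE usr=" + usr + " AND pass=" + pw)

    def login_doubled_only(db, usr, pw):
        # Doubling quotes without wrapping the value in quotes gives the "SQL produced"
        # shown in the post:  usr='' OR 1 = 1 AND pass='' OR 1 = 1  -- still always true.
        usr, pw = usr.replace("'", "''"), pw.replace("'", "''")
        return found(db, "SELECT * FROM tblUsers WHERE usr=" + usr + " AND pass=" + pw)

    def login_quoted_escaped(db, usr, pw):
        # The thread's advice done properly: quote the literal AND double the quotes
        # inside it. The payload stays inside the string and matches no user.
        usr, pw = usr.replace("'", "''"), pw.replace("'", "''")
        return found(db, "SELECT * FROM tblUsers WHERE usr='" + usr + "' AND pass='" + pw + "'")

    def login_param(db, usr, pw):
        # Parameterised query: the values travel separately from the SQL text,
        # so no quoting rules have to be remembered at all.
        return found(db, "SELECT * FROM tblUsers WHERE usr=? AND pass=?", (usr, pw))

    def demo():
        db = make_db()
        return {
            "concat": login_concat(db, PAYLOAD, PAYLOAD),
            "doubled_only": login_doubled_only(db, PAYLOAD, PAYLOAD),
            "quoted_escaped": login_quoted_escaped(db, PAYLOAD, PAYLOAD),
            "param": login_param(db, PAYLOAD, PAYLOAD),
            "real_user": login_param(db, "alice", "s3cret"),
        }
    ```

    The point of the middle case is that escaping only protects a value that is itself inside quotes; doubling quotes while still concatenating an unquoted value leaves the login wide open.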

  11. #11
    Join Date
    Aug 2006
    Location
    Earth
    Posts
    2
    Quote Originally Posted by russell
    Change it to o''reilly''s.

    notice that is two single quotes ' becomes ''



    ===================================

    You can use Replace Function

    For example

    ex) Dim user_name : user_name = Request("user_name")

    user_name = Replace(user_name, "'", "''")

  12. #12
    Join Date
    Nov 2006
    Posts
    104
    Quote Originally Posted by YongHee
    ===================================

    You can use Replace Function

    For example

    ex) Dim user_name : user_name = Request("user_name")

    user_name = Replace(user_name, "'", "''")
    Yeah .. this is easiest fix.

    --
    Riz
    www.PDFonFLY.com - generate free pdf online

  13. #13
    Join Date
    Feb 2006
    Location
    China
    Posts
    72
    boy that would be cool if AB would stick-*** this for a while...
    -------------
    why so many '&_' ?

  14. #14
    Join Date
    Aug 2006
    Location
    Earth
    Posts
    2
    Usually we use an include file for validation functions or user functions.


    Function.asp

    Code:
    Function fncReplaceDBString(vPstring)

        Dim vUtmp : vUtmp = Trim(vPstring)

        If Len(vUtmp) > 0 Then
            ' Double single quotes so the value can sit inside an SQL string literal.
            ' (Chr(39) is this same character, so it must not be encoded again below,
            ' or the doubled quote would turn into &#39;&#39;.)
            vUtmp = Replace(vUtmp, "'", "''")

            ' HTML-encode for display. "&" has to go first, otherwise the &lt; and
            ' &gt; produced afterwards would be re-encoded to &amp;lt; and &amp;gt;.
            vUtmp = Replace(vUtmp, "&", "&amp;")
            vUtmp = Replace(vUtmp, "<", "&lt;")
            vUtmp = Replace(vUtmp, ">", "&gt;")
            vUtmp = Replace(vUtmp, Chr(34), "&#34;")   ' double quote
            vUtmp = Replace(vUtmp, Chr(37), "&#37;")   ' percent sign
            vUtmp = Replace(vUtmp, Chr(64), "&#64;")   ' at sign
            vUtmp = Replace(vUtmp, Chr(96), "&#96;")   ' backtick
            vUtmp = Replace(vUtmp, Chr(13) & Chr(10), "<br>")
        End If

        fncReplaceDBString = vUtmp

    End Function

    ==================
    test.asp

    Code:
    Dim user_name : user_name = fncReplaceDBString(Request("user_name"))

  15. #15
    Join Date
    Nov 2005
    Location
    Earth
    Posts
    361
    Dunno why this hasn't been said, but if you are lazy like me, you can still dump raw user input into the db using:

    Code:
    server.URLencode(trim(request.form("rawdata")))
    as far as I can tell, you cannot SQL Inject that in any way.

    Can YOU think of a way to inject SQL hacks into that?


    Usr: ' OR 1 = 1 becomes:
    Code:
    INSERT INTO TABLE (COLUMN) VALUES ('usr%3a+%27+or+1+%3d+1');
    Usr: ';DROP TABLE tblUsers; becomes:
    Code:
    SELECT TABLE.COLUMN WHERE USERNAME='usr%3a+%27%3bdrop+table+tblusers%3b'
    --Ubik

    If I have no idea what you are talking about, then I will pretend I know and answer accordingly.

    Thinking about starting a New Thread entitled 'Please Help Me!' ? Read this!
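    An added comparison (my code, not Ubik's or the thread's) of what the URL-encoding approach in the post above does to the `o'reilly's` input from post #8, next to the same value passed as a query parameter. Python with an in-memory sqlite3 table stands in for ASP/ADO; the table and the name are constructed sample data.

    ```python
    import sqlite3
    from urllib.parse import quote_plus, unquote_plus

    NAME = "o'reilly's"   # the input from post #8 (constructed sample)

    def make_db():
        # Constructed in-memory table so the example runs offline.
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE tblUsers (usr TEXT)")
        return db

    def stored(db):
        # What actually ended up in the column.
        return db.execute("SELECT usr FROM tblUsers").fetchone()[0]

    def store_urlencoded(db, raw):
        # The post's approach: URL-encode, then concatenate. The quote becomes %27,
        # so the SQL literal is never broken, but the column now holds the encoded
        # form rather than the name the user typed.
        db.execute("INSERT INTO tblUsers (usr) VALUES ('" + quote_plus(raw) + "')")
        return stored(db)

    def store_param(db, raw):
        # Parameterised INSERT: the driver carries the raw value, quotes and all.
        db.execute("INSERT INTO tblUsers (usr) VALUES (?)", (raw,))
        return stored(db)

    def lookup(db, name):
        # Exact-match lookup by the name the user actually typed.
        row = db.execute("SELECT usr FROM tblUsers WHERE usr=?", (name,)).fetchone()
        return None if row is None else row[0]

    def demo():
        db_enc, db_par = make_db(), make_db()
        return {
            "encoded_stored": store_urlencoded(db_enc, NAME),
            "encoded_lookup": lookup(db_enc, NAME),      # None: stored form differs
            "encoded_decoded": unquote_plus(stored(db_enc)),
            "param_stored": store_param(db_par, NAME),
            "param_lookup": lookup(db_par, NAME),
        }
    ```

    With the encoded column, every later read has to URL-decode and every later comparison has to encode the search term the same way, or lookups silently miss; the parameterised version stores and finds the exact string.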
