www.webdeveloper.com
Page 2 of 2 FirstFirst 12
Results 16 to 30 of 30

Thread: Validate Your Input!

  1. #16
    Ubik's Avatar
    Ubik is offline <%= "New Meja Hor" %>
    Join Date
    Nov 2005
    Location
    Earth
    Posts
    361
    How can this be hacked?
    --Ubik

    If I have no idea what you are talking about, then I will pretend I know and answer accordingly.

    Thinking about starting a New Thread entitled 'Please Help Me!' ? Read this!

  2. #17
    Join Date
    Nov 2006
    Posts
    104
    Quote Originally Posted by YongHee
    ===================================

    You can use Replace Function

    For example

    ex) Dim user_name : user_name = Request("user_name")

    user_name = Replace(user_name, " ' " , " ' ' ")
    Yeah .. this is easiest fix.

    --
    Riz
    www.PDFonFLY.com - generate free pdf online

  3. #18
    Join Date
    Oct 2006
    Posts
    1,297
    Quote Originally Posted by Ubik
    Dunno why this hasn't been said, but if you are lazy like me, you can still dump raw user input into the db using:

    PHP Code:
    server.URLencode(trim(request.form("rawdata"))) 
    as far as I can tell, you cannot SQL Inject that in any way.

    Can YOU think of a way to inject SQL hacks into that?
    Quote Originally Posted by russell
    don't rely on that. it can still be hacked. easily.
    Quote Originally Posted by Ubik
    How can this be hacked?
    No answer, Russell?

  4. #19
    Join Date
    Feb 2003
    Posts
    2,745
    think "buffer overflow" and "site traversal." remember, a hacker isn't going to use a web browser. he/she'll post garbage at your server via a script or compiled program.

    also, why purposely allow errors (which can give the user too much information), instead of preventing 'em?

    it will stop the newbies though.

    sorry i never noticed this thread being updated for a while. dang, and i even asked AB to make it a sticky!...

  5. #20
    Join Date
    May 2009
    Posts
    1
    you'll never be 100% safe from injection hacks although the more you do the better.

  6. #21
    Join Date
    Feb 2003
    Posts
    2,745
    sure you will. if you use proper coding practices -- validate all input for data type and length...and in many cases, origin.

  7. #22
    Join Date
    Jun 2010
    Posts
    1

    Question Need a Little Help....

    Hi Russell seems ur a pro that I was looking for...
    actually i am a beginner to ASP and Server-Side scripting...I am doing a project for my college 'Attendance Record' and I am working with code(half done) on my laptop... But I dont know that when I will give it to my college and (if)they will copy it on the server then will it work the same way(completely error less) if accessed from a client????
    if not give me link of basics required.....please Help....Thank You

  8. #23
    Join Date
    Apr 2010
    Posts
    57
    When I hear about using parameterized queries is this what they are talking about?

    Dim user
    user = Trim(Request("user"))
    user = Replace(user, "'", "''")

    If len(user) < 1 Then
    Response.Write "Please Enter your user name"
    Exit Sub
    End If

    sql = "SELECT someFields " &_
    "FROM myTable " &_
    "WHERE user = '" & user & "' " &_
    "ORDER BY someField"

  9. #24
    Join Date
    Apr 2010
    Posts
    57
    Is this a "quicker/as safe" alternative?

    If len(Replace(user, "'", "''")) < 1 Then
    Response.Write "Please Enter your user name"
    Exit Sub
    End If

    sql = "SELECT someFields " &_
    "FROM myTable " &_
    "WHERE user = '" & Replace(user, "'", "''") & "' " &_
    "ORDER BY someField"

  10. #25
    Join Date
    Feb 2003
    Posts
    2,745
    Ok, I haven't been around for a year or so...

    A few things:
    1. For EVERY field that you submit to the database, escape single quotes by doubling them up. This prevents 99% of the hacks and keeps the wannabe crackers out.

    2. Validate data types. If you're expecting an integer value, test it to be sure b4 throwing it at the db, or doing any further processing.

    3. Always specify maxlength in your HTML forms. For example, if your city field in your database is specified as varchar(30) then put a MAXLENGTH of 30 in the HTML form.

    4. ALWAYS check HTTP_REFERER. If it doesn't come from your domain, reject it -- unless you're purposely exposing it outside.

    Validate cookies, querystrings, form vars. In short, everything.

    Before releasing any code, test it. Enter a single quote in every form field. Enter a single quote in any querystrings. If you get an error, it can be hacked.

    Create a regular expression library and use it to validate everything.

    Use paramaterized queries. This eliminates most of the garbage folks will try to throw at you.

    Compared to when I made this post, today's servers and browsers are a lot more secure. But it only takes one mistake and you'll get hacked.

  11. #26
    Join Date
    Oct 2012
    Posts
    47
    I'm sure that most of the FO will agree that validate Magento in the interface to form input fields are a nice feature. All it takes is for you to add some classes CSS to input fields are then run the model to validate delivery of products which, by default, messages colored red to indicate failure to validate possible etc. This is done to validate on the client side by Java script.

  12. #27
    Join Date
    Oct 2012
    Location
    Pereira/Colombia
    Posts
    1
    to be able follow instructs from prof Mandelevich,how do I enable scripting permitions;also where is my my IIS; my Osystem is Win XP.Help please. Rick

  13. #28
    Thanks you share info nice . @@

  14. #29
    Code is implemented in asp net programming. I love this language and thank you for sharing meaningful information this.

  15. #30
    Join Date
    Feb 2003
    Location
    Michigan, USA
    Posts
    5,773
    A lot has changed in .NET land since this thread was started. ORM libraries for Visual Basic and C# have sprung up that work around these shortcomings, plus they provide you the benefit of not having to write SQL.

    Check out the Entity Framework from Microsoft.

    An open source alternative is NHibernate.

    Building on NHibernate is an implemenation of the Active Record interface popularized by Ruby on Rails (namely the Active Record class library in Ruby): Castle Active Record.

    Utilizing a modern .NET framework like Microsoft's MVC project is another great way. Form validation is baked in and can be declared in your programming code, not ASP. I've also used FluentValidation, which can be plugged into the MVC framework, to provide data validations that are easily unit testable.

Thread Information

Users Browsing this Thread

There are currently 3 users browsing this thread. (0 members and 3 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles