Validate Your Input!

[Ubik]

How can this be hacked?

[mrizwan]

===================================

You can use Replace Function

For example

ex) Dim user_name : user_name = Request("user_name")

user_name = Replace(user_name, " ' " , " ' ' ")

Yeah .. this is easiest fix.

--
Riz
www.PDFonFLY.com - generate free pdf online

[so_is_this]

Dunno why this hasn't been said, but if you are lazy like me, you can still dump raw user input into the db using:

PHP Code:

server.URLencode(trim(request.form("rawdata"))) 


as far as I can tell, you cannot SQL Inject that in any way.

Can YOU think of a way to inject SQL hacks into that?

don't rely on that. it can still be hacked. easily.

How can this be hacked?

No answer, Russell?

[russell]

think "buffer overflow" and "site traversal." remember, a hacker isn't going to use a web browser. he/she'll post garbage at your server via a script or compiled program.

also, why purposely allow errors (which can give the user too much information), instead of preventing 'em?

it will stop the newbies though.

sorry i never noticed this thread being updated for a while. dang, and i even asked AB to make it a sticky!...

[aspdevelopment]

you'll never be 100% safe from injection hacks although the more you do the better.

[russell]

sure you will. if you use proper coding practices -- validate all input for data type and length...and in many cases, origin.

[avais]

Hi Russell seems ur a pro that I was looking for...
actually i am a beginner to ASP and Server-Side scripting...I am doing a project for my college 'Attendance Record' and I am working with code(half done) on my laptop... But I dont know that when I will give it to my college and (if)they will copy it on the server then will it work the same way(completely error less) if accessed from a client????
if not give me link of basics required.....please Help....Thank You

[Square1]

When I hear about using parameterized queries is this what they are talking about?

Dim user
user = Trim(Request("user"))
user = Replace(user, "'", "''")

If len(user) < 1 Then
Response.Write "Please Enter your user name"
Exit Sub
End If

sql = "SELECT someFields " &_
"FROM myTable " &_
"WHERE user = '" & user & "' " &_
"ORDER BY someField"

[Square1]

Is this a "quicker/as safe" alternative?

If len(Replace(user, "'", "''")) < 1 Then
Response.Write "Please Enter your user name"
Exit Sub
End If

sql = "SELECT someFields " &_
"FROM myTable " &_
"WHERE user = '" & Replace(user, "'", "''") & "' " &_
"ORDER BY someField"

[russell]

Ok, I haven't been around for a year or so...

A few things:
1. For EVERY field that you submit to the database, escape single quotes by doubling them up. This prevents 99% of the hacks and keeps the wannabe crackers out.

2. Validate data types. If you're expecting an integer value, test it to be sure b4 throwing it at the db, or doing any further processing.

3. Always specify maxlength in your HTML forms. For example, if your city field in your database is specified as varchar(30) then put a MAXLENGTH of 30 in the HTML form.

4. ALWAYS check HTTP_REFERER. If it doesn't come from your domain, reject it -- unless you're purposely exposing it outside.

Validate cookies, querystrings, form vars. In short, everything.

Before releasing any code, test it. Enter a single quote in every form field. Enter a single quote in any querystrings. If you get an error, it can be hacked.

Create a regular expression library and use it to validate everything.

Use paramaterized queries. This eliminates most of the garbage folks will try to throw at you.

Compared to when I made this post, today's servers and browsers are a lot more secure. But it only takes one mistake and you'll get hacked.

[TheTechguys]

I'm sure that most of the FO will agree that validate Magento in the interface to form input fields are a nice feature. All it takes is for you to add some classes CSS to input fields are then run the model to validate delivery of products which, by default, messages colored red to indicate failure to validate possible etc. This is done to validate on the client side by Java script.

[eaguayo@trabajo]

to be able follow instructs from prof Mandelevich,how do I enable scripting permitions;also where is my my IIS; my Osystem is Win XP.Help please. Rick

[kizipro57]

Thanks you share info nice . @@

[kizipro57]

Code is implemented in asp net programming. I love this language and thank you for sharing meaningful information this.