IIS 6 SQL Injection Sanitation ISAPI Wildcard
I created an ISAPI dll application to prevent SQL Injection attempts by
intercepting the HTTP requests and sanitizing both GET and POST variables (or
any combination of both) before the request reaches the intended code. This
is especially useful for legacy applications not designed to deal with MS SQL
Server Injection attempts. Though this application was designed with MS SQL
Server in mind, it can be used with no or minimal changes with other database
engines.
This ISAPI is only compatible with Internet Information Server (IIS) 6.0,
which comes with Windows 2003. Windows XP uses the IIS 5 engine, which DOES NOT
support ISAPI Wildcard.
Anyone know how to use this component? Am I right in thinking that it will
convert something like
default.asp?pageid=100&cat=74 to
default,100,74.html (or something similar)?
I believe that ISAPI can convert a search engine friendly URL string into a
querystring? Does anyone have any tutorials about using this feature in ASP?
ISAPI is installed and rules are working. Now I have to change the links of my shopping cart from dynamic to URL friendly.
How can I change the internal links of my cart in an automatic manner (some script maybe)? I am trying to avoid going through the process of 'search and replace'.
I know it is possible to do it in PHP with one script for each kind of friendly URL link. I am wondering if this can be done in ASP, better said, if the scripts are already done and ready to adapt, as I am not a coder.
I have ASP pages that call an ISAPI DLL created using Delphi for
generating reports. The report page opens fine the first time it is invoked, but
the next time I get an error like "Name not unique in this context."
My query string passed to the DLL looks like:
.../ReportsDLL/NameOfDLL.dll?PatID=100578&ThpID=12&State=FL
I think after the DLL is loaded it is not freeing the memory and not
unloading the DLL from memory. So how can I free memory used by the DLL or
unload the DLL from within the ASP page that loads the URL into
window.location?
How can I free the objects / DLL that I loaded from the ASP page using the
above querystring?
Note: I think the Delphi code that is written for the DLL is working fine, as it
works fine the first time.
I'm looking for help in setting up a URL rewrite using ISAPI Rewrite. The component is installed on my server, which is Win2003. What I'm looking to set up is an ASP page or whatever to rewrite the URL domain/MyAd/66 so it will point to domain/homeDetail.asp?AD_ID=66. I also want to be sure that I don't screw up my search engine visibility with this. Looking for some help, examples, etc.
I have a script which checks the current page name and writes out a certain class if it's true, to achieve an active menu item effect.
I want to expand upon it a little and have it check for any pages beginning with business, rather than listing business_dir_info.asp?id=2517 where there are loads of IDs. At the moment it's just set to check for business.asp, which is the top level page. Is there any sort of wildcard character I can use?
Var1's content can be "errorone" or "errortwo" or "good". I need to detect if there is "errorone" or "errortwo" with the If clause. How can I do that using the wildcard?
Example that doesn't work: if var1 = *"error"* then
Dear all, in ASP I want to use the command Request.QueryString to check the URL. For example, my item when passed to the next form will be either 4 or 6 characters. How do I tell ASP what to do if the string passed has 4 characters and what to do if it has 6 characters?
My code example for 4 characters is A100; for 6 characters it is A10001. A different number of characters will have to perform a different task for me.
I tried to use "?" as a wildcard but it failed. By the way, I have stored Chinese characters in Access, but when they go through ASP and display in IE, it shows "???" instead of the Chinese characters.
I am trying to show a series of movies on a web page. All of the movies are the same width, but have different heights. When I take out the width and height parameters, the pictures display fine, but the movies get the bottom cut off. When I put the parameters back, it stretches out the images to fit the entire box. Any way to make the height parameter a wildcard?
<<%=whattouse%> src="Upload/<%=(RS1.Fields.Item("xmedia_asset").Value)%>"
width="320" height="300" align="left" loop="false" controller="true"
autoplay="false"></<%=whattouse%>>
I have the following SQL statement that returns a result set based on the exact input stored in a session variable
If reqname <> "" Then
strSQL = strSQL & "AND(ABR_REQUESTOR='" & reqname & "')"
The variable “reqname” is set to a session variable.
I amended the SQL to do a wildcard search instead of searching for the exact string stored in the Session variable:
I altered the SQL as follows:
strSQL = strSQL & "AND(ABR_REQUESTOR LIKE '" & reqname & "%')"
The problem is the field ABR_REQUESTOR stores the first and last name separated by a space...i.e. John Smith
Using the above SQL will return John Smith if I use J, Jo, Joh.
But, if I want to search for Smith by using S, or Sm, etc. it won't work.
I need to alter the statement to look for anything after a space?
I have an Access database. I am using a dropdown search box. One of the options is "Search All States" and I set the value to %. In the recordset on the results page, I have the default set to %. Here is the SQL statement:
SELECT *
FROM ClientInfo
WHERE State = 'varState'
and varState = Request.Form("State")
However, I get no results when choosing this option in the dropdown.
In an ecommerce situation, when a category link is clicked, my results page shows the category name at the top of the page
This is working great apart from when a search is done without specifying category eg from the search page
So for example Results.asp?Category=%25&Keyword=&Submit=Search
This gives all products in the results page but just gives the last category name in the table as the heading
I would like to write a condition that just presents a static message, e.g. "Results", when the search wildcard % is passed.
I want to post a wildcard IP in a varchar field in my MySQL table so when I call it in the script it shows up giving that entire range of IPs. I've tried doing it like:
24.129.184.* but it doesn't seem to work.
Not sure if this is possible but, is there any way to search a variable like,
var = "I like to play jazz"
If "jazz" * = var then ( If the word jazz is included in the variable then)
response.write "Found Match"
end if
What I want to do is read a database entry and if it doesn't start with http:// then I want to include it.
I can't figure out what to use as a wildcard in the first line though:
IF rsGuestbook("VisitorHome") = "http://" THEN
%>
<a href="<%=rsGuestbook("VisitorHome")%>" target="_blank">Name:
<%
ELSE
%>
<a href="http://<%=rsGuestbook("VisitorHome")%>" target="_blank">Name:
<%
END IF
I'm trying to compare a form field from the previous page & write a response in the html on the current page. e.g
if (form field value) is like "Custom" then write Correct, or else write Incorrect. Here's the code I have currently:
<%If (Request("RangeColour")) = ("Custom*") Then Response.Write("Correct") : Response.Write("")else Response.Write("Incorrect")%>
I've tried *, &, ? but they don't appear to work. I've also tried like "Custom*" but I receive an error about a sub or function not being declared.
I have a little script that is supposed to check for a certain value in a db column, and then do something if that particular value is present:
...<%ElseIf rsIDK.Fields.Item("my_column").Value = "/default.asp" then ...
The problem is that my_column can contain up to 300 characters, so the code above doesn't work. What I really need is a wildcard at the end of "/default.asp" but I don't really know the correct way of doing this.
I have a form where a user can choose one or more options from drop-down menus to search the db :
service
town
county
The IDs are all numbers in a MySQL database. I have put the default param for each search as % and this only changes if the relevant search option is chosen:
I'm trying to pass the wildcard variable % to another page via
request.querystring.
When I go to pick up the variable through request.querystring, it will
never display the "%" if one is included. It will display any other
characters included in the variable though.
Code from page 1:
<%response.write "<a href='Page_2.asp?Severity=" & varCombo_Severity &
"&Owner=" & varCombo_Owner & "'>" & "<i> Go to Page 2 </i>" & "</a>"
%>
Code from page 2:
<%varCombo_Severity = Request.Querystring ("Severity")%>
<%varCombo_Owner = Request.Querystring ("Owner")%>
Result: No % wildcards are passed through to page 2.
Any ideas?
I recently built a login page and a friend of mine was working on something similar and said that I need to protect the login from SQL injection. I am not really sure what exactly that is. I think I have a rough idea but can someone explain it to me?
In addition, I will need to obviously protect what I built and am not sure how to go about doing that either.
Does anybody have a list of dodgy characters that can be used for SQL injection attacks, so that I can figure out a way to strip them from user inputs?
Also, if somebody was filling in a form that inserts into a "memo" field in Access, could this be used to launch such an attack, or would whatever they type simply be inserted into the field? I hope that bit is clear.
I have a form field "message" which is a multi line text box. If someone typed into that box
DELETE * FROM Messages WHERE MessageID =1205
or some other command, would that simply be inserted into the database or would the server try and execute the command?
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
How do I test for SQL injection?
So do I do a SELECT statement in my username login?
I just wanted to share it with you guys and ask your opinions.
Is it possible to "intercept" all calls to conn.execute and have them go to
a checking routine that will either let the command go through or terminate
it if it contains some illegal instructions? My clients company has had its
hacker free status revoked due to the possibility of sql injection. I could
put a function before every single conn.execute but we have hundreds of
them. Just wondering if there is some way of telling it to do something else
first. Maybe I can redefine conn.execute somehow?
I have written several site functions to hopefully prevent against cross-site hacking, SQL injection, and URL encoding. I also have a symmetric key encryption that is pretty basic (which isn't posted here and is total overkill). I was wondering if these functions are protecting well enough, or am I missing some tests?
Function InjFix(val)
InjFix=SEncode(Trim(Replace(val,"'","''")))
end Function
Function SEncode(val)
SEncode=Server.HtmlEncode(val)
end Function
Function URLEncode(val)
URLEncode=Server.URLEncode(val)
end Function
I am using the method below to make sure that the query isNumeric and not longer than 4. It's a little snippet I found in another post... It works fine but I'm questioning whether it's enough.
URls like this, itemdetail.asp?-=#&ItemID=906, don't throw any errors because the "ItemID=906" is fine. Does the method used below really protect against SQL Injections in this case?
Code: ....
I have feedback forms on several of my sites and recently, they have been plagued with email injection attacks.
The forms are pretty straight-forward. Half a dozen fields get submitted to a formhandler.asp page where the contents are sent to some hard-coded email addresses using ASPmail.
From what I understand about how this works, spambots are used to add carriage returns after some of the form fields and then adding BCCs in to use the form to send out spam to other addresses. Here's an example of the emails I'm getting: .....
Anyone got some good methods for preventing html-injection in ASP?
I have always validated user input to pieces prior to integrating it into a SQL statement, in order to avoid SQL injection attacks. A colleague of mine told me that binding my vars would make them SQL scalar, but I have been left in the dark as to HOW... The web left me none the wiser, as well, so here goes: Anyone got a brief example of binding vars in ASP to get me started?
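The InjFix post above (quote-doubling plus HtmlEncode) and this one both come down to the same thing: keeping user input from being parsed as SQL text. The example below is added here and is not code from any post on this page; it shows the ADO parameterised query ("binding") in classic ASP, and also covers the LIKE wildcard case that several of the earlier posts struggle with. The Items table, its ItemID and ItemName columns, and the connection string are assumptions for illustration.

```vbscript
<% Option Explicit
' Added example, not from any post on this page. Table, columns and the
' connection string below are assumed.
Dim conn, cmd, rs, itemId, namePrefix

itemId = Request.QueryString("ItemID")
namePrefix = Request.QueryString("Name")

' Numeric context: Replace("'", "''") does nothing here, because a numeric
' comparison has no quotes to escape. Validate the type before it is used.
If Not IsNumeric(itemId) Then
    Response.Write "Invalid item id"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=SampleDb;Integrated Security=SSPI;"

' The SQL text is fixed. Values are sent separately as parameters, so quotes,
' semicolons and comment markers inside the input are only data.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "SELECT ItemID, ItemName FROM Items WHERE ItemID = ? AND ItemName LIKE ?"

' ADO constants used literally so no adovbs.inc include is needed:
' adInteger = 3, adVarChar = 200, adParamInput = 1
cmd.Parameters.Append cmd.CreateParameter("ItemID", 3, 1, , CLng(itemId))
' Wildcard search: the % is appended to the VALUE, not to the SQL string,
' so a user-supplied % or ' still cannot change the statement.
cmd.Parameters.Append cmd.CreateParameter("Name", 200, 1, 50, namePrefix & "%")

Set rs = cmd.Execute
Do While Not rs.EOF
    ' HTMLEncode on output is the separate, HTML-injection defence.
    Response.Write Server.HTMLEncode(rs("ItemName")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

The same "?" placeholder syntax works with the Access and MySQL OLE DB / ODBC providers, so the pattern is not tied to SQL Server.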