I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input validation scripts that you use to avoid form injection attacks? I'm looking for good routines I can reuse on all of my form processing pages.
My client received an email from a user who mentioned that by accident they had been typing (over the querystring I guess), and the url had become:
default.asp?pageid='asd
They then received a SQL Server error message.
My client contacted their webhost, who came back to them promptly and talked of 'SQL Injection', they said that we would need to secure the code as well as the permissions on the database(which I believe they have done)..
This is something I had over looked, and started to write a fix for a couple of nights ago...but I dont think its 100%....
Basically I now do this at the top of my default.asp page ...
Does anyone know how to prevent the browser from automatically adding the password to a form after a user name is entered? I need to be able to over ride the brower setting so turning off the option in IE is not really a solution.
How do people go about preventing the user from submitting a form for a 2nd time? For example, the user submits a form, clicks on the back button, and the submits the form again. I have used various techniques in the past (depending on circumstances) but I'd be interested in the techniques you guys currently use.
how can i Create daynamic pages or static pages Automatic .? i have a problem with my website i want Create page asp classic to every member The page name equal the member name www.Micrsoft.com/Ashraf.asp . If i have 3000 members in my website it's possible to generate 3000 pages for everymember Automatic and if it is possible how can i do this ?my Tec. are ASp classic and java script .
I skinned an LMS (Learning Management System) using CSS and Javascript. The forms were skinned with niceforms.js, the site works perfectly in FF, IE 7 and IE6 but in ASP the javascript doesn't replace the images with the skinned elements. All the javascript functions initialize but the images are not placed in. Code:
How can I send the same form inforamtion to two different URL's while only redirecting to one URL.For example, I send the info from a form to page1.asp and page2.asp, but the page redirects to page2.asp?
I'm having a problem with a shared ssl cert from the host. I'm trying to pass 8 fields from an encrypted page to a redirect page that is encrypted and then to the final page which is also encrypted to store the data.
These page names are similar to the setup but are renamed here as: ....
How do I post an HTML form to multiple ASP pages? I need to do two things with my data at the same time and it would be very helpful if I could spawn the processes when the HTML form is posted, not through downstream ASP handling.
Assuming the following code actually worked, I'd like to take data entered from one form and post it to two different locations. Hypothetically, I have a server in NY and one in LA that I want to get the same information.
Users enter data using HTML forms and it gets processed by an asp page that enters the data into the database. What I am trying to do is get a "confirm" page set up that will make sure the form was completed properly. If it is completed successfully, then the data from the form needs to be forwarded onto another asp page that will enter the data into the database.
My question is, what is the best way to forward the information on? Currently I am using querystring to handle this, but that doesn't work in some situations especially when one of my forms has a <textarea> box that seems cumbersome to send via querystring.
Is there a method I can use to easily forward the data from the form to subsequent pages after the first one ?
I have downloaded a Image Upload componet and incorporated it into my existing code. It is working great. My issue is that I cannot call a field from another table in SQL. On insert.htm, I can do this:
ptrack = Clng(Request.QueryString("tracknumber")) And I can get the tracking number of the specific client.
If I try to do this in insert.asp, it doesn't work. I have read other posts regarding this and I still cant get it to work. Like I mentioned before, it is a tracknumber, so its a numeric. Code:
I am going to have a form on one page that will have a bunch of options(checkboxes, radio buttons, text areas, text fields, etc.) and these options are going to deal with a certain category. Each category will have different options. Now after this form is filled out they will then proceed to another page to fill out contact information. Name, Addy, State, City, etc.
Now, after they fill this contact form out they will submit it and then it will go through a database and depending on what state and county they are in it will email the information from both forms to the email addresses in the database that match that state and county(as well as category). Now dont worry I aint wondering how to actually search the db and all that yet.
All I want to know right now is how do you remember the first forms information while you go to the second page to fill out the contact information? Using cookies? What? I dont want the form input to be displayed on the second page, just remembered.
So I will select all my options from the first form and fill out all the text areas and fields and all that then click on the Next button or whatever, then fill out contact info.
How do I get it to retain BOTH forms information, and for now just display both of them on a third page(like I said I will worry about the db query and email crap later). I hope this makes sense.
I'm using if for when the user deletes a record from the database. People using the website try and delete more than one record at a t time by placing commas between the IDnumber ie. 1,2,5,9 etc.
This creates an error. So instead of this error appearing, how can I get a small alert box telling hte user he/or she has entered the wrong data type?
I've got multiple pages on the same server that all have the same drop down boxes in them. It is a list of all our facilities. Every time there is a change, I have to change it on every page. They are in the format below. Is there an easy way to store all that data in a text file so I only have to update it one place?
In ASP classic pages,I want to know if it's possible to prevent session variables from becoming zero length strings? I have tried setting the Session.Timeout to a large value, but alwas, after 20 minutes, my session variable times out. I also tried setting the session timeout in IIS manager to a high value, but this did no good either.I just want to allow one particular session variable to last a long time.
I have a permission tracking app that I am working on, and I have made the insert page for it. I am having issues on how to prevent duplicates from getting entered.
Currently the interface for the app has a mixture of select boxes, list boxes and checkboxes. The form submits the page to processAIMR.asp and then does the inserting. I am using a loop to insert a new record for each checkbox checked or listbox entry selected. Code:
I have a form that sends info to a preview page, then to a thank you page. The thank you page gets the data passed from the rpeview page and sends an email.
How can I prevent the user from refreshing the page, so it doesn't send the email again.
I would like to prevent a user from logging in with their user/password combination on a different computer or even a different browser window, if they are already logged in. I have a login page, from which I use a DB check to verify user/password info. Also, I have a bit loggedIN field in the DB, which I use to see if they are currently logged in; if so, I prevent them from logging in a second time.
Unless they click the "Log Out" button, then the DB value does not get changed. Any suggestions as to how I can log them out, even if they simply close the browser window or jump to a different page?
For instance here's a simple select statement Code:
("SELECT a, b,c d, e, f FROM Table WHERE a = "&CInt(j)&" and c= 0")
j is a dimmed variable which is a and it's numeric. Is the above protected against any non numeric instances? Like j=2,345..i've tested this and it works i'm just trying to see if i've covered all my tracks.
Is there a way in ASP to prevent including the same file more than once?
Example:
dbutil.asp needs constants.asp, so I include constants.asp inside dbutil.asp.
transact.asp also needs constants.asp, so I include constants.asp inside transact.asp.
transact.asp doesn't need stuff in dbutil.asp, and dbutil.asp doesn't need stuff in transact.asp.
Then later I might have a main.asp that needs both dbutil.asp and transact.asp. So I include them both. However, the constants.asp will be found to be included twice!
What can I do to creatively prevent multiple inclusion of the same file in ASP? I know how to do it in C and C++, but I can't apply that to ASP, it seems.
I have created an Intranet in my office using ASP (of course). Within it is a booking system, allowing booking of conference rooms, digital camera and other equipment. It works perfectly...almost, as there is no way to prevent double bookings.
I really don't know where to begin with this one. All bookings go to an Access DB, into a single table. The bookings have a start time and an end time (24hr).
I would like it so that when the user submits the form, if there is a clash in times instead of saying, thanks for your booking, to redirect them back to the booking page saying there is already a booking for this time and that I am very sorry!
I guess I have to check some value in access and return the info back to the webpage before it chooses where to redirect the user.
I am developing a Simple ASP Website with a login page. I want to know how can I change Session ID after login and also Close the current Session after User closes the Window or gets logged out of the Website. So that every time user logs in into the website, Session ID will be unique.
We have 2 domains for internal purposes: one for users (have to login and domain has SSL) and another for sponsors (have to login and domain does NOT have SSL).
Now when a user logs in and there are pages that have info from the sponsors domain, users are asked to login again with a warning message saying if they want to see secure and nonsecure information. How can I bypass the second login? Is there something I can do in active directory, IIS, or ASP to not have the second login appear?
How can I prevent this from happening? For example when the asp application works in a public terminal where we don't want successive users to know the login password and user name of the previous ones?
I recently built a login page and a friend of mine was working on something similar and said that I need to protect the login from SQL injection. I am not really sure what exactly that is. I think I have a rough idea but can someone explain it to me? In addition, I will need to obviously protect what I built and am not sure how to go about doing that either.
if anybody has a list of dodgy characters that can be used for sql injection attacks so that i can figure out a way to strip them from user inputs? Also if somebody was filling in a form, that inserts into a "memo" field in access could this be used to launch such an attack or would whatever they type simply be inserted into the field? i hope that bit is clear. i have a form field "message" which is a multi line text box, if someone typed into that box
DELETE * FROM Messages WHERE MessageID =1205
or some other command would that simply be inserted in to the database or would the server try and execute the command??
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
Is it possible to "intercept" all calls to conn.execute and have them go to a checking routine that will either let the command go through or terminate it if it contains some illegal instructions? My clients company has had its hacker free status revoked due to the possibility of sql injection. I could put a function before every single conn.execute but we have hundreds of them. Just wondering if there is some way of telling it to do something else first. Maybe I can redefine conn.execute somehow?