I have allways validated user input to pieces prior to integrating it into a SQL statement, in order to avoid SQL Injection attacs. A colleague of mine told me that binding my vars would make them SQL scalar, but I have been left in the dark as to HOW... The web left me none the wiser, as well, so here goes: Anyone got a brief example of binding vars in ASP to get me started?
View RepliesCan anyone find fault with this code? I wrote in in hopes of preventing users from "breaking" SQL queries and getting places they shouldn't by using SQL Injections.
Code: ....
Can anyone help me with an ASP function to perfom the following:
Series of page like this
item.asp?ItemId=2345
news.asp?NewsId=23456
Sale.asp?SaleId=344444
I need a function i can include in lots of pages that basically says
if query string is "ItemId" then only allow numerics of a maximum of 4
if query string is "NewsId" then only allow numerics of a maximum of 5
if query string is "SaleId" then only allow numerics of a maximum of 6
In all of the above query strings of 1,2,3 etc numerals must also work.
Any help appreciated as I'm in deep "poop" battling Chinese hackers.
I have a site that currently is password protected, using a combination of ldap authentication and asp session management.
So for every asp page, I check the session to make sure they're authenticated, if not I send them to the login page.
BUT.... there is a robohelp componenet that is almost a website within this website. All these robohelp files are htm or html based, so I'm unable to put asp scripting (to check for session authentication).
So, my problem is, how do i protect these pages using my existing framework?
I have a locally hosted (via an executable) asp application. Does anyone know what would be the best (cheapest) way to add copy protection in it?
The application is an exe web server with the asp pages embedded in the executable.
No one can copy the asp pages, but they can copy the executable and distribute it that way. I don't want them to do that.
If there is some sort of wrapper or asp code I could add to it for licensing or registration, please let me know.
After trying out 3/4 password scripts which I've used before and won't work today.I've come to the end of my tether! I need a ready made script asap to password protect a set of webpages, something simple with login and p/w for one user.
View Replies View RelatedI have a webpage. However I only want people to access it if they are members of a certain group. When I say group I mean Active Directory group. The log into windows with their Active Directory username and PW, and lets say they are members of 'employee1' group in Active Directory. I'm pretty sure I use ASP, to restrict access to a webpage depending on the users group. how I would go about doing this?
View Replies View RelatedHow do people protect input from forms submitted that are
dangerous such as scripts, etc..
help me with asp password protection? I need to have a login and register script as well as complete password protection.
View Replies View RelatedI have a webpage where user upload ms-word doc.. for supervisor, they can d/w the doc and print... but the normal user can just see the doc..
how to make ms-word password protetion only to normal user but not to supervisors?
we have a folder with pictures of signed up users. we are trying to protect this folder from the public in two ways. hide the relative path
e.g. /welcome/images/544235432.gif
makes it easy for a user to easily download this file . put a password and access the folder through this passwords .
where can I get straightforward step-by-step instructions to password protect part of a site?
View Replies View RelatedI've recently had my ASP site attacked by these stupid bots and have tried a captcha protection, but it doesn't help.
Here's the problem:
I have a form where people send an enquiry to a client from my database (over 5000). After hitting the submit button, an email is posted to the client, a copy is sent to us and the info is published to a database for record / stat keeping.
I have put the captcha protection in the form, but although the tests show that the captcha form works, the emails are still sent off, therefore allowing the bot attacks.
There must be a gap I can plug with the captcha before the email is posted off or info sent to the database.
I have a formchecker running which forces required fields, and that works fine. I'd like the captcha to work the same. Before the form goes to the confirmation page, it must validate the captcha.
What can I do?
Using ASP in a VBScript environment, how can I check the protection on a directory, or a
particular file?
I have been using two forms of password protection:
A) On working web sites I use an ASP script that is included in every page requiring protection: uses session - works fine
B) On quick test sites or temporary stuff I use the Windows Network Authentication provided by my web host. A whole folder is protected at once which is very convenient but it has a problem. If a user types the wrong password and is denied access, the next time they go to type the password, their browser sometimes remembers the wrong password as so they go straight to the 'access denied' 401 page.
How to proceed?
1) Does anyone know of a way of preventing all browsers from cacheing the login info.
2) Is there any way of using ASP to protect whole folders?
I need to be able to secure files on my web server. I am using asp to secure access to links and pages, for example:
<%If Session("manager")=FALSE Then%>
You are not authorized to view this page
<%Else%>
<<<Page Code>>>
<%End If%>
The place I'm running into problems is with files. I have a lot of charts and such in PDF version. I kind of doubt there is a way to secure these files with asp, but I thought it would be worth a try.
My biggest issue is that PDFs are stored in the browser's history, so once the page has been accessed, anyone using the browser can get to thatunsecured PDF. As a brute force fix, is there some way to simply erase the site from the browser history? If not, is there a way to secure the PDF, or does someone know of a better group to post on?
is there any way to protect files or a folder from unauthorised access, i.e.when a variable is false?
e.g.
when variable li = 1 then grant access to folder and files within
when variable li <> 1 then deny access
i have a folder with images and word documents i only want people with the variable set to 1 to be able to access them.is there a way?
I recently built a login page and a friend of mine was working on something similar and said that I need to protect the login from SQL injection. I am not really sure what exactly that is. I think I have a rough idea but can someone explain it to me?
In addition, I will need to obviously protect what I built and am not sure how to go about doing that either.
if anybody has a list of dodgy characters that can be used for sql injection attacks so that i can figure out a way to strip them from user inputs?
Also if somebody was filling in a form, that inserts into a "memo" field in access could this be used to launch such an attack or would whatever they type simply be inserted into the field? i hope that bit is clear.
i have a form field "message" which is a multi line text box, if someone typed into that box
DELETE * FROM Messages WHERE MessageID =1205
or some other command would that simply be inserted in to the database or would the server try and execute the command??
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
View Replies View Relatedhow do i test for SQL injection ?
sdo i do a SELECT statement in my username login?
I just wanted to share it with you guys and ask your opinions. Code:
View Replies View RelatedIs it possible to "intercept" all calls to conn.execute and have them go to
a checking routine that will either let the command go through or terminate
it if it contains some illegal instructions? My clients company has had its
hacker free status revoked due to the possibility of sql injection. I could
put a function before every single conn.execute but we have hundreds of
them. Just wondering if there is some way of telling it to do something else
first. Maybe I can redefine conn.execute somehow?
I have written several site functions to hopefully prevent against cross-site hacking, sql injection, and url encoding. I also have a symetric key encryption that is pretty basic (which isn't posted here and is total overkill). I was wondering if these functions are protecting well enough, or am I missing some tests?
Function InjFix(val)
InjFix=SEncode(Trim(Replace(val,"'","''")))
end Function
Function SEncode(val)
SEncode=Server.HtmlEncode(val)
end Function
Function URLEncode(val)
URLEncode=Server.URLEncode(val)
end Function
I am using the method below to make sure that the query isNumeric and not longer than 4. It's a little snippet I found in another post... It works fine but I'm questioning whether it's enough.
URls like this, itemdetail.asp?-=#&ItemID=906, don't throw any errors because the "ItemID=906" is fine. Does the method used below really protect against SQL Injections in this case?
Code: ....
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
View Replies View RelatedI have feedback forms on several of my sites and recently, they have been plagued with email injection attacks.
The forms are pretty straight-forward. Half a dozen fields get submitted to a formhandler.asp page where the contents are sent to some hard-coded email addresses using ASPmail.
From what I understand about how this works, spambots are used to add carriage returns after some of the form fields and then adding BCCs in to use the form to send out spam to other addresses. Here's an example of the emails I'm getting: .....
Anyone got some good methods for preventing html-injection in ASP?
View Replies View RelatedI believe someone is using my contact form and sending out spam. I'm getting thousands of undeliverable emails.
I don't know anything about asp. Someone who use to work here wrote the form processing script and it seems that all the forms on different domains are being processed by this script. It seems like they didn't do any sort of validation or checks and on one website there are hundreds of pages with the contact form, i could do it in php but that is way too much work.....
I have just started a new job and I'm in charge of the databases at a college. We have a web page that the students can access to see their profile and course details. which is causing problems.
The students have to login into an e-learning site called moodle which is fine (moodle is all written in php). They can from there just browse moodle which has news and a message board etc. They can then also click a link to their profile, it is then directed to an asp page but it uses their login details from the php moodle site to retrieve their details from the database and display on the asp web page.
THE FOLLOWING IS A CODE EXTRACT....
I have a multi-page ASP web application that uses information sent to it from the client in the Request.Forms collection, the Request.QueryString collection and the Request.Cookie collection.
What I want to do is to sanitise ALL the information sent to EVERY page.
I thought I'd achieve this by having an INCLUDE file inserted at the top of EVERY page.
This include file iterates through EVERY form, querystring and cookie item and removes anything that looks like malicious SQL injections from the values. Having completed this task, the many web pages then access the sanitised Request object with impunity.
One minor drawback is that it doesn't seem to work...I can't update the Request object with the sanitised value. [Error message: VBScript runtime error: Object doesn't suppor this property or method]
Either it's something silly in my coding or it's the wrong approach....please advise accordingly (code below).....
To sanitise the input from a form before it gets sent as an email, is it simply a matter of
Replace(Request.Form("formName"), " ' ", " ' ' ")
or is there more to it than that?
I have been given a site to redo. In the process of looking at the code, the live site is open to SQL injection. I know what needs to be done but limited time right now to redo correctly. In the interm while I am rewriting the site, will adding a few lines of code as below prevent SQL injection until I have the time to rebuild the functions and move to stored procedures.
Basically client side I added a onKeypress javascript routine to look for ' or " and disallow in login fields ....