One of my server has been compromised from this virus, and I can't seem to
block it out! I have shut down the infected server, but I need to figure
out how to check for this, and stop it.
The site is running iis5 on Windows2000, the backend DB is SQLServer 2000
Can anyone point me to some good resources for this? Code:
I recently built a login page and a friend of mine was working on something similar and said that I need to protect the login from SQL injection. I am not really sure what exactly that is. I think I have a rough idea but can someone explain it to me? In addition, I will need to obviously protect what I built and am not sure how to go about doing that either.
if anybody has a list of dodgy characters that can be used for sql injection attacks so that i can figure out a way to strip them from user inputs? Also if somebody was filling in a form, that inserts into a "memo" field in access could this be used to launch such an attack or would whatever they type simply be inserted into the field? i hope that bit is clear. i have a form field "message" which is a multi line text box, if someone typed into that box
DELETE * FROM Messages WHERE MessageID =1205
or some other command would that simply be inserted in to the database or would the server try and execute the command??
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
Is there any tool for debugging ASP scripts? I wanted to do some tracing and check whether the execution of my statements and queries are in the correct order or not.
Is it possible to "intercept" all calls to conn.execute and have them go to a checking routine that will either let the command go through or terminate it if it contains some illegal instructions? My clients company has had its hacker free status revoked due to the possibility of sql injection. I could put a function before every single conn.execute but we have hundreds of them. Just wondering if there is some way of telling it to do something else first. Maybe I can redefine conn.execute somehow?
I have written several site functions to hopefully prevent against cross-site hacking, sql injection, and url encoding. I also have a symetric key encryption that is pretty basic (which isn't posted here and is total overkill). I was wondering if these functions are protecting well enough, or am I missing some tests?
Function InjFix(val) InjFix=SEncode(Trim(Replace(val,"'","''"))) end Function
Function SEncode(val) SEncode=Server.HtmlEncode(val) end Function
Function URLEncode(val) URLEncode=Server.URLEncode(val) end Function
I am using the method below to make sure that the query isNumeric and not longer than 4. It's a little snippet I found in another post... It works fine but I'm questioning whether it's enough.
URls like this, itemdetail.asp?-=#&ItemID=906, don't throw any errors because the "ItemID=906" is fine. Does the method used below really protect against SQL Injections in this case?
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
I have feedback forms on several of my sites and recently, they have been plagued with email injection attacks.
The forms are pretty straight-forward. Half a dozen fields get submitted to a formhandler.asp page where the contents are sent to some hard-coded email addresses using ASPmail.
From what I understand about how this works, spambots are used to add carriage returns after some of the form fields and then adding BCCs in to use the form to send out spam to other addresses. Here's an example of the emails I'm getting: .....
I have allways validated user input to pieces prior to integrating it into a SQL statement, in order to avoid SQL Injection attacs. A colleague of mine told me that binding my vars would make them SQL scalar, but I have been left in the dark as to HOW... The web left me none the wiser, as well, so here goes: Anyone got a brief example of binding vars in ASP to get me started?
I believe someone is using my contact form and sending out spam. I'm getting thousands of undeliverable emails.
I don't know anything about asp. Someone who use to work here wrote the form processing script and it seems that all the forms on different domains are being processed by this script. It seems like they didn't do any sort of validation or checks and on one website there are hundreds of pages with the contact form, i could do it in php but that is way too much work.....
I have just started a new job and I'm in charge of the databases at a college. We have a web page that the students can access to see their profile and course details. which is causing problems.
The students have to login into an e-learning site called moodle which is fine (moodle is all written in php). They can from there just browse moodle which has news and a message board etc. They can then also click a link to their profile, it is then directed to an asp page but it uses their login details from the php moodle site to retrieve their details from the database and display on the asp web page.
I have a multi-page ASP web application that uses information sent to it from the client in the Request.Forms collection, the Request.QueryString collection and the Request.Cookie collection.
What I want to do is to sanitise ALL the information sent to EVERY page.
I thought I'd achieve this by having an INCLUDE file inserted at the top of EVERY page.
This include file iterates through EVERY form, querystring and cookie item and removes anything that looks like malicious SQL injections from the values. Having completed this task, the many web pages then access the sanitised Request object with impunity.
One minor drawback is that it doesn't seem to work...I can't update the Request object with the sanitised value. [Error message: VBScript runtime error: Object doesn't suppor this property or method]
Either it's something silly in my coding or it's the wrong approach....please advise accordingly (code below).....
i have a little commandlinetool, that returns a value (number) via stdio -how can i display this value on an asp-page?currently i use this "workaround": run the tool every 5mins (using thescheduler) and redirecting the output to a txt-file (tool.exe > temp.txt) and then i use the filesystem-object to read the value and display it on the webpage...
....but this is:
a) not realtime b) certainly not the best solution so what's the propper way to do that?
I've been looking for an upload tool for a long time now. I have little ASP programming experience, so I'd like to edit it as little as possible. Most tools I found had way too many options or not nearly enough. Here is exactly what I need:multiple file upload capability drop-down menu to choose which directory to put the files in no database support needed.
I have a website that is on a windows hosting. It's straight HTML site. I need a way to have a search on the site that can search HTML text. How can I do this in ASP? How do I index my site? Is indexing necessary?
What do you think the best design is for a search tool? Query Strings are commonly used. They are bookmarkable, yet unattractive.Form Submission to self keeps a clean address bar, but search results are not bookmarkable. My teammember likes the idea of using the FileSystemObject to generate a file EVERY TIME someone submits a search.
The file would contain a specific database query. It's bookmarkable and clean looking, but it generates a crapload of files.So far we have avoided the use of query strings in the web site. I think they would be acceptable for the search tool though. My teammember is steadfast about avoiding query strings however, and wants to use the last option. If there are any programmeres out there experienced with mid-size asp applications involving a similar search tool.
I am trying access a virtual directory I set-up through IIS and my web pages are built on asp. I also ran the IIS Lockdown tool on the server, and I have never been able to view the website. I know this is vague, but I am wondering if there are certain features turned on within the IIS lockdown that prevents you from viewing asp?
I am building a ASP financial reporting application. Here the user inputs quarterly financial information. The data obtained is being used for uploading a separate in-house application. The end-user should be in a postion to run reports on their own based on the quarterly information they furnish via the web applciation.
My question here is what is the best way to devleop reports in the asp applications so that users can view their own report online? Somebody suggested pure html reports. However, I believe there should be better ones which would be web based.
I am looking to build a desktop based notification tool which can be placed at tray bar. Well I have an asp script which checks my emails now I want to build a notification tool so that whenever I receive any new email the notification tool pop up a message at tray bar and show me that New email received.
I am thinking of mapping out a website. The website is very large and the reason I am doing this is to find out which files are redundant and how I can go about tidying up and simplifying the code.
Can anyone recommend any good mapping tools? I am working for a company which gets all the Microsoft development tools. If anyone can recommend a Microsoft tool that would be better as I would already have access to it.