Checking POST Vars For SQL INJECTION
I am working on an ecommerce app and want to be able to take my entire POST results as one item (or iterate through them) and check for any malicious SQL INJECTION items. After checking/escaping them I want to save them back into the post results. The reason for this is because I have coded the entire app and just learned about the dangers of SQL Injection and rather than going through every post var and fixing it I would rather run a function at the beginning of each page.
How do you check for an empty value from a form?
lservice = request.form("pservice")
if not isnull(lservice) then <== this doesn't work.
tried "" empty string and it still didn't work.
......
I'm having problems with the fact the user didn't enter anything. The field is optional.
It's that time again. Time to learn a new language, and I picked ASP. I've got this:
<asp:HyperLinkField DataTextField="BeenPaid" DataNavigateUrlFields="BeenPaid,BillName" HeaderText="BeenPaid" DataNavigateUrlFormatString="Default2.aspx?BeenPaid={0}&BillName={1}" ItemStyle-HorizontalAlign="Center" />
It works fine, it makes links of the stuff that is pulled out of the database. An example url it made is:
Default2.aspx?BeenPaid=False&BillName=Verizon
How do I get those vars out of the url in the Default2.aspx page? In PHP it was $_GET["BeenPaid"]
I have an application that uses SQL extensively. However some of what it uses SQL for (the results) are fairly static and change in the database very rarely. Would it be more efficient to store this information in application variables rather than doing SQL queries each time? It's a pretty heavily utilized application. Would application variables be able to handle the traffic?
Is it possible to terminate all session variables created without closing the browser?
I do not want users to click on the BACK button on the browser or paste the url link in the http:// and see the record displayed after logout. This works fine if users close the Browser.
I'm sure we've all heard the warnings about using cookies instead of session variables to store all of that user data so that our servers don't get bogged down. I'm just wondering how serious is this. I mean, is it just a suggestion or do these variables really take up a large amount of memory per visitor?
"Why would it matter? Just use cookies!" might be your response. Well, say I'm creating a user backend to edit a news section for a company. Now, I realize that the company newsletter is not mission critical information, but my novice-programming gut will not let me sit at ease if I store usernames and passwords in cookie data. What's to prevent someone else from looking at that local machine and faking my cookies, or even directly logging in with the information contained therein?
For a recent backend along these lines, I stored a custom class in a session variable (all of you hardcore ASP guys can take a deep breath and stop twitching). The class basically contained a copy of that user's database record (a user id, the username, the password, the e-mail address, and a few different permission variables).
I did this for two reasons:
1) I filtered all of my content through default.asp (meaning that each url looked something like default.asp?p=events where p was the real page request). Doing this allowed me to simply check the user's credentials in the default.asp script and then server.transfer them to the real page contained in the p querystring variable. I used the session-stored class after the first login (so I didn't have to hit the DB with each page request but could still make sure they had access to the site).
2) I knew beforehand that this system was only going to be used by 10-15 people max, and only 1 or 2 would be logged on at a time, let alone most of the idle time when no one was logged in (basically, it was a very low-load system so I didn't mind being unconventional). Code:
I'm involved in quite a large project which has a slightly unusual form of login (at least I think it's unusual!). I'm creating a site in ASP (actually Chilisoft ASP) where access to all pages has to be secured via login. The odd bit is that while the login page will be on this site, the login process itself will be carried out on a completely separate domain - this is the client's requirement so I have no choice.
On login, the user will be assigned a 24 hour cookie by this 2nd domain and then be passed back to the site I'm involved with. My site then needs to assign a similar cookie (I'm assuming that I won't be able to read the other domain's cookie) and allow access to the site for 24 hours.
I'm wondering if it's most efficient to assign a session variable to indicate the user is logged in once my cookie has been generated (rather than have every page check for a cookie again) and on subsequent sessions during the 24 hour period to first check for the session var, then the cookie and then, if the cookie exists, to assign the session variable again.
Is there a quick way to reset all the used session variables on a server in one hit rather than using Code:
session("xx")=""
for each one.
I'm trying to get a page included into another page, and so far I've been using Server.execute("home.asp") without any problems ['home.asp' is just an example], but now I'm trying to get this to work:
server.execute("home.asp?foo=bar")
but to no avail. Code:
I've got a software package that generates nice roll-over menus. The code generated is javascript. I want to edit the javascript to prevent specific menu buttons from appearing based on security/permissions settings. These permissions are contained in ASP session variables. So, in the js I want to check for an ASP session("perms")... If I place <% if ... %> in the js file--it errors.
I have a prob passing some vars from an .swf to an .mdb using an .asp file. When I use the getURL command instead of loadVariablesnum, I am getting this error:
"Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC Microsoft Access Driver] Number of query values and destination fields are not the same.
/processForm.asp, line 112"
I have counted the query values and destination fields a hundred times, but they are both exactly 100.
How do I get the xmlsource? In PHP it's just this line of code: include($_GET['xmlsource']);
I was wondering if there was a way to pass the entire collection of ASP Session variables into a COM function.
Inside COM, I need to have something like
Public Function ProcessVars(ByRef Session as <SomeSessionVarType>)
End Function
Which reference do I need to include in my VB6 project?
I guess this is a continuation of my earlier problem which I thought I had solved.
I have several inputs being passed from one page where they are entered, to a preview page so the user can check their info, then it will be passed to a page to submit the info to a database.
I have an input that is the item description var named 'prodesc'. It passes from the input page to the preview page just fine. Then I use the same method to pass it to the next page to save it to a database, but when it gets to the submit page the var 'prodesc' only has the first word of the description that was shown on the previous page. Anyone know why it's acting like it's been trimmed? Code:
Developed a basic ASP web site with MS Access 2k3 as a database back end. I've developed it on two different Win2k3 servers, and the app works flawlessly on both.
However, we just moved it to a client's Win2k3 Server, and it's not holding any session variables. It IS, however, holding Application variables, but not session variables.
I checked all the usual things (MS KB, ASPFAQ, etc), but none of them provided any solution. The only difference I can find between the three servers is that one has the Enhanced IE Security whosiwhatsis loaded, whereas mine don't.
For debugging purposes, I am wondering if it is possible to have an ASP script that:
-creates a table with two columns
-writes a var name in the first column
-writes its value in the second column
Is this possible? Right now, I have manually created this table for myself, but every time a new var is defined, I have to update my 'debug' table. Can this be automated?
A customer already has a website with ASP pages to request a call from a salesman... and it emails HQ with about 20 form values and also emails the customer.
What we'd like to do in a simple way is store those 20 fields somewhere they can be downloaded as well, instead of messing with the emails. But I don't want to mess with any rdbms (because we don't have access to the server--- long story) so I'm wondering if some simple commands can just write the data to a physical file somewhere in webroot so it can be downloaded at a later time.
Is there a way to 'force' a submit on a form without actually allowing the user to press a button? For example...
step1: A form is filled out by a user, then they click the submit button.
step2: The form is 'post'ed to an ASP page which writes the values to a database. So far no problems. But..
step3: Now I want to 'post' these values again to another page without any user interaction.
My ideas were:
1) I know you can get the form values from Request.Form("myVar"), so I thought of making a 'dummy' form and setting the 'values' of the form variables to these Request.Form("myVar") variables, but I don't know how to 'submit' them to another page again.
2) Is there some type of 'submit' command in ASP?
I recently built a login page and a friend of mine was working on something similar and said that I need to protect the login from SQL injection. I am not really sure what exactly that is. I think I have a rough idea but can someone explain it to me?
In addition, I will need to obviously protect what I built and am not sure how to go about doing that either.
If anybody has a list of dodgy characters that can be used for sql injection attacks so that I can figure out a way to strip them from user inputs?
Also if somebody was filling in a form that inserts into a "memo" field in access, could this be used to launch such an attack or would whatever they type simply be inserted into the field? I hope that bit is clear.
I have a form field "message" which is a multi line text box, if someone typed into that box
DELETE * FROM Messages WHERE MessageID =1205
or some other command would that simply be inserted into the database or would the server try and execute the command?
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
How do I test for SQL injection?
Do I do a SELECT statement in my username login?
I just wanted to share it with you guys and ask your opinions. Code:
Is it possible to "intercept" all calls to conn.execute and have them go to a checking routine that will either let the command go through or terminate it if it contains some illegal instructions? My client's company has had its hacker free status revoked due to the possibility of sql injection. I could put a function before every single conn.execute but we have hundreds of them. Just wondering if there is some way of telling it to do something else first. Maybe I can redefine conn.execute somehow?
I have written several site functions to hopefully prevent against cross-site hacking, sql injection, and url encoding. I also have a symmetric key encryption that is pretty basic (which isn't posted here and is total overkill). I was wondering if these functions are protecting well enough, or am I missing some tests?
Function InjFix(val)
    ' Double any single quote, trim, then HTML-encode the result
    InjFix = SEncode(Trim(Replace(val, "'", "''")))
End Function
Function SEncode(val)
    ' HTML-encode for output into a page
    SEncode = Server.HtmlEncode(val)
End Function
Function URLEncode(val)
    ' Percent-encode for use in a query string
    URLEncode = Server.URLEncode(val)
End Function
I am using the method below to make sure that the query isNumeric and not longer than 4. It's a little snippet I found in another post... It works fine but I'm questioning whether it's enough.
URLs like this, itemdetail.asp?-=#&ItemID=906, don't throw any errors because the "ItemID=906" is fine. Does the method used below really protect against SQL Injections in this case?
Code: ....
I have feedback forms on several of my sites and recently, they have been plagued with email injection attacks.
The forms are pretty straightforward. Half a dozen fields get submitted to a formhandler.asp page where the contents are sent to some hard-coded email addresses using ASPmail.
From what I understand about how this works, spambots are used to add carriage returns after some of the form fields and then adding BCCs in to use the form to send out spam to other addresses. Here's an example of the emails I'm getting: .....
Anyone got some good methods for preventing html-injection in ASP?
I have always validated user input to pieces prior to integrating it into a SQL statement, in order to avoid SQL Injection attacks. A colleague of mine told me that binding my vars would make them SQL scalar, but I have been left in the dark as to HOW... The web left me none the wiser, as well, so here goes: Anyone got a brief example of binding vars in ASP to get me started?
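The bound-variable query the post above asks about, written as an added classic ASP/VBScript example that is not from any of the posts on this page; it also answers the earlier InjFix post, since a bound parameter is passed to the database as a value and never spliced into the SQL text, so quote-doubling is not needed for the query (HTML-encoding is still needed on output). The connection string, the Users table and its column names are assumptions for illustration.

```vbscript
<%
Option Explicit
' Added example: parameterised SELECT with ADODB.Command.
' Connection string, table and column names are assumed, not from the posts.
Dim conn, cmd, rs, userName

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=Shop;Integrated Security=SSPI"

' Untrusted form input, used as-is: no Replace of quotes is required here
userName = Request.Form("username")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                ' adCmdText: plain SQL text with ? placeholders
cmd.CommandText = "SELECT UserID, Email FROM Users WHERE UserName = ?"

' CreateParameter(name, type, direction, size, value)
' 200 = adVarChar, 1 = adParamInput; size caps the bound value at 50 chars
cmd.Parameters.Append cmd.CreateParameter("@username", 200, 1, 50, userName)

Set rs = cmd.Execute             ' the driver sends the value separately from the SQL

If rs.EOF Then
    Response.Write "No such user."
Else
    ' Encode on output so stored data cannot inject HTML into this page
    Response.Write "Email: " & Server.HTMLEncode(rs("Email"))
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

A numeric parameter such as the ItemID query string from the earlier post is bound the same way with type 3 (adInteger) after checking IsNumeric on the input.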
I believe someone is using my contact form and sending out spam. I'm getting thousands of undeliverable emails.
I don't know anything about asp. Someone who used to work here wrote the form processing script and it seems that all the forms on different domains are being processed by this script. It seems like they didn't do any sort of validation or checks and on one website there are hundreds of pages with the contact form, I could do it in php but that is way too much work.....
I have just started a new job and I'm in charge of the databases at a college. We have a web page that the students can access to see their profile and course details, which is causing problems.
The students have to log into an e-learning site called moodle which is fine (moodle is all written in php). They can from there just browse moodle which has news and a message board etc. They can then also click a link to their profile, it is then directed to an asp page but it uses their login details from the php moodle site to retrieve their details from the database and display them on the asp web page.
THE FOLLOWING IS A CODE EXTRACT....
I have a multi-page ASP web application that uses information sent to it from the client in the Request.Forms collection, the Request.QueryString collection and the Request.Cookie collection.
What I want to do is to sanitise ALL the information sent to EVERY page.
I thought I'd achieve this by having an INCLUDE file inserted at the top of EVERY page.
This include file iterates through EVERY form, querystring and cookie item and removes anything that looks like malicious SQL injections from the values. Having completed this task, the many web pages then access the sanitised Request object with impunity.
One minor drawback is that it doesn't seem to work...I can't update the Request object with the sanitised value. [Error message: VBScript runtime error: Object doesn't suppor this property or method]
Either it's something silly in my coding or it's the wrong approach....please advise accordingly (code below).....