August 29, 2008 11:08pm pdt

1. hielo 774,162
2. b0lsc0tt 258,373
3. angelIII 169,870
4. dosth 154,320
5. _Stilgar_ 136,234
6. neeraj523 124,117
7. samic400 93,087
8. cedlinx 91,050
9. R_Harrison 69,145
10. CyrexCor... 53,295
11. ryancys 53,163
12. the_crazed 52,314
13. GreenGho... 51,889
14. cyberweb... 49,951
15. asvforce 49,032
16. pratima_... 46,572
17. kevp75 45,382
18. sybe 44,840
19. gawai 42,493
20. Badotz 40,640
21. chapmandew 40,230
22. deathtospam 38,350
23. jitganguly 35,810
24. bluefezteam 34,645
25. RobSamp... 32,066

1. fritz_the... 3,968,430
2. alorentz 1,929,293
3. amit_g 1,328,388
4. ap_sajith 921,034
5. hongjun 914,936
6. WMIF 899,748
7. kevp75 854,309
8. hielo 803,972
9. jitganguly 777,190
10. b0lsc0tt 772,507
11. peh803 684,060
12. angelIII 672,705
13. acperkins 650,524
14. Silvers5 625,555
15. GaryC123 576,095
16. carl_tawn 570,730
17. sybe 565,215
18. SquareHead 513,787
19. ryancys 510,650
20. neeraj523 508,598
21. deighc 466,721
22. apresto 450,527
23. golfDoctor 432,743
24. gladxml 426,072
25. mgfranz 418,620

05.22.2008 at 02:53PM PDT, ID: 23426027

	[x] Attachment Details

Looping through form input to sanitize before applying a stored procedure

Asked by pcardwell in Active Server Pages (ASP), Miscellaneous Security, Microsoft Visual Basic.Net

Tags: ASP, VBSCRIPT

Please indicate how to correct checking of form input, by using a RegExp that is proposed by jurgenl in the SQL attack question of http://www.experts-exchange.com/Security/Vulnerabilities/Q_23408074.html#a21582240.

The code snippet shows a shortened version of Jurgenl's include ASP, along with an attempt to loop through the form data looking for matches. Below is the ASP including this. At present this is not working at all as we want.

What we want is coding that:-
a) Loops through all the Request.Form parameters, searching for unacceptable text
b) Shows one message (not several) if bad text found in one or more fields
c) Stops the SP proceeding, as we don't want to insert the bad data into the dbStart Free Trial

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:

           
           
             THE INCLUDE FILE formfilter.asp
<%
' this creates a global regexp object g_bl for testing strings against sql injection
dim g_bl
set g_bl = New RegExp
g_bl.Pattern = "banner82|xp_|;|--|/\*|<script|</script|ntext|etc"
g_bl.IgnoreCase = true
g_bl.Multiline = true
%>
<% 
Dim errormessage
errormessage = "Please enter other input by clicking browser back button"
%>
<%
For Each s in Request.Form
  If g_bl.Test(Request.Form(s)) Then
  Response.Write errormessage  
  End If
Next
%>
 
THE ASP PAGE CALLING PARAMETERS FROM A FORM AND THE STORED PROCEDURE
<!--#include file="formfilter.asp" -->
<%
Dim Command1__ClientName
Command1__ClientName = NULL
if(Request.Form("ClientName") <> "") then Command1__ClientName = Request.Form("ClientName")
 
Dim Command1__TitleAgency
Command1__TitleAgency = NULL
if(Request.Form("TitleAgency") <> "") then Command1__TitleAgency = Request.Form("TitleAgency")
 
Dim Command1__ItineraryLong
Command1__ItineraryLong = NULL
if(Request.Form("ItineraryLong") <> "") then Command1__ItineraryLong = Request.Form("ItineraryLong")
 
MORE PARAMETERS ETC
%>
 
<%
set Command1 = Server.CreateObject("ADODB.Command")
Command1.ActiveConnection = MM_xxx_STRING
Command1.CommandText = "dbo.usp_STORED PROCEDURE"
ETC
%>

           
         

Keywords: Looping through form input to sanitize …

	Title
1	Little RegExp help?
2	How to Not match
3	Smurf Amplification Attack
4	vulnerabilities
5	Tomcat Vulnerability Question
6	Adobe Reader Cross-Site Scripting V…

Loading Advertisement...

20080716-EE-VQP-32 / EE_QW_2_20070628

Looping through form input to sanitize before applying a stored procedure

Asked by pcardwell in Active Server Pages (ASP), Miscellaneous Security, Microsoft Visual Basic.Net

Tags: ASP, VBSCRIPT

About this solution