November 18, 2008 11:42pm pst

1. hielo 940,507
2. b0lsc0tt 305,548
3. angelIII 191,240
4. dosth 182,340
5. _Stilgar_ 157,314
6. neeraj523 131,917
7. cedlinx 96,200
8. samic400 96,137
9. R_Harrison 88,570
10. CyrexCor... 69,720
11. ryancys 61,163
12. bluV11t 60,955
13. gawai 56,643
14. GreenGho... 55,949
15. the_crazed 55,314
16. CCongdon 54,650
17. cyberweb... 53,815
18. deathtospam 52,450
19. pratima_... 52,172
20. kevp75 51,006
21. asvforce 49,032
22. chapmandew 47,730
23. golfDoctor 46,997
24. DanielWilson 46,905
25. TimCottee 45,950

1. fritz_the... 3,970,430
2. alorentz 1,929,293
3. amit_g 1,328,388
4. hielo 970,317
5. ap_sajith 921,034
6. hongjun 914,936
7. WMIF 899,748
8. kevp75 859,933
9. b0lsc0tt 819,682
10. jitganguly 782,862
11. angelIII 694,075
12. peh803 684,060
13. acperkins 658,528
14. Silvers5 625,555
15. GaryC123 576,095
16. carl_tawn 572,230
17. sybe 565,215
18. ryancys 518,650
19. neeraj523 516,398
20. SquareHead 515,787
21. deighc 466,721
22. apresto 450,527
23. golfDoctor 449,643
24. gladxml 429,512
25. mgfranz 418,620

05.22.2008 at 02:53PM PDT, ID: 23426027

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

8.7

Looping through form input to sanitize before applying a stored procedure

Asked by pcardwell in Active Server Pages (ASP), Miscellaneous Security, Microsoft Visual Basic.Net

Tags: ASP, VBSCRIPT

Please indicate how to correct checking of form input, by using a RegExp that is proposed by jurgenl in the SQL attack question of http://www.experts-exchange.com/Security/Vulnerabilities/Q_23408074.html#a21582240.

The code snippet shows a shortened version of Jurgenl's include ASP, along with an attempt to loop through the form data looking for matches. Below is the ASP including this. At present this is not working at all as we want.

What we want is coding that:-
a) Loops through all the Request.Form parameters, searching for unacceptable text
b) Shows one message (not several) if bad text found in one or more fields
c) Stops the SP proceeding, as we don't want to insert the bad data into the dbStart Free Trial

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:

           
           
             THE INCLUDE FILE formfilter.asp
<%
' this creates a global regexp object g_bl for testing strings against sql injection
dim g_bl
set g_bl = New RegExp
g_bl.Pattern = "banner82|xp_|;|--|/\*|<script|</script|ntext|etc"
g_bl.IgnoreCase = true
g_bl.Multiline = true
%>
<% 
Dim errormessage
errormessage = "Please enter other input by clicking browser back button"
%>
<%
For Each s in Request.Form
  If g_bl.Test(Request.Form(s)) Then
  Response.Write errormessage  
  End If
Next
%>
 
THE ASP PAGE CALLING PARAMETERS FROM A FORM AND THE STORED PROCEDURE
<!--#include file="formfilter.asp" -->
<%
Dim Command1__ClientName
Command1__ClientName = NULL
if(Request.Form("ClientName") <> "") then Command1__ClientName = Request.Form("ClientName")
 
Dim Command1__TitleAgency
Command1__TitleAgency = NULL
if(Request.Form("TitleAgency") <> "") then Command1__TitleAgency = Request.Form("TitleAgency")
 
Dim Command1__ItineraryLong
Command1__ItineraryLong = NULL
if(Request.Form("ItineraryLong") <> "") then Command1__ItineraryLong = Request.Form("ItineraryLong")
 
MORE PARAMETERS ETC
%>
 
<%
set Command1 = Server.CreateObject("ADODB.Command")
Command1.ActiveConnection = MM_xxx_STRING
Command1.CommandText = "dbo.usp_STORED PROCEDURE"
ETC
%>

           
         

Keywords: Looping through form input to sanitize …

	Title
1	Little RegExp help?
2	How to Not match
3	Smurf Amplification Attack
4	vulnerabilities
5	Tomcat Vulnerability Question
6	Adobe Reader Cross-Site Scripting V…

Loading Advertisement...

20080716-EE-VQP-32 / EE_QW_2_20070628

Looping through form input to sanitize before applying a stored procedure

Asked by pcardwell in Active Server Pages (ASP), Miscellaneous Security, Microsoft Visual Basic.Net

Tags: ASP, VBSCRIPT

About this solution