Solved

Scrub Single Quotes from All Querystring Values

Posted on 2007-12-06
1,172 Views
Last Modified: 2008-05-11
Our website is written in ASP Classic and requires a large number of form inputs and querystring values. To protect against SQL injection attacks, I want to remove any single quotes when we request.form and request.querystring. Instead of performing a REPLACE function on every input and querystring individually, is there a way to group them all together to run the REPLACE function?

For example, say we have querystring fields named buyer, seller, product. Instead of doing all three individually, like...

Replace(request.querystring("buyer"), "'", "")
Replace(request.querystring("seller"), "'", "")
Replace(request.querystring("product"), "'", "")

...is there a way to do all three at once?
Question by:jmbaratta
8 Comments
 
LVL 32

Expert Comment

by:Big Monty
I believe you can do something like:

scrubbedQSValues = Replace( Request.QueryString, " ' ", " ' ' " )

I added spaces for clarity.

B.D.
 
LVL 32

Expert Comment

by:Big Monty
The only problem here is you no longer can access each QS value by using Request.QueryString. You'd have to parse out each value a different way, which may not be worth the trouble.
 
LVL 32

Accepted Solution

by:Big Monty
Big Monty earned 250 total points
sorry for the multiple posts :)

just a thought, if you loop through each one and store each value in an array, that would work.

counter = 0
Dim arr()
For Each val In Request.QueryString
   ' Dim arr() declares an empty dynamic array, so grow it by one slot before assigning
   ReDim Preserve arr(counter)
   ' double each apostrophe so it is treated as a literal character inside a SQL string
   arr(counter) = Replace(Request.QueryString(val), "'", "''")
   counter = counter + 1
Next

You could also use a 2-D array and map the querystring variable name to its value. Depending on how many querystring values you have, it may or not be worth all of this.

B.D.
 
LVL 29

Assisted Solution

by:Göran Andersson
Göran Andersson earned 250 total points
Replacing apostrophes in all input data doesn't protect you against SQL injections. If you use any numeric values, your site is still wide open.

Consider a query like:

strSQL = "select UserId, UserName from MyUsers where UserId = " & Request.QueryString("id")

You expect a query string like "?id=42". If someone instead sends you a query string like "?id=42;drop table MyUsers", your table is gone. There are no apostrophes in this SQL injection, so replacing apostrophes in all input data would not protect you the least bit.

You should treat each value according to how you use it in the SQL query, and you should be careful to distinguish between unverified data that comes from the browser, and properly verified data that you can safely use in an SQL query.

Also, you don't mention what database you are using. If you are using MySQL for example, just replacing apostrophes doesn't even protect the string values, you have to replace backslashes also.
Author Comment

by:jmbaratta
I am using MS SQL.  So should I try to protect against anything other than a single quote and semicolon?
 
LVL 29

Expert Comment

by:Göran Andersson
For MS SQL, you handle string values by replacing apostrophes with double apostrophes. Semicolons have no special meaning inside a string, so you shouldn't do anything to them.

For any numeric value, you should parse the value to a number in the ASP code, that way you are sure that there are no harmful characters in it:

lngId = CLng(Request.QueryString("id"))
strSQL = "select UserId, UserName from MyUsers where UserId = " & lngId
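The per-type handling described in the two answers above, as an added example that is not code from the thread: it assumes Classic ASP / VBScript in front of MS SQL, and the helper names SqlStr and SqlInt are my own.

```vbscript
' Added example (not from the thread). Assumes Classic ASP / VBScript and MS SQL,
' the combination discussed above; the functions themselves need no Request object.

' String context (MS SQL rule): double every apostrophe, then wrap the value in quotes.
Function SqlStr(value)
    SqlStr = "'" & Replace(CStr(value), "'", "''") & "'"
End Function

' Numeric context: a quote-escape does nothing here because the value is never
' inside quotes, so insist that the input is an integer before using it at all.
Function SqlInt(value)
    Dim s, re
    s = Trim(CStr(value))
    Set re = New RegExp
    re.Pattern = "^-?\d+$"        ' optional sign followed only by digits
    If Not re.Test(s) Then
        Err.Raise vbObjectError + 1, "SqlInt", "not an integer: " & s
    End If
    SqlInt = CStr(CLng(s))        ' CLng also raises on values that overflow a Long
End Function

' Constructed inputs standing in for Request.QueryString("id") and ("buyer")
Dim strSQL, badId
strSQL = "select UserId, UserName from MyUsers where UserId = " & SqlInt("42")
strSQL = "select * from Orders where Buyer = " & SqlStr("O'Brien")

' The injection from the thread: the digit check refuses it, so no query is built.
badId = "42;drop table MyUsers"
On Error Resume Next
strSQL = "select UserId, UserName from MyUsers where UserId = " & SqlInt(badId)
If Err.Number <> 0 Then
    ' in ASP this is where the request is rejected (for example Response.Status = "400 Bad Request")
    Err.Clear
End If
On Error GoTo 0
```

Passing the values as ADODB.Command parameters instead of concatenating them would avoid building literals at all; the checks above are the minimum for the concatenation style the thread uses.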
 
LVL 7

Expert Comment

by:karunamoorthy
Hello jmbaratta,
Now it is time to read and get a good understanding of SQL injection and other related web security threats from papers like:

http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf

Good luck!
from
karunamoorthy
 
LVL 7

Expert Comment

by:karunamoorthy
Hello jmbaratta,
Other interesting places to visit for these web security topics are:

CERT/cc www.cert.org
US-CERT www.us-cert.gov
CERT-In www.cert-in.gov.in
NIST www.nist.gov
SANS www.sans.org
OWASP www.owasp.org
W3C www.w3.org/security/Faq/

From
Karunamoorthy