Solved

Scrub Single Quotes from All Querystring Values

Posted on 2007-12-06
8
1,176 Views
Last Modified: 2008-05-11
Our website is written in ASP Classic and requires a large number of form inputs and querystring values.  In order to prevent against SQL injection attack, I want to remove any single quotes when we request.form and request.querystring.  Instead of performing a REPLACE function on every input and querystring individually, is there a way to group them all together to run the REPLACE function?

For example, say we have a querystring fields named buyer, seller, product.  Instead of doing all three individually, like...Replace(request.querystring("buyer"), "'", "") Replace(request.querystring("seller"), "'", "") Replace(request.querystring("product"), "'", "")...is there a way to do all three at once?
0
Comment
Question by:jmbaratta
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 32

Expert Comment

by:Big Monty
ID: 20420923
I believe you can do something like:

scrubbedQSValues = Replace( Request.QueryString, " ' ", " ' ' " )

I added spaces for clarity.

B.D.
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 20420943
The only problem here is you no longer can access each QS value by using Request.QueryString. You'd have to parse out each value a different way, which may not be worth the trouble.
0
 
LVL 32

Accepted Solution

by:
Big Monty earned 250 total points
ID: 20420973
sorry for the multiple posts :)

just a thought, if you loop through each one and store each value in an array, that would work.

counter = 0
dim arr()
for each val in Request.QueryString
   arr(counter) = Replace( Request.QueryString( val ), " ' ", " ' ' " )
   counter = counter + 1
next

You could also use a 2-D array and map the querystring variable name to its value. Depending on how many querystring values you have, it may or not be worth all of this.

B.D.
0
 
LVL 29

Assisted Solution

by:Göran Andersson
Göran Andersson earned 250 total points
ID: 20422005
Replacing apostrophes in all input data doesn't protect you against SQL injections. If you use any numeric values, your site is still wide open.

Consider a query like:

strSQL = "select UserId, UserName from MyUsers where UserId = " & Request.QueryString("id")

You expect a query string like "?id=42". If someone instead sends you are query string like "?id=42;drop table MyUsers", your table is gone. There are no apostrophes in this SQL injection, so replacing apostrophes in all input data would not protect you the least bit.

You should treat each value according to how you use it in the SQL query, and you should be careful to distinguish between unverified data that comes from the browser, and properly verified data that you can safely use in an SQL query.

Also, you don't mention what database you are using. If you are using MySQL for example, just replacing apostrophes doesn't even protect the string values, you have to replace backslashes also.
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 

Author Comment

by:jmbaratta
ID: 20422299
I am using MS SQL.  So should I try to protect against anything other than a single quote and semicolon?
0
 
LVL 29

Expert Comment

by:Göran Andersson
ID: 20422412
For MS SQL; you handle string value by replacing apostrophes with double apostrophes. Semicolons have no special meaning inside a string, so you shouldn't do anything to them.

For any numeric value, you should parse the value to a number in the ASP code, that way you are sure that there are no harmful characters in it:

lngId = CLng(Request.QueryString("id"))
strSQL = "select UserId, UserName from MyUsers where UserId = " & lngId
0
 
LVL 7

Expert Comment

by:karunamoorthy
ID: 20426170
Hello jmbaratta,
Now it is a time to read and have a good understanding about sql injection and other related web secutiry threats papers like ............

http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf

Have a good luck!
from
karunamoorthy
0
 
LVL 7

Expert Comment

by:karunamoorthy
ID: 20426192
Hello jmbaratta,
Other interesting places to vist to for this web security topics are

CERT/cc www.cert.org
US-CERT www.us-cert.gov
CERT-In www.cert-in.gov.in
NIST www.nist.gov
SANS www.sans.org
OWASP www.owasp.org
W3C www.w3.org/security/Faq/

From
Karunamoorthy
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
The viewer will learn how to dynamically set the form action using jQuery.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now