Scrub Single Quotes from All Querystring Values

Our website is written in ASP Classic and requires a large number of form inputs and querystring values.  In order to prevent against SQL injection attack, I want to remove any single quotes when we request.form and request.querystring.  Instead of performing a REPLACE function on every input and querystring individually, is there a way to group them all together to run the REPLACE function?

For example, say we have a querystring fields named buyer, seller, product.  Instead of doing all three individually, like...Replace(request.querystring("buyer"), "'", "") Replace(request.querystring("seller"), "'", "") Replace(request.querystring("product"), "'", "")...is there a way to do all three at once?
jmbarattaAsked:
Who is Participating?
 
Big MontyConnect With a Mentor Senior Web Developer / CEO of ExchangeTree.org Commented:
sorry for the multiple posts :)

just a thought, if you loop through each one and store each value in an array, that would work.

counter = 0
dim arr()
for each val in Request.QueryString
   arr(counter) = Replace( Request.QueryString( val ), " ' ", " ' ' " )
   counter = counter + 1
next

You could also use a 2-D array and map the querystring variable name to its value. Depending on how many querystring values you have, it may or not be worth all of this.

B.D.
0
 
Big MontySenior Web Developer / CEO of ExchangeTree.org Commented:
I believe you can do something like:

scrubbedQSValues = Replace( Request.QueryString, " ' ", " ' ' " )

I added spaces for clarity.

B.D.
0
 
Big MontySenior Web Developer / CEO of ExchangeTree.org Commented:
The only problem here is you no longer can access each QS value by using Request.QueryString. You'd have to parse out each value a different way, which may not be worth the trouble.
0
Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

 
Göran AnderssonConnect With a Mentor Commented:
Replacing apostrophes in all input data doesn't protect you against SQL injections. If you use any numeric values, your site is still wide open.

Consider a query like:

strSQL = "select UserId, UserName from MyUsers where UserId = " & Request.QueryString("id")

You expect a query string like "?id=42". If someone instead sends you are query string like "?id=42;drop table MyUsers", your table is gone. There are no apostrophes in this SQL injection, so replacing apostrophes in all input data would not protect you the least bit.

You should treat each value according to how you use it in the SQL query, and you should be careful to distinguish between unverified data that comes from the browser, and properly verified data that you can safely use in an SQL query.

Also, you don't mention what database you are using. If you are using MySQL for example, just replacing apostrophes doesn't even protect the string values, you have to replace backslashes also.
0
 
jmbarattaAuthor Commented:
I am using MS SQL.  So should I try to protect against anything other than a single quote and semicolon?
0
 
Göran AnderssonCommented:
For MS SQL; you handle string value by replacing apostrophes with double apostrophes. Semicolons have no special meaning inside a string, so you shouldn't do anything to them.

For any numeric value, you should parse the value to a number in the ASP code, that way you are sure that there are no harmful characters in it:

lngId = CLng(Request.QueryString("id"))
strSQL = "select UserId, UserName from MyUsers where UserId = " & lngId
0
 
karunamoorthyCommented:
Hello jmbaratta,
Now it is a time to read and have a good understanding about sql injection and other related web secutiry threats papers like ............

http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf

Have a good luck!
from
karunamoorthy
0
 
karunamoorthyCommented:
Hello jmbaratta,
Other interesting places to vist to for this web security topics are

CERT/cc www.cert.org
US-CERT www.us-cert.gov
CERT-In www.cert-in.gov.in
NIST www.nist.gov
SANS www.sans.org
OWASP www.owasp.org
W3C www.w3.org/security/Faq/

From
Karunamoorthy
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.