Solved

Scrub Single Quotes from All Querystring Values

Posted on 2007-12-06
1,189 Views
Last Modified: 2008-05-11
Our website is written in ASP Classic and requires a large number of form inputs and querystring values. In order to protect against SQL injection attacks, I want to remove any single quotes when we Request.Form and Request.QueryString. Instead of performing a REPLACE function on every input and querystring individually, is there a way to group them all together to run the REPLACE function?

For example, say we have querystring fields named buyer, seller, product. Instead of doing all three individually, like...

Replace(Request.QueryString("buyer"), "'", "")
Replace(Request.QueryString("seller"), "'", "")
Replace(Request.QueryString("product"), "'", "")

...is there a way to do all three at once?
Question by:jmbaratta
8 Comments
 
LVL 33

Expert Comment

by:Big Monty
ID: 20420923
I believe you can do something like:

scrubbedQSValues = Replace( Request.QueryString, " ' ", " ' ' " )

I added spaces for clarity.

B.D.
0
 
LVL 33

Expert Comment

by:Big Monty
ID: 20420943
The only problem here is you no longer can access each QS value by using Request.QueryString. You'd have to parse out each value a different way, which may not be worth the trouble.
0
 
LVL 33

Accepted Solution

by:Big Monty
Big Monty earned 1000 total points
ID: 20420973
sorry for the multiple posts :)

just a thought, if you loop through each one and store each value in an array, that would work.

Dim arr()
Dim counter, val
counter = 0
' size the dynamic array to the number of querystring keys before assigning into it
ReDim arr(Request.QueryString.Count)
For Each val In Request.QueryString
   ' val is the field name; double each apostrophe so it is a literal quote inside a SQL string
   arr(counter) = Replace(Request.QueryString(val), "'", "''")
   counter = counter + 1
Next

You could also use a 2-D array and map the querystring variable name to its value. Depending on how many querystring values you have, it may or not be worth all of this.

B.D.
0
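The "map the querystring variable name to its value" idea from the accepted solution, written out as an added example rather than code posted in the thread. It uses a Scripting.Dictionary instead of a 2-D array so values can be looked up by field name, and runs the same doubling of apostrophes over both Request.QueryString and Request.Form. The function name ScrubCollection and the dictionary names are assumptions. Note that, as the later comments in this thread explain, this only makes string values safe to place inside SQL quotes; numeric values still have to be validated separately.

```vbscript
<%
' Added example (not code from the thread): copy every field in a Request
' collection into a Dictionary keyed by field name, with apostrophes doubled.
Function ScrubCollection(coll)
    Dim d, key
    Set d = Server.CreateObject("Scripting.Dictionary")
    d.CompareMode = 1   ' vbTextCompare: lookups are case-insensitive, like Request
    For Each key In coll
        ' coll(key) returns repeated fields joined with ", " - the same value
        ' Request.QueryString(key) would give you, just with quotes escaped.
        d(key) = Replace(coll(key), "'", "''")
    Next
    Set ScrubCollection = d
End Function

Dim safeQS, safeForm
Set safeQS = ScrubCollection(Request.QueryString)
Set safeForm = ScrubCollection(Request.Form)

' The three fields from the question, each read once from the scrubbed copy.
Dim buyer, seller, product
If safeQS.Exists("buyer") Then buyer = safeQS("buyer")
If safeQS.Exists("seller") Then seller = safeQS("seller")
If safeQS.Exists("product") Then product = safeQS("product")
%>
```

Reading a key that was never sent returns Empty, which is why the usage checks Exists first; whatever you assemble from these values still belongs inside SQL string quotes, never in a numeric position.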
 
LVL 29

Assisted Solution

by:Göran Andersson
Göran Andersson earned 1000 total points
ID: 20422005
Replacing apostrophes in all input data doesn't protect you against SQL injections. If you use any numeric values, your site is still wide open.

Consider a query like:

strSQL = "select UserId, UserName from MyUsers where UserId = " & Request.QueryString("id")

You expect a query string like "?id=42". If someone instead sends you a query string like "?id=42;drop table MyUsers", your table is gone. There are no apostrophes in this SQL injection, so replacing apostrophes in all input data would not protect you in the least.

You should treat each value according to how you use it in the SQL query, and you should be careful to distinguish between unverified data that comes from the browser, and properly verified data that you can safely use in an SQL query.

Also, you don't mention what database you are using. If you are using MySQL for example, just replacing apostrophes doesn't even protect the string values, you have to replace backslashes also.
0
 

Author Comment

by:jmbaratta
ID: 20422299
I am using MS SQL.  So should I try to protect against anything other than a single quote and semicolon?
0
 
LVL 29

Expert Comment

by:Göran Andersson
ID: 20422412
For MS SQL, you handle string values by replacing apostrophes with double apostrophes. Semicolons have no special meaning inside a string, so you shouldn't do anything to them.

For any numeric value, you should parse the value to a number in the ASP code; that way you are sure that there are no harmful characters in it:

lngId = CLng(Request.QueryString("id"))
strSQL = "select UserId, UserName from MyUsers where UserId = " & lngId
0
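The two rules Göran gives above (validate numeric values in the ASP code, and treat string values according to how they are used in the query) carried through as an added example in ASP Classic; this is not code from the thread. It goes one step further than the thread's string escaping by passing both values to SQL Server as ADODB.Command parameters, so the driver sends them separately from the SQL text and no quote replacement is needed at all. The table and column names are the ones from Göran's query; the open connection object conn, the "name" field, and the ADO constant declarations (spelled out in case adovbs.inc is not included) are assumptions.

```vbscript
<%
' Added example (not from the thread). Assumes an already-open
' ADODB.Connection named conn pointing at the database with MyUsers.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

' 1. Numeric input: accept only 1-9 decimal digits, then convert. The
'    digit check comes first because CLng("42;drop table MyUsers") and
'    CLng of an overflowing number both raise runtime errors.
Dim rawId, lngId, re
rawId = Trim(Request.QueryString("id"))
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "invalid id"
    Response.End
End If
lngId = CLng(rawId)

' 2. String input: no escaping; it travels as a typed parameter value.
Dim rawName
rawName = Left(Request.QueryString("name"), 50)   ' cap at the column width

' 3. The query with placeholders instead of concatenated values.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT UserId, UserName FROM MyUsers " & _
                  "WHERE UserId = ? AND UserName LIKE ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , lngId)
cmd.Parameters.Append cmd.CreateParameter("@name", adVarChar, adParamInput, 51, rawName & "%")

Set rs = cmd.Execute
Do Until rs.EOF
    ' encode on the way out as well, so stored data cannot inject HTML
    Response.Write Server.HTMLEncode(rs("UserName")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

With parameters, a request like "?id=42;drop table MyUsers" never reaches the regular expression check's other side, and a name containing an apostrophe is matched literally rather than terminating the string, which is exactly the distinction between unverified browser data and data that is safe to use in a query.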
 
LVL 7

Expert Comment

by:karunamoorthy
ID: 20426170
Hello jmbaratta,
Now it is time to read and get a good understanding of SQL injection and other related web security threats from papers like ............

http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf

Good luck!
from
karunamoorthy
0
 
LVL 7

Expert Comment

by:karunamoorthy
ID: 20426192
Hello jmbaratta,
Other interesting places to visit for these web security topics are

CERT/cc www.cert.org
US-CERT www.us-cert.gov
CERT-In www.cert-in.gov.in
NIST www.nist.gov
SANS www.sans.org
OWASP www.owasp.org
W3C www.w3.org/security/Faq/

From
Karunamoorthy
0