Scrub Single Quotes from All Querystring Values

Posted on 2007-12-06
1,192 Views
Last Modified: 2008-05-11
Our website is written in ASP Classic and requires a large number of form inputs and querystring values.  In order to protect against SQL injection attacks, I want to remove any single quotes when we read request.form and request.querystring.  Instead of performing a REPLACE function on every input and querystring individually, is there a way to group them all together to run the REPLACE function?

For example, say we have querystring fields named buyer, seller, product.  Instead of doing all three individually, like...

Replace(request.querystring("buyer"), "'", "")
Replace(request.querystring("seller"), "'", "")
Replace(request.querystring("product"), "'", "")

...is there a way to do all three at once?
Question by:jmbaratta
8 Comments
 
LVL 34

Expert Comment

by:Big Monty
ID: 20420923
I believe you can do something like:

scrubbedQSValues = Replace( Request.QueryString, " ' ", " ' ' " )

I added spaces for clarity.

B.D.
 
LVL 34

Expert Comment

by:Big Monty
ID: 20420943
The only problem here is you no longer can access each QS value by using Request.QueryString. You'd have to parse out each value a different way, which may not be worth the trouble.
 
LVL 34

Accepted Solution

by:
Big Monty earned 1000 total points
ID: 20420973
sorry for the multiple posts :)

just a thought, if you loop through each one and store each value in an array, that would work.

Dim arr()
Dim counter, val
counter = 0
' a dynamic array must be sized before it is indexed, otherwise "Subscript out of range"
ReDim arr(Request.QueryString.Count - 1)
For Each val In Request.QueryString
   ' double each apostrophe so it is treated as a literal inside a SQL string
   arr(counter) = Replace(Request.QueryString(val), "'", "''")
   counter = counter + 1
Next

You could also use a 2-D array and map the querystring variable name to its value. Depending on how many querystring values you have, it may or not be worth all of this.

B.D.
 
LVL 29

Assisted Solution

by:Göran Andersson
Göran Andersson earned 1000 total points
ID: 20422005
Replacing apostrophes in all input data doesn't protect you against SQL injections. If you use any numeric values, your site is still wide open.

Consider a query like:

strSQL = "select UserId, UserName from MyUsers where UserId = " & Request.QueryString("id")

You expect a query string like "?id=42". If someone instead sends you a query string like "?id=42;drop table MyUsers", your table is gone. There are no apostrophes in this SQL injection, so replacing apostrophes in all input data would not protect you the least bit.

You should treat each value according to how you use it in the SQL query, and you should be careful to distinguish between unverified data that comes from the browser, and properly verified data that you can safely use in an SQL query.

Also, you don't mention what database you are using. If you are using MySQL for example, just replacing apostrophes doesn't even protect the string values, you have to replace backslashes also.
 

Author Comment

by:jmbaratta
ID: 20422299
I am using MS SQL.  So should I try to protect against anything other than a single quote and semicolon?
 
LVL 29

Expert Comment

by:Göran Andersson
ID: 20422412
For MS SQL, you handle string values by replacing apostrophes with double apostrophes. Semicolons have no special meaning inside a string, so you shouldn't do anything to them.

For any numeric value, you should parse the value to a number in the ASP code, that way you are sure that there are no harmful characters in it:

' CLng raises a type mismatch error if the value is not numeric, so nothing but a number ever reaches the query
lngId = CLng(Request.QueryString("id"))
strSQL = "select UserId, UserName from MyUsers where UserId = " & lngId
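Putting the two answers above together (collect the querystring values once, then treat each one according to how it is used in the query), here is an added ASP Classic example; it is not code from the thread, and the SqlString/SqlInt helper names, the `id` and `name` parameters and the MyUsers query are assumed for illustration.

```vbscript
<%
' Added example, not from the thread: per-type handling of querystring values
' instead of a blanket Replace on everything.
Option Explicit

' Wraps a string value in quotes and doubles any apostrophe inside it.
' This is the MS SQL Server rule; MySQL would also need backslashes handled.
Function SqlString(value)
    SqlString = "'" & Replace(CStr(value), "'", "''") & "'"
End Function

' Returns a Long for a whole-number value, or Empty for anything else, so the
' caller can refuse "42;drop table MyUsers" instead of concatenating it.
Function SqlInt(value)
    Dim s
    SqlInt = Empty
    s = Trim(CStr(value))          ' CStr(Empty) = "", which IsNumeric rejects
    If IsNumeric(s) And InStr(s, ".") = 0 Then
        On Error Resume Next       ' CLng can still overflow on huge input
        SqlInt = CLng(s)
        If Err.Number <> 0 Then SqlInt = Empty
        On Error GoTo 0
    End If
End Function

' One pass over Request.QueryString, mapping each name to its value
' (the "map the variable name to its value" idea, using a Dictionary).
Dim qs, key
Set qs = CreateObject("Scripting.Dictionary")
For Each key In Request.QueryString
    qs(key) = Request.QueryString(key)
Next

Dim userId, strSQL
userId = SqlInt(qs("id"))
If IsEmpty(userId) Then
    ' Unverified data never reaches the query: reject the request outright.
    Response.Status = "400 Bad Request"
    Response.End
End If

' Numeric value parsed, string value escaped; each according to its use.
strSQL = "select UserId, UserName from MyUsers where UserId = " & userId & _
         " and UserName = " & SqlString(qs("name"))
%>
```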
 
LVL 7

Expert Comment

by:karunamoorthy
ID: 20426170
Hello jmbaratta,
Now it is a time to read and have a good understanding about SQL injection and other related web security threats papers like...

http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf

Good luck!
from
karunamoorthy
 
LVL 7

Expert Comment

by:karunamoorthy
ID: 20426192
Hello jmbaratta,
Other interesting places to visit for web security topics are

CERT/cc www.cert.org
US-CERT www.us-cert.gov
CERT-In www.cert-in.gov.in
NIST www.nist.gov
SANS www.sans.org
OWASP www.owasp.org
W3C www.w3.org/security/Faq/

From
Karunamoorthy