troubleshooting Question

Looping through form input to sanitize before applying a stored procedure

Avatar of pcardwell
pcardwell asked on
ASPSecurityVisual Basic.NET
12 Comments1 Solution2264 ViewsLast Modified:
Please indicate how to correct checking of form input, by using a RegExp that is proposed by jurgenl in the SQL attack question of https://www.experts-exchange.com/Security/Vulnerabilities/Q_23408074.html#a21582240.

The code snippet shows a shortened version of Jurgenl's include ASP, along with an attempt to loop through the form data looking for matches. Below is the ASP including this. At present this is not working at all as we want.

What we want is coding that:-
a) Loops through all the Request.Form parameters, searching for unacceptable text
b) Shows one message (not several) if bad text found in one or more fields
c) Stops the SP proceeding, as we don't want to insert the bad data into the db
THE INCLUDE FILE formfilter.asp
<%
' this creates a global regexp object g_bl for testing strings against sql injection
dim g_bl
set g_bl = New RegExp
g_bl.Pattern = "banner82|xp_|;|--|/\*|<script|</script|ntext|etc"
g_bl.IgnoreCase = true
g_bl.Multiline = true
%>
<% 
Dim errormessage
errormessage = "Please enter other input by clicking browser back button"
%>
<%
For Each s in Request.Form
  If g_bl.Test(Request.Form(s)) Then
  Response.Write errormessage  
  End If
Next
%>
 
THE ASP PAGE CALLING PARAMETERS FROM A FORM AND THE STORED PROCEDURE
<!--#include file="formfilter.asp" -->
<%
Dim Command1__ClientName
Command1__ClientName = NULL
if(Request.Form("ClientName") <> "") then Command1__ClientName = Request.Form("ClientName")
 
Dim Command1__TitleAgency
Command1__TitleAgency = NULL
if(Request.Form("TitleAgency") <> "") then Command1__TitleAgency = Request.Form("TitleAgency")
 
Dim Command1__ItineraryLong
Command1__ItineraryLong = NULL
if(Request.Form("ItineraryLong") <> "") then Command1__ItineraryLong = Request.Form("ItineraryLong")
 
MORE PARAMETERS ETC
%>
 
<%
set Command1 = Server.CreateObject("ADODB.Command")
Command1.ActiveConnection = MM_xxx_STRING
Command1.CommandText = "dbo.usp_STORED PROCEDURE"
ETC
%>
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 12 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 12 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros