Protecting Form Input Fields in Classic Asp

Posted on 2009-02-24
Medium Priority
Last Modified: 2012-05-06
I'm trying to be smart about protecting my user form. I've created an INSERT stored procedure along with field validations (max/min length, numeric, etc.) and so on. What I don't understand how to do is protect my "Comment (textarea)" field from having malicious code inserted into it. I keep reading that the best protection is through server-side, not client-side.

I'm just not sure if this is what I need and/or how to implement it. I found the following at http://forums.aspfree.com/asp-development-5/site-security-227390.html

I might need it explained in layman's terms.
Function ProtectSQLInjection(TxtData)
    TxtData = Replace(TxtData, "%", "")
    TxtData = Replace(TxtData, "'", "")     ' removes every single quote ...
    TxtData = Replace(TxtData, "*", "")
    TxtData = Replace(TxtData, "--", "")    ' redundant: the single "-" line below strips these as well
    TxtData = Replace(TxtData, "'", "''")   ' ... so this quote doubling never finds anything to replace
    TxtData = Replace(TxtData, """", "")
    TxtData = Replace(TxtData, ")", "")
    TxtData = Replace(TxtData, "(", "")
    TxtData = Replace(TxtData, ";", "")
    TxtData = Replace(TxtData, "-", "")
    TxtData = Replace(TxtData, "|", "")
    ProtectSQLInjection = TxtData
End Function


Question by: swaggerking

Expert Comment

ID: 23726088
If you have created a stored procedure, the best way to protect against malicious posts is to call the stored procedure with ADODB.Command and pass the parameters.

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")   ' VBScript has no "As New": create the object
cmd.ActiveConnection = YourConnection            ' an open ADODB.Connection or a connection string
cmd.CommandType = 4                              ' adCmdStoredProc
cmd.CommandText = "sp_INSERT"                    ' your stored procedure
' 200 = adVarChar, 1 = adParamInput, 500 = size; the form value travels as data, never as SQL text
cmd.Parameters.Append cmd.CreateParameter("@PARAM1", 200, 1, 500, Request.Form("txtParam1"))
cmd.Execute

In this way all the input parameters are treated as text and nothing more, so if I write ";DROP DATABASE MASTER" in your text area, for example, the result will be that the text ";DROP DATABASE MASTER" is inserted into the table.

It's the simplest way to be protected from intrusions.
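As an added example that is not code from any participant in this thread, here is the complete classic ASP insert path built the way the comment above describes: the ADO constants spelled out instead of bare numbers, a server-side length check that matches the parameter size, the command executed, and the return value read back. The procedure name dbo.sp_addprofile, the @Comments parameter and the connection-string variable MM_MyCONN_STRING are taken from the asker's own snippet further down; success.asp and the 500-character limit are assumed placeholders.

```vbscript
<%
' Added example (not from the original thread): parameterised insert of a textarea
' comment in classic ASP. Procedure name, parameter name, connection-string variable
' and the redirect target are assumptions, as noted in the lead-in.

' ADO constants, spelled out because adovbs.inc is not included here
Const adCmdStoredProc    = 4
Const adVarChar          = 200
Const adInteger          = 3
Const adParamInput       = 1
Const adParamReturnValue = 4
Const adExecuteNoRecords = 128

Const COMMENT_MAX_LEN = 500   ' must match the size of @Comments in the stored procedure

' Runs the stored procedure with the comment bound as a parameter value.
' Because the text is never concatenated into SQL, ";DROP DATABASE MASTER"
' is stored as exactly those characters. Returns the procedure's return value.
Function SaveComment(connString, comment)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connString

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.sp_addprofile"

    cmd.Parameters.Append cmd.CreateParameter("@RETURN_VALUE", adInteger, adParamReturnValue)
    cmd.Parameters.Append cmd.CreateParameter("@Comments", adVarChar, adParamInput, COMMENT_MAX_LEN, comment)

    cmd.Execute , , adExecuteNoRecords
    SaveComment = cmd.Parameters("@RETURN_VALUE").Value

    conn.Close
    Set cmd = Nothing
    Set conn = Nothing
End Function

' Server-side validation: reject input the column cannot hold instead of
' silently truncating it. errMsg is passed by reference (VBScript's default).
Function ValidateComment(raw, errMsg)
    ValidateComment = False
    If Len(Trim(raw & "")) = 0 Then
        errMsg = "Comment is required."
    ElseIf Len(raw) > COMMENT_MAX_LEN Then
        errMsg = "Comment may not exceed " & COMMENT_MAX_LEN & " characters."
    Else
        ValidateComment = True
    End If
End Function

Dim comment, errMsg, rc
comment = Request.Form("Comments")
If ValidateComment(comment, errMsg) Then
    rc = SaveComment(MM_MyCONN_STRING, comment)   ' meaning of rc depends on the procedure
    Response.Redirect "success.asp"
Else
    ' error text is also encoded on the way out, even though it is not user input today
    Response.Write "<p>" & Server.HTMLEncode(errMsg) & "</p>"
End If
%>
```

Nothing in this path strips characters from the comment: the stored procedure receives the text unchanged, and the only validation is about size and presence, which is what the asker's field validations already do for the other columns.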

Author Comment

ID: 23726705
Thanks for the quick response. The snippet below is what I've currently been using during my development stage. I've been using the ADODB.Command as you have suggested. I guess since I'm a newbie to the back-end of site development my terminology is still limited.

Will these steps also protect me from embedded JS files?
I guess I'm also asking whether there is a way to prevent user input from containing certain symbols: <[/!]*?[^<>]*?>

Dim CMDaddprofile__Comments
CMDaddprofile__Comments = ""
If (Request("Comments") <> "") Then CMDaddprofile__Comments = Request("Comments")

Set CMDaddprofile = Server.CreateObject("ADODB.Command")
CMDaddprofile.ActiveConnection = MM_MyCONN_STRING
CMDaddprofile.CommandText = "dbo.sp_addprofile"
CMDaddprofile.CommandType = 4       ' adCmdStoredProc
CMDaddprofile.CommandTimeout = 0
CMDaddprofile.Prepared = true
' 3 = adInteger, 4 = adParamReturnValue
CMDaddprofile.Parameters.Append CMDaddprofile.CreateParameter("@RETURN_VALUE", 3, 4)
' 200 = adVarChar, 1 = adParamInput, 500 = size; the comment is bound as a value, not spliced into SQL
CMDaddprofile.Parameters.Append CMDaddprofile.CreateParameter("@Comments", 200, 1, 500, CMDaddprofile__Comments)
CMDaddprofile.Execute               ' run the procedure

Dim CMDaddRedirectUrl
CMDaddRedirectUrl = "http://mysite/success.asp"
If (CMDaddRedirectUrl <> "") Then
    Response.Redirect CMDaddRedirectUrl   ' redirect after a successful insert
End If


Expert Comment

ID: 23726939
The Command Object and the parameters will protect you from SQL intrusion.
The user can input whatever he likes; this, for example, is valid:
<script language="VBScript">
 Dim fs
Set fs=CreateObject("Scripting.FileSystemObject")
fs.DeleteFolder c:\temp,true
It will not create any problem on the SQL side, but the script will be executed when it is displayed in your ASP page.
If you don't want these chars (<[/!]*?[^<>]*?>) to exist, then you can do a replace on them by calling the Server.HTMLEncode method, if I remember correctly (it may be Server.HTMLDecode, I don't remember right now). That will translate the "<" to ">", so the result will be that the page will display the script written above. Only display it, not execute it.
Otherwise you can call your posted function to replace the unwanted chars.

Expert Comment

ID: 23726959
* That will translate the "<" to "& lt;" (without the space)

Author Comment

ID: 23727623
Gotcha on the Command Object. Your explanation made complete sense to me.

For HTMLEncode it might look something like TestOne, which seems to be displaying ALL characters as text.
Not sure why I cannot get the replace to work for TestTwo.

<%
Dim TestOne
TestOne = Server.HTMLEncode(MyRecordSet("Comments"))
Response.Write TestOne
%>
<%
Dim TestTwo
TestTwo = Server.HTMLEncode(MyRecordSet("Comments"))
TestTwo = Replace(TestTwo, &lt;, "<")
Response.Write TestTwo
%>


Expert Comment

ID: 23727671
There is no need to do a replace of "& lt;" to "<": "& lt;" will be displayed as < (I have written exactly the same without the space and you can see it as "<"), so the browser does all the work for you.
In your sample you need to add the double-quote symbol around the & lt;; that's the reason your replace doesn't work.

Accepted Solution

Dimitris earned 2000 total points
ID: 23727733
Do this test. What you will see is
<script language='VBScript'>
msgbox 1234
and the script will not be executed.

If you do the Response.Write without the Server.HTMLEncode, the script will be executed.
Dim s
s = "<script language='VBScript'>" & vbCrLf
s = s & "msgbox 1234" & vbCrLf
s = s & "</script>" & vbCrLf
Response.Write Server.HTMLEncode(s)   ' the tag arrives as &lt;script ...&gt; and is shown, not run
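An added example (not code from the thread) that takes the accepted answer's test one step further for a real textarea comment: the stored value is encoded on the way out, the line breaks a textarea produces are turned into <br> only after encoding, and the same constructed hostile string used in the test above is checked before anything from the database is rendered. MyRecordSet is the asker's open ADODB.Recordset with a Comments field; the RenderComment function name is an assumption.

```vbscript
<%
' Added example (not from the original thread): rendering a stored textarea
' comment so that any markup inside it is displayed rather than executed.
' MyRecordSet is assumed to be an open ADODB.Recordset with a Comments field.

' Order matters: encode first, then reintroduce line breaks. Encoding after
' adding "<br>" would turn our own tags into text; skipping the encode would
' let a stored "<script>" run in the reader's browser.
Function RenderComment(text)
    Dim encoded
    encoded = Server.HTMLEncode(text & "")        ' & "" turns a Null field into ""
    encoded = Replace(encoded, vbCrLf, "<br>")   ' CRLF as posted by most browsers
    encoded = Replace(encoded, vbLf, "<br>")     ' bare LF from the rest
    RenderComment = encoded
End Function

' Self-check on a constructed hostile value, independent of the database.
' Server.HTMLEncode rewrites < > & and " so the first ten characters of the
' result must be the literal text "&lt;script" rather than a live tag.
Function EncodesScriptTag()
    Dim probe
    probe = "<script language='VBScript'>" & vbCrLf & "msgbox 1234" & vbCrLf & "</script>"
    EncodesScriptTag = (Left(RenderComment(probe), 10) = "&lt;script")
End Function

If Not EncodesScriptTag() Then
    Err.Raise vbObjectError + 1, "RenderComment", "output encoding check failed"
End If

' Render every stored comment. The encoded text is placed in element content;
' Server.HTMLEncode leaves the single quote alone, so it is not safe to drop
' the result inside a single-quoted attribute value.
Do While Not MyRecordSet.EOF
    Response.Write "<p>" & RenderComment(MyRecordSet("Comments")) & "</p>"
    MyRecordSet.MoveNext
Loop
%>
```

The two halves of the thread meet here: the parameterised command keeps the comment out of the SQL, and RenderComment keeps it out of the HTML, so the ProtectSQLInjection character list from the question is not needed on either side.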



Author Closing Comment

ID: 31550716
Thank you! You have been extremely helpful with each comment.
