Protecting Form Input Fields in Classic Asp

Posted on 2009-02-24
Last Modified: 2012-05-06
I'm trying to be smart about protecting my user form. I've created an INSERT stored procedure along with field validations (max/min length, numeric, etc.) and so on. What I don't understand is how to protect my "Comment (textarea)" field from having malicious code inserted into it. I keep reading that the best protection is server-side, not client-side.

I'm just not sure if this is what I need and/or how to implement it. I found the following at

I might need it explained in layman's terms.
Function ProtectSQLInjection(TxtData)
    TxtData = Replace(TxtData, "%", "")
    TxtData = Replace(TxtData, "'", "")
    TxtData = Replace(TxtData, "*", "")
    TxtData = Replace(TxtData, "--", "")
    TxtData = Replace(TxtData, "'", "''")
    TxtData = Replace(TxtData, """", "")
    TxtData = Replace(TxtData, ")", "")
    TxtData = Replace(TxtData, "(", "")
    TxtData = Replace(TxtData, ";", "")
    TxtData = Replace(TxtData, "-", "")
    TxtData = Replace(TxtData, "|", "")
    ProtectSQLInjection = TxtData
End Function


Question by:swaggerking
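What the quoted function actually does to input, shown as an added example that is not part of the question or any of the answers: a stand-alone VBScript (run with cscript, no web server needed) that feeds constructed sample comments through ProtectSQLInjection exactly as posted above. The sample strings and the file name are constructed for this test.

```vbscript
' Added test harness, not part of the original question: runs the posted
' ProtectSQLInjection function over constructed sample comments so its effect
' on real data is visible. Save as denylist_test.vbs and run: cscript denylist_test.vbs
Option Explicit

Function ProtectSQLInjection(TxtData)
    ' The function exactly as quoted in the question (whitespace aside).
    TxtData = Replace(TxtData, "%", "")
    TxtData = Replace(TxtData, "'", "")
    TxtData = Replace(TxtData, "*", "")
    TxtData = Replace(TxtData, "--", "")
    TxtData = Replace(TxtData, "'", "''")   ' never matches: every ' was already removed above
    TxtData = Replace(TxtData, """", "")
    TxtData = Replace(TxtData, ")", "")
    TxtData = Replace(TxtData, "(", "")
    TxtData = Replace(TxtData, ";", "")
    TxtData = Replace(TxtData, "-", "")
    TxtData = Replace(TxtData, "|", "")
    ProtectSQLInjection = TxtData
End Function

' Prints a comment as the user typed it and as the denylist leaves it.
Sub Compare(label, txt)
    WScript.Echo label
    WScript.Echo "  as typed       : " & txt
    WScript.Echo "  after denylist : " & ProtectSQLInjection(txt)
    WScript.Echo ""
End Sub

' Constructed sample inputs
Compare "1. Ordinary comment (apostrophes, percent, brackets and hyphen are legitimate text):", _
        "O'Brien said it's 50% off (see notes) - nice!"
Compare "2. Comment with SQL-looking words (harmless when passed as a parameter anyway):", _
        "Please don't drop the database idea; it's still worth a look."
Compare "3. Comment containing markup (passes the denylist untouched):", _
        "<b>Hello</b> <script>alert(1)</script>"
```

Case 1 comes out as "OBrien said its 50 off see notes  nice!", so the function silently corrupts ordinary comments, while case 3 is returned unchanged because none of the stripped characters appear in it. The stripping is aimed at SQL syntax, which a parameterized stored-procedure call never exposes to user text in the first place, and it does nothing about markup, which is an output-encoding problem.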
    LVL 12

    Expert Comment

    If you have created a stored procedure,
    the best way to protect from malicious posts is to call the stored procedure with ADODB.Command and pass the parameters.

    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = YourConnection   ' an open ADODB.Connection or a connection string
    cmd.CommandType = 4                      ' adCmdStoredProc
    cmd.CommandText = "sp_INSERT"
    cmd.Parameters.Append cmd.CreateParameter("@PARAM1", 200, 1, 50, Request.Form("txtParam1"))   ' adVarChar, adParamInput, size 50
    cmd.Execute

    In this way all the input parameters are treated as text and nothing more,
    so if I write ";DROP DATABASE MASTER" in your text area, for example, the result will be to insert the text ";DROP DATABASE MASTER" into the table.

    It's the simplest way to be protected from intrusions.

    Author Comment

    Thanks for the quick response. The below snippet is what I've been currently using during my development stage. I've been using the ADODB.Command as you have suggested. I guess since I'm a newbie to the back-end of site development my terminology is still limited.

    Will these steps also protect me from embedded JS files?
    I guess I'm also asking: is there a way to prevent user input from entering certain symbols <[/!]*?[^<>]*?>

    Dim CMDaddprofile__Comments
    CMDaddprofile__Comments = ""
    If (Request("Comments") <> "") Then CMDaddprofile__Comments = Request("Comments")

    Dim CMDaddprofile
    Set CMDaddprofile = Server.CreateObject("ADODB.Command")
    CMDaddprofile.ActiveConnection = MM_MyCONN_STRING
    CMDaddprofile.CommandText = "dbo.sp_addprofile"
    CMDaddprofile.CommandType = 4          ' adCmdStoredProc
    CMDaddprofile.CommandTimeout = 0
    CMDaddprofile.Prepared = True
    CMDaddprofile.Parameters.Append CMDaddprofile.CreateParameter("@RETURN_VALUE", 3, 4)   ' adInteger, adParamReturnValue
    CMDaddprofile.Parameters.Append CMDaddprofile.CreateParameter("@Comments", 200, 1, 500, CMDaddprofile__Comments)   ' adVarChar, adParamInput, size 500
    CMDaddprofile.Execute

    Dim CMDaddRedirectUrl
    CMDaddRedirectUrl = "http://mysite/success.asp"
    If (CMDaddRedirectUrl <> "") Then
        Response.Redirect CMDaddRedirectUrl
    End If


    LVL 12

    Expert Comment

    The Command Object and the parameters will protect you from SQL intrusion.
    The user can input whatever he likes; this, for example, is valid:

    <script language="VBScript">
    Dim fs
    Set fs = CreateObject("Scripting.FileSystemObject")
    fs.DeleteFolder "c:\temp", True
    </script>

    It will not create any problem on the SQL side, but the script will be executed when it is displayed in your ASP page.
    If you don't want these chars (<[/!]*?[^<>]*?>) to exist then you can do a replace on them by calling the Server.HTMLEncode method, if I remember correctly (it may be Server.HTMLDecode, I don't remember right now). That will translate the "<" to ">" so the result will be that the page will display the script written above. Only display it, not execute it.
    Else you can call your posted function to replace the unwanted chars.
    LVL 12

    Expert Comment

    * That will translate the "<" to "& lt;" (without the space)

    Author Comment

    Gotcha on the Command Object. Your explanation made complete sense to me.

    For HTML.Encode it might look something like TestOne. Which seems to be displaying ALL characters as text.
    Not sure why I cannot get the replace to work for TestTwo.

    <%
    Dim TestOne
    TestOne = Server.HTMLEncode(MyRecordSet("Comments"))
    Response.Write TestOne
    %>
    <%
    Dim TestTwo
    TestTwo = Server.HTMLEncode(MyRecordSet("Comments"))
    TestTwo = Replace(TestTwo, &lt;, "<")
    Response.Write TestTwo
    %>


    LVL 12

    Expert Comment

    There is no need to do a replace of the "& lt;" to "<"; then "& lt;" will be displayed as < (I have written exactly the same without the space and you can see it as "<"), so the browser does all the work for you.
    In your sample you need to add the double quotes symbol around the & lt;, that's the reason your replace doesn't work.
    LVL 12

    Accepted Solution

    Do this test; what you will see is

    <script language='VBScript'>
    msgbox 1234

    and the script will not be executed.

    If you do the Response.Write without the Server.HTMLEncode the script will be executed.
    dim s
    s="<script language='VBScript'>" & vbcrlf
    s= s & "msgbox 1234" & vbcrlf
    s= s & "</script>" & vbcrlf
    response.write Server.HTMLEncode(s)
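Putting the two recommendations of this thread together, typed parameters on the way into the database and Server.HTMLEncode on the way out, in one classic ASP page. This is an added example, not code from the question or from the answers. It assumes a connection string in CONN_STRING, that the dbo.sp_addprofile procedure named in the question takes a varchar(500) @Comments parameter and returns 0 on success, a dbo.Profiles table with a Comments column to read back from, and the page name comments.asp; all of those are assumptions, not facts from the thread.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' Added example (not code from the original thread). Assumptions, not from the page:
' CONN_STRING, that dbo.sp_addprofile returns 0 on success, the dbo.Profiles table
' and the page name comments.asp.
Const CONN_STRING = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=MyDb;Integrated Security=SSPI"
Const MAX_COMMENT = 500   ' matches the varchar(500) @Comments parameter in the question

' ADO constants written out (values from adovbs.inc) so no include file is needed
Const adCmdStoredProc = 4
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1
Const adParamReturnValue = 4
Const adExecuteNoRecords = 128

' Writes one comment through the stored procedure. Returns True on success.
Function SaveComment(comment)
    SaveComment = False
    ' Server-side validation: a browser-side length limit can be bypassed, this cannot.
    If Len(comment) = 0 Or Len(comment) > MAX_COMMENT Then Exit Function

    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = CONN_STRING
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.sp_addprofile"
    cmd.Parameters.Append cmd.CreateParameter("@RETURN_VALUE", adInteger, adParamReturnValue)
    ' The text travels as a typed parameter value and is never spliced into SQL text,
    ' so quotes, semicolons and "--" inside it are just characters to SQL Server.
    cmd.Parameters.Append cmd.CreateParameter("@Comments", adVarChar, adParamInput, MAX_COMMENT, comment)
    cmd.Execute , , adExecuteNoRecords
    SaveComment = (cmd.Parameters("@RETURN_VALUE").Value = 0)
    Set cmd = Nothing
End Function

' Turns stored text into HTML that the browser will only display, never run.
Function RenderComment(text)
    Dim safe
    ' Encode first: <, >, &, " become entities, so markup a user typed stays text.
    safe = Server.HTMLEncode(text)
    ' Only after encoding is it safe to add markup of our own, e.g. line breaks.
    RenderComment = Replace(safe, vbCrLf, "<br>")
End Function

Dim saved
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    saved = SaveComment(CStr(Request.Form("Comments")))
    If Not saved Then
        Response.Write "<p>Comment must be 1 to " & MAX_COMMENT & " characters.</p>"
    End If
End If
%>
<form method="post" action="comments.asp">
  <textarea name="Comments" rows="5" cols="60"></textarea>
  <input type="submit" value="Post comment">
</form>
<%
Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STRING
' No user input goes into this statement, so plain SQL text is fine here.
Set rs = conn.Execute("SELECT Comments FROM dbo.Profiles")
Do While Not rs.EOF
    ' & "" turns a NULL column into "", which Server.HTMLEncode would otherwise reject.
    Response.Write "<div class=""comment"">" & RenderComment(rs("Comments").Value & "") & "</div>" & vbCrLf
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

Two design points worth noticing: the comment is stored exactly as the user typed it (apostrophes and all), because the parameter makes escaping unnecessary, and the encoding happens at the moment of display rather than before storage, so the same stored text can later be emitted into a different context (a JSON feed, an e-mail) with the encoding that context needs.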



    Author Closing Comment

    Thank you! You have been extremely helpful with each comment.
