Best way to prevent unauthorized form submission

I have what I feel is an antiquated process in place for this (using classic asp).  Just wondering if there is a "gold standard" or an approach that is simpler than mine to prevent sql injection and other malicious hacks.

Thanks!
Bob SchneiderCo-OwnerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jim HornMicrosoft SQL Server Developer, Architect, and AuthorCommented:
<No points please> In addition to asking questions, since this seems pretty open-ended..

In EE's top nav if you go to the dropdown and select 'Search Articles', type SQL Injection and hit return, you'll find a couple of articles on the topic.

After reading, if you like what you see click on the green 'Was this article useful?' button at the bottom, and you can always leave the author comments.
0
dsackerContract ERP Admin/ConsultantCommented:
I use ASP all the time. Love it. Most of my usage is within an intranet of a corporation, so there is that security as well.

I will assume you use IIS. If so, these are a few of my "101" steps that I take:

Authentication - I disable Anonymous Authentication, and enable Windows Authentication (if not already enabled). This forces the usage of the user's login.
I keep impacting data in Session variables (i.e., on the Server). Hijacking those would be quite a feat.
While I like and use Javascript, I do not make any form input variables solely dependent upon Javascript changes. That invites injection.
I do not make my website pages solely dependent upon parameters (i.e., http://website?parm=this&parm2=that). I will use them in transition, but definitely not with any link to the value or destination of fields and changes.
I have not mentioned Authorization Rules and folder security, but those are worth considering. As said above in another post, there are good articles here and elsewhere on best practices, but this is a start.
0
Big MontySenior Web Developer / CEO of ExchangeTree.org Commented:
the best way, in my experience, to avoid sql injection is to sanitize the incoming data and use parameterized queries. I have a simple function in my master library I include on all of my pages, and essentially ensures any value and data type I pass into it IS what it says it is, if not, the defaultValue parameter comes back as the data I use. I use this function whenever I process data coming from the user:

function cleanData( val, varType, defaultValue )
    if Len( val ) = 0 or val = "" then
        val = defaultValue
    else
        select case varType
            case "int":
                if not isNumeric( val ) then 
                    val = defaultValue
                else
                    val = CInt( val )
                end if
            case "string":
                if Len( val ) > 0 then
                    val = CStr( val )
                else
                    val = defaultValue
                end if
            case "bit":
                if val <> "1" or val <> "0" then val = defaultValue
        end select
    end if

    cleanData = val
    
end function

Open in new window


I parsed it down to 3 data types so you would get the sense of what it does, you can add in as many as you want. my motto is "don't trust anything the user enters". javascript validation is always a good start, but always do a check on the server side as well to avoid issues
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Bob SchneiderCo-OwnerAuthor Commented:
Thanks!
0
Bob SchneiderCo-OwnerAuthor Commented:
Big Monty: how do you call that function?
0
Big MontySenior Web Developer / CEO of ExchangeTree.org Commented:
if you were validating a string entry, you would do something like:

myString = cleanData( Request("stringField"), "string", "myDefaultStringValue" )

the third parameter can contain a value or be blank, essentially, if you have a fail safe a value should be if it doesn't validate, then put it there. same thing with a integer validation:

myInt = cleanData( Request("intField"), "int", -1 )
0
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
I think it would help to know what you mean by unauthorized?  Do you require people to login?  http://www.experts-exchange.com/articles/18259/User-Log-In-Using-A-Token.html, preventing malicious data or preventing garbage data?

For numbers and dates you can of course check to make sure if you are expecting a date or number that is the case.  I think that is the function above.

For text fields, you can convert special characters such as single and double quotes to an entity.

You can use javascript for a quick form verification which makes it easier on your users and server but as dsacker points out, you ultimately want to do this server side.

Also using a captcha method will help.   In some cases I will also add a session variable that counts how many times somebody tries to submit the form and if it is too many, lock them out.

<%
show_form = 1 'ok to show
if request.form<>"" then
   if session("form_count")<>"" then
       session("form_count")=cint(session("form_count"))+1
       else
      session("form_count")=1
  end if

If session("form_count")> 5 then ' 5 tries
     show_form = 0
end if

if show_form=1 then
%>
<form>


</from>
<%
' form will not show if they try too many times.  If it is a real person, they will contact you.
end if
%>

Open in new window


Small sites are not a high target, but still vulnerable.  I do find every once in a while somebody tries to submit garbage over and over for a short period of time and something small like above does the trick.  It is by no means 100% as sessions can be reset or they can use multiple browsers.   Between a captcha and hiding the form after too many try's has worked.
0
Bob SchneiderCo-OwnerAuthor Commented:
Great discusssion.  Thanks to all!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.