Aleks
asked on
jQuery to restrict certain words from input in form
I have a website with a contact form and other forms that allow visitors to send information via email.
The problem is that someone is trying to submit commands that would cause harm to the server on which the website is hosted. I want to prevent this by not allowing users to enter certain words. Below is a list of some words I want to restrict from being used in any of the form fields. How can I do this?
PS: They include some characters like %; please disregard those. It should read: save, dump, backup, etc. But you get the idea.
---
select|, drop|, alter|, restore|, truncate|, backup|, load|, dump|, save|, shutdown|, execute|, /%5C*|, %5C*/|, %5C-%5C-|, %5C%5B|, %5C%5D|, char(.*)%5C(|, nchar(.*)%5C(|, sp_|, restore%5Cs|, grant%5Cs|, revoke%5Cs|, dbcc|, use%5Cs|, set%5Cs|, truncate%5Cs|, backup%5Cs|, load%5Cs|, save%5Cs|, cast(.*)%5C(|, convert(.*)%5C(|, execute%5Cs|, updatetext|, writetext|, reconfigure|',document.forms[0].txtusername,0, false);WAValidateRT( document.forms[0].txtpassword, document.forms[0].txtpassword.value,'- Invalid entry for password (Special characters such as quotes or apostrophe are not allowed)',';|, %27|, /*%20...%20*/|, xp_|, cast(%20|, char(%20|, insert%20|, update%20|, delete%20|, script|, javascript|, select|, drop|, alter|, restore|, truncate|, backup|, load|, dump|, save|, shutdown|, execute|, /%5C*|, %5C*/|, %5C-%5C-|, %5C%5B|, %5C%5D|, char(.*)%5C(|, nchar(.*)%5C(|, sp_|, restore%5Cs|, grant%5Cs|, revoke%5Cs|, dbcc|, use%5Cs|, set%5Cs|, truncate%5Cs|, backup%5Cs|, load%5Cs|, save%5Cs|, cast(.*)%5C(|, convert(.*)%5C(|, execute%5Cs|, updatetext|, writetext
--
ASKER CERTIFIED SOLUTION
The best defense against injection attacks is to use parameterised queries rather than query strings. https://support.microsoft.com/en-us/kb/200190
This PAQ might also be useful
https://www.experts-exchange.com/questions/27778567/Sanitize-user-input-in-Classic-ASP.html
ASKER
How does using parameters prevent an injection? They can still type malicious code, right?
Wouldn't I need to apply a function to the inputted data to 'clean' it? If so, is there a generic function I could use?
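An added worked example for the answer above and for this follow-up question; it is not code from the thread. It uses Python's standard sqlite3 module as a stand-in for the Classic ASP and SQL Server setup, with the table and the sample message constructed here. It shows the same legitimate message, one that contains an apostrophe and several of the words on the block list, first spliced into the SQL text and then passed as parameters: the first version breaks on the apostrophe alone, while the second stores the text exactly as typed because parameter values are never parsed as SQL.

```python
import sqlite3

# Constructed sample input: a legitimate contact message whose sender name
# contains an apostrophe and whose text contains several of the words the
# question wants to block.
SAMPLE_NAME = "Conor O'Brien"
SAMPLE_MESSAGE = "Please restore the backup, then drop the old dump and select the save option."


def open_db():
    """In-memory SQLite table standing in for the site's contact table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, sender TEXT, message TEXT)")
    return conn


def insert_concatenated(conn, sender, message):
    """The pattern to get rid of: user data spliced into the SQL text, where the
    engine parses it as SQL. A single apostrophe in a name is enough to break it."""
    sql = "INSERT INTO contact (sender, message) VALUES ('" + sender + "', '" + message + "')"
    conn.execute(sql)


def insert_parameterized(conn, sender, message):
    """The SQL text is fixed; the values travel separately and are never parsed
    as SQL, so no word inside them needs to be blocked."""
    conn.execute("INSERT INTO contact (sender, message) VALUES (?, ?)", (sender, message))


def stored_rows(conn):
    """Return what actually landed in the table."""
    return conn.execute("SELECT sender, message FROM contact ORDER BY id").fetchall()


def demo():
    """Run both insert styles on the same input and report the outcome of each."""
    conn = open_db()
    result = {}
    try:
        insert_concatenated(conn, SAMPLE_NAME, SAMPLE_MESSAGE)
        result["concatenated"] = "inserted"
    except sqlite3.Error as exc:
        # The apostrophe in O'Brien ends the string literal early: a syntax error.
        result["concatenated"] = "failed: " + str(exc)
    insert_parameterized(conn, SAMPLE_NAME, SAMPLE_MESSAGE)
    result["rows"] = stored_rows(conn)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

In Classic ASP the same separation comes from an ADODB.Command whose CommandText uses `?` placeholders and whose values are attached with CreateParameter and Parameters.Append, instead of building the statement with `&`. A jQuery word filter runs in the visitor's browser and is skipped entirely by posting the fields directly, so it cannot stand in for this server-side change; it would also reject ordinary messages like the one above.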
ASKER
BTW, in this particular case it is on a form that is not connected to any database; it is simply a form that submits data and sends an email using our server.
Ok, then what is the risk?
ASKER
Well, we found malware in the server last night, we were able to remove it. When looking at the logs we found someone connecting to the server via our website and I was wondering if this bot or person was using the contact forms and other forms that send emails to somehow be able to infect the server.
Only one form inserts data to our database but the database is clean so I am not sure that is what the person/bot was trying to do. If this is the case I could use a function to clean the data that is inserted, is there one I could use ?
ASKER
I found this in our log: [SID: 28990] Web Attack: PHP Shell Upload 4 attack blocked. Traffic has been blocked for this application: SYSTEM
Which is strange since I don't even have PHP installed on this server.
The log entry indicates the type of attack that was tried. The fact that you don't have PHP installed is not known to the attacker - they are just trying different known exploits.
The most likely point of penetration is
a) You have a file upload script that is not secure
b) Your password is not secure
c) There is potentially some unplugged OS vulnerability or other application running on your server
To install files on your server the hacker would need access to be able to upload files which means FTP / SSH access to the server.
Do the logs show such access?
If not then the most likely other cause is a badly written file upload script - are you using any of those?
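An added log-triage example for the two checks the answer above suggests (whether the logs show an upload over FTP, and whether web requests hit a script that is not one of the site's own forms); it is example code written for this thread, not from the original posts. It parses W3C extended log lines of the kind IIS writes for both its web site and its FTP service, where the `#Fields:` header names the columns. The log lines, addresses and paths are constructed samples, and KNOWN_FORM_HANDLERS is an assumed allowlist the reader would fill in with their own form pages.

```python
import posixpath

# Constructed sample logs (not real data). IIS writes W3C extended format for
# both the web site and the FTP service; the "#Fields:" line names the columns.
WEB_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2016-05-01 02:13:44 203.0.113.9 POST /contact.asp - 200 Mozilla/5.0
2016-05-01 02:13:51 203.0.113.9 POST /upload.php - 404 python-requests/2.9
2016-05-01 02:14:02 203.0.113.9 POST /images/files.asp - 200 python-requests/2.9
2016-05-01 02:15:00 198.51.100.4 GET /index.asp - 200 Mozilla/5.0
"""

FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2016-05-01 02:20:10 203.0.113.9 webadmin USER - 331
2016-05-01 02:20:11 203.0.113.9 webadmin PASS - 230
2016-05-01 02:20:30 203.0.113.9 webadmin STOR /wwwroot/images/files.asp 226
"""

# Assumed allowlist: the form handlers this site really exposes.
KNOWN_FORM_HANDLERS = {"/contact.asp"}
# Extensions the server (or a PHP probe) would execute; a new file with one of
# these in a content folder is a web-shell candidate.
EXECUTABLE_EXTENSIONS = (".asp", ".aspx", ".asa", ".php")


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by field name."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a row whose token count does not match: skip it
        entries.append(dict(zip(fields, values)))
    return entries


def suspicious_web_requests(entries):
    """POSTs to script paths that are not one of the site's own form handlers.
    A 404 on /upload.php is a probe for software the server does not run; a 200
    on an unknown .asp under a content folder is what a dropped shell looks like."""
    findings = []
    for e in entries:
        path = e["cs-uri-stem"].lower()
        if e["cs-method"] != "POST" or not path.endswith(EXECUTABLE_EXTENSIONS):
            continue
        if path in KNOWN_FORM_HANDLERS:
            continue
        findings.append((e["c-ip"], path, e["sc-status"]))
    return findings


def ftp_uploads(entries):
    """Successful FTP uploads (STOR) of executable files: who, from where, what, when."""
    uploads = []
    for e in entries:
        # IIS 6 FTP logs prefix the session id, e.g. "[1]STOR"; endswith covers both forms.
        if not e["cs-method"].endswith("STOR") or not e["sc-status"].startswith("2"):
            continue
        if e["cs-uri-stem"].lower().endswith(EXECUTABLE_EXTENSIONS):
            uploads.append((e["cs-username"], e["c-ip"], e["cs-uri-stem"], e["date"] + " " + e["time"]))
    return uploads


def correlate(findings, uploads):
    """Pair each uploaded script with web hits on the same file name: an FTP STOR
    followed by POSTs to that name is the sequence the answer above describes."""
    hits_by_name = {}
    for ip, path, status in findings:
        hits_by_name.setdefault(posixpath.basename(path), []).append((ip, status))
    pairs = []
    for upload in uploads:
        name = posixpath.basename(upload[2].lower())
        if name in hits_by_name:
            pairs.append((upload, hits_by_name[name]))
    return pairs


def triage():
    """Run all three checks over the sample logs and return the findings."""
    findings = suspicious_web_requests(parse_w3c(WEB_LOG))
    uploads = ftp_uploads(parse_w3c(FTP_LOG))
    return {"web": findings, "ftp": uploads, "correlated": correlate(findings, uploads)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key)
        for item in value:
            print("  ", item)
```

The FTP account name and source address of a matched upload are the leads to follow next (whose credential it was, and whether the same address appears in the web log before the upload). Real IIS logs replace spaces in the user-agent with `+`, so the whitespace split above holds for them as it does for the samples.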
ASKER
Not on the website I don't
No success registered. Still trying to figure out how the file got in.
What sort of file is it?
ASKER
I am using Classic ASP and a SQL database.