Asked by Aleks (United States of America)
jquery to restrict certain words from input in form

I have a website with a contact form and other forms that allow visitors to send information via email.
The problem is that someone is trying to submit commands that would cause harm to the server on which the website is hosted. I want to prevent this by not allowing users to enter certain words. Below is a list of some words I want to restrict from being used in any of the form fields. How can I do this?
PS: They include some characters like %, please disregard; it should read: save, dump, backup, etc. But you get the idea.
---

select|, drop|, alter|, restore|, truncate|, backup|, load|, dump|, save|, shutdown|, execute|, /\*|, \*/|, \-\-|, \[|, \]|, char(.*)\(|, nchar(.*)\(|, sp_|, restore\s|, grant\s|, revoke\s|, dbcc|, use\s|, set\s|, truncate\s|, backup\s|, load\s|, save\s|, cast(.*)\(|, convert(.*)\(|, execute\s|, updatetext|, writetext|, reconfigure|',document.forms[0].txtusername,0,false);WAValidateRT(document.forms[0].txtpassword,document.forms[0].txtpassword.value,'- Invalid entry for password (Special characters such as quotes or apostrophe are not allowed)',';|, '|, /* ... */|, xp_|, cast( |, char( |, insert |, update |, delete |, script|, javascript

--
ASKER CERTIFIED SOLUTION
Julian Hansen (South Africa)
This solution is only available to members.
Aleks (ASKER):

Julian. Good points. Do you have a reference on how to sanitize user input?

I am using classic asp and sql database
The best defense against injection attacks is to use parameterised queries rather than query strings. https://support.microsoft.com/en-us/kb/200190

This PAQ might also be useful

https://www.experts-exchange.com/questions/27778567/Sanitize-user-input-in-Classic-ASP.html
Aleks (ASKER):

How does using parameters prevent an injection? They can still type malicious code, right?
Wouldn't I need to apply a function to the inputted data to 'clean' it? If so, is there a generic function I could use?
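The blocklist from the question and the parameterised-query advice from the reply above, as an added example that is not code from this thread. Python with an in-memory sqlite3 database stands in for the asker's classic ASP and SQL database; the tables, rows, the sample payload and the subset of the posted word list are all constructed for the demo.

```python
"""Added example, not code from the thread: the word blocklist from the
question versus parameterised queries. Python/sqlite3 stands in for the
asker's classic ASP + SQL database; every table, row and input below is
constructed for the demo."""
import re
import sqlite3

# Subset of the terms posted in the question, matched case-insensitively as
# the jQuery validator would. It runs in the browser, so a client that posts
# the form directly (curl, a bot) never meets this check at all.
BLOCKED_TERMS = ["select", "drop", "alter", "truncate", "backup", "load",
                 "dump", "save", "shutdown", "execute", "insert ", "update ",
                 "delete ", "script", "javascript", "'", "--", "/*", "*/"]
BLOCKLIST_RE = re.compile("|".join(re.escape(t) for t in BLOCKED_TERMS),
                          re.IGNORECASE)


def blocklist_rejects(text: str) -> bool:
    """True if the posted blocklist would refuse this field value."""
    return BLOCKLIST_RE.search(text) is not None


# Constructed payload: the quote closes the string literal, UNION appends a
# query against a table the form was never meant to read.
PAYLOAD = "nobody' UNION SELECT token FROM secrets --"


def setup_db() -> sqlite3.Connection:
    """Constructed schema: a contacts table plus one the form must not reach."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    con.execute("CREATE TABLE secrets (token TEXT)")
    con.execute("INSERT INTO contacts VALUES (?, ?)", ("O'Brien", "obrien@example.com"))
    con.execute("INSERT INTO secrets VALUES (?)", ("internal-token",))
    return con


def find_email_concatenated(con: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the SQL text is assembled from the field value, which is what
    # building a query string with & and Request.Form() does in classic ASP.
    sql = "SELECT email FROM contacts WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def find_email_parameterised(con: sqlite3.Connection, name: str) -> list:
    # Safe: the SQL text is fixed; the value is sent separately and is never
    # parsed as SQL, so quotes and keywords inside it are just characters.
    sql = "SELECT email FROM contacts WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def run_demo() -> dict:
    """Run both query styles against the legit name and the payload."""
    con = setup_db()
    out = {
        # The blocklist rejects harmless text and a real surname...
        "blocks_legit_text": blocklist_rejects("Please save a backup of my order"),
        "blocks_obrien": blocklist_rejects("O'Brien"),
        # ...and the payload, but only if the attacker runs the page's JavaScript.
        "blocks_payload": blocklist_rejects(PAYLOAD),
        "concat_payload": find_email_concatenated(con, PAYLOAD),   # leaks secrets
        "param_payload": find_email_parameterised(con, PAYLOAD),   # no such name
        "param_obrien": find_email_parameterised(con, "O'Brien"),
    }
    try:
        out["concat_obrien"] = find_email_concatenated(con, "O'Brien")
    except sqlite3.OperationalError:
        out["concat_obrien"] = "syntax error"   # the apostrophe breaks the query
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The same payload leaks the `secrets` row through the concatenated query and is simply a name that matches nothing through the parameterised one, while the legitimate name O'Brien is rejected by the blocklist, breaks the concatenated query, and works with parameters. No cleaning function is involved: the value is never interpreted as SQL, which is why parameters answer the "they can still type malicious code" worry.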
Aleks (ASKER):

btw, this particular case is a form that is not connected to any database; it is simply a form that submits data and sends an email using our server.
Ok, then what is the risk?
Aleks (ASKER):

Well, we found malware in the server last night, we were able to remove it. When looking at the logs we found someone connecting to the server via our website and I was wondering if this bot or person was using the contact forms and other forms that send emails to somehow be able to infect the server.
Only one form inserts data into our database, but the database is clean, so I am not sure that is what the person/bot was trying to do. If this is the case I could use a function to clean the data that is inserted; is there one I could use?
Aleks (ASKER):

I found this in our log:  [SID: 28990] Web Attack: PHP Shell Upload 4 attack blocked. Traffic has been blocked for this application: SYSTEM

Which is strange since I don't even have PHP installed on this server.
The log entry indicates the type of attack that was tried. The fact that you don't have PHP installed is not known to the attacker - they are just trying different known exploits.

The most likely point of penetration is

a) You have a file upload script that is not secure
b) Your password is not secure
c) There is potentially some unpatched OS vulnerability or other application running on your server

To install files on your server the hacker would need access to be able to upload files, which means FTP / SSH access to the server.
Do the logs show such access?

If not then the most likely other cause is a badly written file upload script - are you using any of those?
Aleks (ASKER):

Not on the website, I don't.
No success registered. Still trying to find out how the file got in.
What sort of file is it?