  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 15, 2008 06:12 AM|drors01


    I added the URL filter to my site just in case...

    But then I started getting too many false alarms due to Google's search.
    It is doing many sorts of phrases that include many of the words that are not allowed.

    So I made a change to the verify function

    function verify(s)
     ' default: allow the request unless enough bad words are found
     verify = true
     ' convert the querystring to lowercase
     s = lcase(s)
     risk_level_counter = 0

     ' badwords - a list of disallowed keywords in the url
     badwords = "select 1=1 insert update delete drop -- table alter cast declare convert exec chr( union"

     ' create an array list of each bad word
     r = split(badwords, " ")
     ' loop through the bad words and count each one that is present
     for i = 0 to ubound(r)
      if instr(s, r(i)) > 0 then
       risk_level_counter = risk_level_counter + 1
      end if
     next

     ' reject the request when two or more bad words are present
     if risk_level_counter >= 2 then
      verify = false
     end if

    end function

    I think that I am going to give a unique level of risk to each word, for instance giving 3 for DECLARE, UPDATE, DROP and a level of 1 to select.

    I would also combine the checks with the length of the string, not allowing more than 150 characters for a known need.
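
The weighted scoring and length limit described in the post above, sketched as an added example that is not part of the original post. The function name `verify_weighted`, the cut-off of 4, the weight of 1 for words the post does not rate, and the sample query strings are assumptions; matching is by substring, as in the post's function.

```vbscript
Option Explicit

Const MAX_QUERY_LENGTH = 150   ' length limit mentioned in the post
Const RISK_THRESHOLD = 4       ' assumed cut-off, not from the post

' Returns True when the query string is acceptable, False when it is rejected.
Function verify_weighted(ByVal s)
    Dim weights, word, score
    verify_weighted = True

    ' Over-long query strings are rejected before any keyword scoring.
    If Len(s) > MAX_QUERY_LENGTH Then
        verify_weighted = False
        Exit Function
    End If

    Set weights = CreateObject("Scripting.Dictionary")
    ' Weights named in the post: 3 for declare, update, drop; 1 for select.
    weights.Add "declare", 3
    weights.Add "update", 3
    weights.Add "drop", 3
    weights.Add "select", 1
    ' Remaining words from the post's list: a weight of 1 is an assumption.
    For Each word In Split("1=1 insert delete -- table alter cast convert exec chr( union", " ")
        weights.Add word, 1
    Next

    ' Sum the weight of every listed word found in the lowercased string.
    s = LCase(s)
    score = 0
    For Each word In weights.Keys
        If InStr(s, word) > 0 Then score = score + weights(word)
    Next

    If score >= RISK_THRESHOLD Then verify_weighted = False
End Function

' Constructed sample query strings (not taken from real traffic).
' Run with cscript.exe; inside an ASP page use Response.Write instead.
WScript.Echo CStr(verify_weighted("q=windows+update+download"))
WScript.Echo CStr(verify_weighted("id=5;declare @s varchar(100);exec(@s)"))
WScript.Echo CStr(verify_weighted("q=" & String(151, "a")))
```

With these assumed weights, a single high-risk word such as "update" in a search phrase scores 3 and passes, while "declare" together with "exec" reaches the cut-off and is rejected.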