
  • Re: Anyone know about www.nihaorr1.com/1.js?

    May 20, 2008 01:03 AM | wistex42

    In my situation, most of the input should not have a ' or a ; in it at all, so I just filter that out completely when those characters are not expected.  I place an include with the following code at the top of almost every page.

    <%
    ' Reject the request outright when the query string or the posted
    ' form contains characters that this site's input never carries:
    ' a semicolon, a SQL comment marker ("--") or a single quote.
    ' Both values are the raw, URL-encoded text (QUERY_STRING is the
    ' undecoded query string; Request.Form with no argument is the
    ' unparsed POST body), so a quote sent as %27 is not caught here.
    Dim qs, frm
    qs = Request.ServerVariables("QUERY_STRING")
    frm = Request.Form

    If InStr(qs, ";") > 0 Or InStr(frm, ";") > 0 Then Response.Redirect("/404msg.asp")
    If InStr(qs, "--") > 0 Or InStr(frm, "--") > 0 Then Response.Redirect("/404msg.asp")
    If InStr(qs, "'") > 0 Or InStr(frm, "'") > 0 Then Response.Redirect("/404msg.asp")
    %>

    This won't work for everyone, but if you know for sure that a ' or ; or a -- should not be in the input, just kill it before it goes anywhere. 

    This code checks both GET and POST (i.e. parameters in the URL or submitted from a form) and can be used as a preemptive filter before it even gets to the rest of the code.

    Obviously this is not the only thing you should do, but it may be a quick way to kill certain attacks.  Combine this with proper sanitizing of variables, and it makes your site more difficult to attack.

    lillyg

    Would it work to use the CInt function to test the ID that's passed to confirm that it is an integer between -32767 and 32767?  It seems like that would force an error given the length and alpha characters that are in the script.


    That should definitely be used for checking integers.  But depending on the application, not all parameters may be integers.
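    The CInt check discussed above, written out as a reusable validator. This is an added example, not code from the thread; it assumes a required `id` query-string parameter and the `/404msg.asp` error page from the post.

```vbscript
<%
' Added example, not from the thread: validate an integer request
' parameter before it reaches any query. CInt raises a runtime error
' ("Type mismatch" or "Overflow") on bad input, so the error is
' trapped with On Error Resume Next instead of breaking the page.
Function TryParseInt(text, ByRef result)
    Dim i, ch
    TryParseInt = False
    result = 0
    ' IsNumeric alone would also accept "1e3", "&H1F" or " 12 ", so
    ' require exactly an optional leading minus followed by digits.
    If Len(text) = 0 Or Len(text) > 6 Then Exit Function
    For i = 1 To Len(text)
        ch = Mid(text, i, 1)
        If Not (ch >= "0" And ch <= "9") Then
            If Not (i = 1 And ch = "-" And Len(text) > 1) Then Exit Function
        End If
    Next
    On Error Resume Next
    result = CInt(text)          ' errors outside -32768..32767
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        result = 0
        Exit Function
    End If
    On Error GoTo 0
    TryParseInt = True
End Function

' Assumed parameter name "id"; a missing or non-integer value is rejected.
Dim id
If Not TryParseInt(CStr(Request.QueryString("id")), id) Then
    Response.Redirect("/404msg.asp")
End If
' id is now a genuine Integer; pass it to the query as a parameter
' (e.g. ADODB.Command) rather than concatenating it into SQL text.
%>
```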


