WebApp Sec mailing list archives

RE: SQL Injection Basics


From: Jason Benson <jbensonfm () yahoo com>
Date: Wed, 12 Feb 2003 08:32:02 -0800 (PST)

Here's a simple VBScript include I wrote to filter offending characters out of queries and form posts. It's very 'basic and dirty' and probably doesn't take into account many different aspects of this type of vuln. I am not a security pro, so please do not use/adapt this script to filter your queries unless you understand the basic vulnerability far better than I.

Let me know if you can think of any additions or exclusions I might want to make to this.

BTW this does _not_ take into account that a regular user might enter an offending character (as in the case of O'Toole or on a code post) as this is not intended for that audience. I already convert / validate those posts well before they reach the database. However it would be a simple addition to convert those characters into their HTML form if needed.

Many thanks in advance!

<%@LANGUAGE="VBSCRIPT" %>
<%
' Constant: chars that will be replaced
' with a single space
Const fmCHARS = "'%/\<>()"
%>
<%
' Validate QueryStrings
' Append all Form Strings to the QueryStrings
' (both collections are used as raw, still URL-encoded, strings here)
fmQList = Request.QueryString & "&" & Request.Form

' Split into separate strings
fmQList = Split(fmQList, "&")

' Get the index of the last string (the array is zero-based)
fmQListCount = (UBound(fmQList) - LBound(fmQList))

' Process each string & replace all fmCHARS
' (>= 0 so that a single parameter is checked as well)
fmAlertVar = 0
If fmQListCount >= 0 Then
  For i = 0 To fmQListCount
    For x = 1 To Len(fmCHARS)
      fmRepChar = Mid(fmCHARS, x, 1)
      fmstrReplaceTXT = Replace(fmQList(i), fmRepChar, " ")
      If fmstrReplaceTXT <> fmQList(i) Then fmAlertVar = 1
      fmQList(i) = fmstrReplaceTXT
    Next
  Next
End If

' Uncomment the following to show AlertVar
' text or to perform an action
If fmAlertVar = 1 Then
  ' Write Alert
  Response.Write "<BR> <B> Script Alert Variable Set! </B><BR>"
  ' Redirect to page:
  'Response.Redirect ("page.asp")
End If
%>

-----Original Message-----
From: Mark Mcdonald [mailto:m.mcdonald () cgl com au] 
Sent: Tuesday, February 11, 2003 10:26 PM
To: 'webappsec () securityfocus com'
Subject: RE: SQL Injection Basics

Jim,

You're right, if the user doesn't enter an integer CInt will just bail throwing a "Type Mismatch".

VBScript isn't as OO as what you've said below, and you would also want the CInt() calls last if you were sanitizing, as otherwise you'll get the same problem as above: non-integer values will fail before the sanitizing function was even called.

Another relevant VBScript function is isNumeric for numeric values. Still, I prefer PHP dev. with the better inbuilt functions there :)

You actually answered an unasked question in head below too, on using bind variables in MySQL: since it's not possible natively, has anyone done their own implementation? IIRC, MySQL4+ actually has bind variable support, but I'm not a big fan of using development servers in production.

        $sth = $dbh->prepare("INSERT INTO contacts (name,email) VALUES (?,?)");
        $sth->execute($name,$email);

Might be time to install mod_perl :)

Has anyone made a sanitising function for VBScript they would like to share?

Thanks,
Mark.
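As an added example, not code from either post, a Python/sqlite3 version of the two approaches the thread compares: filter_chars mirrors the character filter in Jason's VBScript include, and lookup_bound uses the placeholder (bind variable) pattern of the DBI snippet Mark quotes. The contacts row, the names and the O'Toole input are constructed for the example; the point shown is that the filter damages a legitimate value while the bound query handles it.

```python
import sqlite3

# Characters the posted VBScript filter replaces with a space (its fmCHARS).
FILTER_CHARS = "'%/\\<>()"

def filter_chars(value: str) -> tuple:
    """Mimic the post's filter; returns (cleaned value, alert flag like fmAlertVar)."""
    cleaned = value
    for ch in FILTER_CHARS:
        cleaned = cleaned.replace(ch, " ")
    return cleaned, cleaned != value

def open_db() -> sqlite3.Connection:
    """In-memory contacts table with one constructed row whose name has an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    conn.execute("INSERT INTO contacts VALUES ('O''Toole', 'otoole@example.invalid')")
    return conn

def lookup_concat(conn, name):
    """String-built statement: the pattern the thread is warning about."""
    sql = "SELECT email FROM contacts WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, name):
    """Placeholder statement, the prepare/execute pattern of the quoted DBI snippet."""
    rows = conn.execute("SELECT email FROM contacts WHERE name = ?", (name,))
    return [row[0] for row in rows]

def compare(name):
    """Run one input through all three approaches and report each result."""
    conn = open_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:  # a legitimate apostrophe already breaks the statement
        concat = "error: " + type(exc).__name__
    cleaned, alerted = filter_chars(name)
    return {
        "filtered_input": cleaned,          # "O Toole": the legitimate value is damaged
        "alert": alerted,
        "concat": concat,                   # syntax error for O'Toole
        "filtered_then_concat": lookup_concat(conn, cleaned),  # runs, but finds nothing
        "bound": lookup_bound(conn, name),  # finds the row, quote handled by the driver
    }

if __name__ == "__main__":
    print(compare("O'Toole"))
```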



