WebApp Sec mailing list archives
RE: SQL Injection Basics
From: Jason Benson <jbensonfm () yahoo com>
Date: Wed, 12 Feb 2003 08:32:02 -0800 (PST)
Here's a simple VBScript include I wrote to filter offending characters out of queries and form posts. It's very 'basic and dirty' and probably doesn't take into account many different aspects of this type of vuln. I am not a security pro, so please do not use/adapt this script to filter your queries unless you understand the basic vulnerability far better than I. Let me know if you can think of any additions or exclusions I might want to make to this.

BTW this does _not_ take into account that a regular user might enter an offending character (as in the case of O'Toole or on a code post) as this is not intended for that audience. I already convert / validate those posts well before they reach the database. However it would be a simple addition to convert those characters into their HTML form if needed.

Many thanks in advance!

<%@LANGUAGE="VBSCRIPT" %>
<%
' Constant: chars that will be replaced
' with a single space
Const fmCHARS = "'%/\<>()"
%>
<%
' Validate QueryStrings
' Append all Form Strings to the QueryStrings
fmQList = Request.QueryString & "&" & Request.Form

' Split into separate "name=value" strings
fmQList = Split(fmQList, "&")

' Get the index of the last string (0 when there is exactly one)
fmQListCount = (UBound(fmQList) - LBound(fmQList))

' Alert flag: set to 1 if any character was replaced
fmAlertVar = 0

' Process each string & replace all fmCHARS
' (>= 0 so that a request with a single parameter is also checked)
If fmQListCount >= 0 Then
    For i = 0 To fmQListCount
        For x = 1 To Len(fmCHARS)
            fmRepChar = Mid(fmCHARS, x, 1)
            fmstrReplaceTXT = Replace(fmQList(i), fmRepChar, " ")
            If fmstrReplaceTXT <> fmQList(i) Then fmAlertVar = 1
            fmQList(i) = fmstrReplaceTXT
        Next
    Next
End If

' Uncomment the following to show AlertVar
' text or to perform an action
If fmAlertVar = 1 Then
    ' Write Alert
    Response.Write "<BR> <B> Script Alert Variable Set! </B><BR>"
    ' Redirect to page:
    'Response.Redirect ("page.asp")
End If
%>

-----Original Message-----
From: Mark Mcdonald [mailto:m.mcdonald () cgl com au]
Sent: Tuesday, February 11, 2003 10:26 PM
To: 'webappsec () securityfocus com'
Subject: RE: SQL Injection Basics

Jim,

You're right, if the user doesn't enter an integer CInt will just bail throwing a "Type Mismatch". VBScript isn't as OO as what you've said below, and you would also want the CInt() calls last if you were sanitizing, as otherwise you'll get the same problem as above, non-integer values will fail before the sanitizing function was even called. Another VBScript function relevant is isNumeric for numeric values.

Still, I prefer PHP dev. with the better inbuilt functions there :)

You actually answered an un-asked question in head below too, on using bind variables in MySQL, since it's not possible natively, has anyone done their own implementation? IIRC, MySQL4+ actually has bind variable support, but I'm not a big fan of using development servers in production.

$sth = $dbh->prepare("INSERT INTO contacts (name,email) VALUES (?,?)");
$sth->execute($name,$email);

Might be time to install mod_perl :)

Has anyone made a sanitising function for VBScript they would like to share?

Thanks,
Mark.
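The two approaches in this message, Jason's character-stripping filter and the bind-variable style Mark quotes from Perl DBI, can be compared side by side. The following is an added example, not code from either poster: it ports the VBScript loop to Python (same character list, same per-"name=value" replacement, same alert flag) and puts a parameterized INSERT next to it using the standard-library sqlite3 driver. The `contacts` table and the `O'Toole` request are constructed for the demonstration; the sample shows the gap Jason mentions himself, that a legitimate apostrophe is mangled by the blacklist, while the bind-variable version stores it intact because the driver never splices the value into SQL text.

```python
import sqlite3

# Character list from the posted VBScript (Const fmCHARS = "'%/\<>()")
FM_CHARS = "'%/\\<>()"


def strip_chars(item, chars=FM_CHARS):
    """Port of the inner VBScript loop: replace every listed character
    with a single space. Returns (filtered_item, replaced_anything)."""
    out = item
    for ch in chars:
        out = out.replace(ch, " ")
    return out, out != item


def scan_request(query_string):
    """Port of the outer loop: split the raw query on '&' (no URL decoding,
    exactly as the original does) and filter each 'name=value' element.
    Returns (filtered_elements, alert_flag)."""
    alert = False
    filtered = []
    for element in query_string.split("&"):
        if element == "":          # the trailing '&' in the original leaves an empty element
            continue
        new_element, hit = strip_chars(element)
        alert = alert or hit
        filtered.append(new_element)
    return filtered, alert


def insert_contact_parameterized(conn, name, email):
    """Bind-variable INSERT, the same shape as Mark's DBI prepare/execute.
    The '?' placeholders are filled by the driver, so quote characters in
    the data are stored as data. Returns the name read back for that email."""
    conn.execute("INSERT INTO contacts (name, email) VALUES (?, ?)", (name, email))
    row = conn.execute("SELECT name FROM contacts WHERE email = ?", (email,)).fetchone()
    return row[0]


def demo():
    """Run both paths over a constructed request containing a legitimate apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT)")  # constructed schema

    # Constructed sample request: a real name that happens to contain a blacklisted char
    filtered, alert = scan_request("name=O'Toole&email=ot@example.com&")
    stored = insert_contact_parameterized(conn, "O'Toole", "ot@example.com")
    return filtered, alert, stored


if __name__ == "__main__":
    filtered, alert, stored = demo()
    print("blacklist filter :", filtered, "alert =", alert)
    print("bind variables   :", stored)
```

Running `demo()` shows the filter rewriting the element to `name=O Toole` and raising the alert, while the parameterized path returns `O'Toole` unchanged. The filter still has the role Jason assigns it, flagging suspicious input, but the query itself is protected by the placeholders rather than by which characters happen to be on the list.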
Current thread:
- Re: SQL Injection Basics, (continued)
- Re: SQL Injection Basics Kevin Spett (Feb 11)
- RE: SQL Injection Basics Patrick Debois (Feb 11)
- RE: SQL Injection Basics Logan F.D. Greenlee (Feb 11)
- RE: SQL Injection Basics Mark Mcdonald (Feb 11)
- Re: SQL Injection Basics Jim McGarvey (Feb 11)
- Re: SQL Injection Basics Mark Curphey (Feb 11)
- Re: SQL Injection Basics Jim McGarvey (Feb 12)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 12)
- Re: SQL Injection Basics Jim McGarvey (Feb 11)
- RE: SQL Injection Basics David Cameron (Feb 11)
- RE: SQL Injection Basics Mark Mcdonald (Feb 11)
- RE: SQL Injection Basics Jason Benson (Feb 12)
- RE: SQL Injection Basics David Cameron (Feb 12)
- Re: SQL Injection Basics Alex Russell (Feb 12)
- RE: SQL Injection Basics David Cameron (Feb 12)
- RE: SQL Injection Basics Brass, Phil (ISS Atlanta) (Feb 13)
- Re: SQL Injection Basics Bart McKinnley (Feb 14)