Re: Web Forms filtered with SQL constraints

[Steven Boone <sboone () pyrontechnologies com>]

In answer to your first question, there is really no way to hide the
javascript filtering from clients as it is all handled on the client
side. No matter what you do to try and hide the code from the user,
there are ways to get it, as the methods that you mentioned for hiding
the code are browser dependent.  All a person would have to do is
download the page via wget or some other method and save it locally to
their hard drive, and they have full access to your Jscript code, no
matter what methods you use to hide it.  What I would do in this event
is perform the same kind of checks in your asp code on the page that the
form posts to.  The asp code is never visible to the client, so adding
these checks on the server side is a lot more secure.  It sounds to me
as if you are using regular expressions to check the validity of the
data entered via Jscript.  You should do the same in your asp pages to
make sure the data is valid before it even goes to your database.

I am not all that familiar with ASP, but I know that you can place some
error handling in your code that will prevent errors from being
displayed to the screen.  What I do is if I detect an error in an SQL
query, I redirect to an error page and display a friendly message to the
user, and email the error to my email account.  You could also just have
the error log to a file on your server.  This way, they never see the
actual database message, but you still have access to it for debugging
purposes, etc.  You should also disable error messages in IIS (if you
have access to the IIS server) so that if an error occurs, the user will
only see the default "500 Server Error" message.

Steve

On Tue, 2004-10-05 at 13:25 +0100, Bénoni MARTIN wrote:
> Hi list !
>
> I was wondering how to solve the 2 following problems: I have ASP (not ASP.NET) formulaires people have to fill in. 
> To avoid SQ injection attacks and other tricks, I have set up some Jscript filtering on each field (i.e. for instance 
> a name can just be alphabet's characters and no figures :) ), and I am planning to do the same on my Database 
> (setting up constraints).
>
>
> But I have 2 questions:
>       - How can I hide my Jscript filtering from the user ? When I want to see the source, everything is diaplayed, 
> quite normal :( ... Maybe it's not so good to tell people what I have done to filter them :) I saw some sites where 
> it is impossible to see the source, impossible to "hoover the site", impossible even to print ... But I have not been 
> able to find on the net how to do this :(
>
>       - How can I deal with possible SQL errors within an ASP page ? I mean, if a field has been filled in, bypass my 
> Jscript filtering (no matter how), and gets to the database but is then "stopped" by an SQL onstraint, how do I raise 
> this error on an ASP page without diplaying an explicit error (giving the user the name of my database for instance) ?
>
> Cheers for any clue, I am lost on this topic :(