WebApp Sec mailing list archives
Re: Web Forms filtered with SQL constraints
From: Steven Boone <sboone () pyrontechnologies com>
Date: Wed, 06 Oct 2004 10:36:58 -0600
In answer to your first question, there is really no way to hide the javascript filtering from clients as it is all handled on the client side. No matter what you do to try and hide the code from the user, there are ways to get it, as the methods that you mentioned for hiding the code are browser dependent. All a person would have to do is download the page via wget or some other method and save it locally to their hard drive, and they have full access to your Jscript code, no matter what methods you use to hide it.

What I would do in this event is perform the same kind of checks in your asp code on the page that the form posts to. The asp code is never visible to the client, so adding these checks on the server side is a lot more secure. It sounds to me as if you are using regular expressions to check the validity of the data entered via Jscript. You should do the same in your asp pages to make sure the data is valid before it even goes to your database.

I am not all that familiar with ASP, but I know that you can place some error handling in your code that will prevent errors from being displayed to the screen. What I do is, if I detect an error in an SQL query, I redirect to an error page and display a friendly message to the user, and email the error to my email account. You could also just have the error log to a file on your server. This way, they never see the actual database message, but you still have access to it for debugging purposes, etc.

You should also disable error messages in IIS (if you have access to the IIS server) so that if an error occurs, the user will only see the default "500 Server Error" message.

Steve

On Tue, 2004-10-05 at 13:25 +0100, Bénoni MARTIN wrote:
Hi list ! I was wondering how to solve the 2 following problems: I have ASP (not ASP.NET) forms people have to fill in. To avoid SQL injection attacks and other tricks, I have set up some Jscript filtering on each field (i.e. for instance a name can just be alphabetic characters and no figures :) ), and I am planning to do the same on my Database (setting up constraints). But I have 2 questions:

- How can I hide my Jscript filtering from the user ? When I want to see the source, everything is displayed, quite normal :( ... Maybe it's not so good to tell people what I have done to filter them :) I saw some sites where it is impossible to see the source, impossible to "hoover the site", impossible even to print ... But I have not been able to find on the net how to do this :(

- How can I deal with possible SQL errors within an ASP page ? I mean, if a field has been filled in, bypasses my Jscript filtering (no matter how), and gets to the database but is then "stopped" by an SQL constraint, how do I raise this error on an ASP page without displaying an explicit error (giving the user the name of my database for instance) ?

Cheers for any clue, I am lost on this topic :(
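The two pieces of advice in the reply above, repeating the client-side field checks on the server and never echoing the raw database error to the user, as an added example that is not part of either post. It is written as plain Node.js rather than classic ASP/JScript so it can be run as-is; FIELD_RULES, validateForm, handleSubmission, fakeInsert and failingInsert are hypothetical names chosen for this illustration, and the constraint-violation messages are constructed text, not real SQL Server output.

```javascript
// Added example, not code from the original posts. Server-side mirror of the
// client-side checks plus error handling that keeps database detail private.

// Allow-list rules, mirroring what the client-side JScript would check. Because
// the client code is fully visible and bypassable (wget, saved page, edited
// form), these server-side checks are the ones that actually protect the DB.
const FIELD_RULES = {
  name: /^[A-Za-z][A-Za-z' -]{0,49}$/, // letters only, no digits, as in the post
  age: /^[0-9]{1,3}$/,
};

// Returns an object mapping each failing field to a short reason;
// an empty object means every field passed.
function validateForm(fields) {
  const errors = {};
  for (const [field, rule] of Object.entries(FIELD_RULES)) {
    const value = fields[field];
    if (typeof value !== "string") {
      errors[field] = "missing";
    } else if (!rule.test(value)) {
      errors[field] = "invalid";
    }
  }
  return errors;
}

// Stand-in for the real INSERT. Succeeds for well-formed input (constructed
// behaviour for the example).
function fakeInsert(fields) {
  return { inserted: true, name: fields.name };
}

// Stand-in for an INSERT that passes the regex checks but still hits a database
// constraint (e.g. a duplicate name). The message is constructed to look like a
// verbose engine error that must never reach the browser.
function failingInsert() {
  throw new Error(
    "Violation of UNIQUE KEY constraint 'UQ_customers_name' in database 'CRM', table 'dbo.customers'"
  );
}

// Processes one form post. `insert` is the database function and `errorLog` is
// an array standing in for the log file or e-mail the reply suggests.
// The returned body is what the user sees; it never contains the SQL error text.
function handleSubmission(fields, insert, errorLog) {
  const errors = validateForm(fields);
  if (Object.keys(errors).length > 0) {
    return { status: 400, body: "Please correct the highlighted fields.", errors };
  }
  try {
    insert(fields);
    return { status: 200, body: "Thank you, your details were saved." };
  } catch (err) {
    // Record the full detail privately, with a reference the user can quote.
    const reference = "ERR-" + String(errorLog.length + 1).padStart(4, "0");
    errorLog.push({ reference, message: err.message, submitted: Object.keys(fields) });
    return {
      status: 500,
      body: `Sorry, something went wrong. Please quote reference ${reference}.`,
    };
  }
}

// Three representative posts: a clean one, an injection attempt that the
// server-side regex rejects, and a clean one that trips a DB constraint.
function demo() {
  const log = [];
  return {
    ok: handleSubmission({ name: "Ada Lovelace", age: "36" }, fakeInsert, log),
    rejected: handleSubmission(
      { name: "Robert'); DROP TABLE customers;--", age: "1" }, fakeInsert, log),
    dbError: handleSubmission({ name: "Ada Lovelace", age: "36" }, failingInsert, log),
    log,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the file prints the three responses and the private log; only the log entry carries the database and table names. In real classic ASP the same split applies: validate in the .asp page that receives the POST, wrap the ADO call in error handling, and write the detail to a file or e-mail while the user is redirected to a generic error page.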
Current thread:
- Web Forms filtered with SQL constraints Bénoni MARTIN (Oct 05)
- Re: Web Forms filtered with SQL constraints Ian (Oct 07)
- Re: Web Forms filtered with SQL constraints RSnake (Oct 07)
- Re: Web Forms filtered with SQL constraints Saphyr (Oct 09)
- Re: Web Forms filtered with SQL constraints tie (Oct 07)
- Re: Web Forms filtered with SQL constraints Steven Boone (Oct 07)
- RE: Web Forms filtered with SQL constraints V. Poddubnyy (Oct 08)
- RE: Web Forms filtered with SQL constraints focus (Oct 09)
- Re: Web Forms filtered with SQL constraints Matt Fisher (Oct 09)
- Re: Web Forms filtered with SQL constraints yahoouec (Oct 12)
- <Possible follow-ups>
- RE: Web Forms filtered with SQL constraints Mike Allison (Oct 05)
- Netware ichain Taki Waki (Oct 06)
- RE: Netware ichain Eyal Udassin (Oct 07)
- Netware ichain Taki Waki (Oct 06)
- Re: Web Forms filtered with SQL constraints Tom Stowell (Oct 07)
- RE: Web Forms filtered with SQL constraints Bénoni MARTIN (Oct 09)
- RE: Web Forms filtered with SQL constraints RSnake (Oct 12)