WebApp Sec mailing list archives
Re: Web Forms filtered with SQL constraints
From: "Tom Stowell" <jts () deforest k12 wi us>
Date: Wed, 06 Oct 2004 11:56:47 -0500
A fundamental problem with your approach is that the point of filtering client-side input is that you cannot trust the client. You can't trust the user, and you can't trust the software she is running. Who is to say that whatever client-side tricks you use to ostensibly hide the page source from the user can't be bypassed by the user? It may be as simple as disabling JavaScript or using a different user-agent, or in the worst case simply grabbing the source to a browser and hacking away at it. (Mozilla/Firefox come to mind.)

While client-side input validation may have its uses, those uses do NOT include filtering for security exploits. Always assume that the user/user-agent may submit anything he/she/it wishes to your server-side applications. Your server side should never trust anything from the client without validating it first. EVER.

There are custom proxies that make it simple to submit arbitrary data into input fields. They're simple to use, and free. See http://www.onlamp.com/pub/a/php/2004/01/22/php_proxy.html for a great article on the subject.

Regards,

Tom Stowell
Network Administrator
DeForest Area School District
520 E. Holum St.
DeForest, WI 53532
Fax: (608)-842-6545
Voice: (608)-842-6500
Email: <jts () deforest k12 wi us>

console, n. [From Latin consolatio(n) "comfort, spiritual solace."] A device for displaying or printing condolences or obituaries for the operator.
-- Stan Kelly-Bootle, The Computer Contradictionary.
Bénoni MARTIN <Benoni.MARTIN () libertis ga> 10/05/04 07:25AM >>>
Hi list!

I was wondering how to solve the 2 following problems: I have ASP (not ASP.NET) forms people have to fill in. To avoid SQL injection attacks and other tricks, I have set up some JScript filtering on each field (i.e. for instance a name can just be alphabet's characters and no figures :) ), and I am planning to do the same on my database (setting up constraints). But I have 2 questions:

- How can I hide my JScript filtering from the user? When I want to see the source, everything is displayed, quite normal :( ... Maybe it's not so good to tell people what I have done to filter them :) I saw some sites where it is impossible to see the source, impossible to "hoover the site", impossible even to print ... But I have not been able to find on the net how to do this :(

- How can I deal with possible SQL errors within an ASP page? I mean, if a field has been filled in, bypasses my JScript filtering (no matter how), and gets to the database but is then "stopped" by an SQL constraint, how do I raise this error on an ASP page without displaying an explicit error (giving the user the name of my database for instance)?

Cheers for any clue, I am lost on this topic :(
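The following is an added example, not code from either poster; it shows in one place what Tom's reply argues (re-validate on the server because the client-side JScript can be skipped) and what the original question asks about (a database constraint catching what got through, reported to the user without leaking database details). Python's standard sqlite3 module stands in for the ASP page and its database as an assumption; the letters-only rule for the "name" field, the `people` table, and the sample submissions are constructed for the demonstration. Note that the server-side check, the parameterised query and the constraint are three independent layers: the last two hold even when the first is switched off.

```python
import logging
import re
import sqlite3

# Server-side rule for the "name" field: letters only, 1-50 of them. This is
# the same rule the poster enforces with client-side JScript, enforced again
# here because the client may never have run that script. (Constructed rule.)
NAME_RE = re.compile(r"^[A-Za-z]{1,50}$")

logger = logging.getLogger("formapp")


def open_db():
    """In-memory database with the same rule expressed as a CHECK constraint.
    (Assumed schema; the original post does not show the table.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people ("
        "  name TEXT NOT NULL"
        "  CHECK (length(name) BETWEEN 1 AND 50 AND name NOT GLOB '*[^A-Za-z]*'))"
    )
    return conn


def validate_name(raw):
    """Server-side validation. Returns None if acceptable, else a user-safe reason."""
    if not isinstance(raw, str) or not NAME_RE.fullmatch(raw):
        return "Name must be 1-50 letters (A-Z, a-z)."
    return None


def insert_person(conn, name):
    """Parameterised insert: the submitted value is bound as data and never
    becomes part of the SQL text, so quotes in it cannot alter the statement."""
    conn.execute("INSERT INTO people (name) VALUES (?)", (name,))
    conn.commit()


def handle_submission(conn, form, enforce_validation=True):
    """Process one POSTed form. Returns (http_status, message_for_user).
    Database error details are logged on the server and never echoed back."""
    name = form.get("name", "")
    if enforce_validation:
        problem = validate_name(name)
        if problem:
            return 400, problem
    try:
        insert_person(conn, name)
    except sqlite3.IntegrityError as exc:
        # CHECK / NOT NULL / UNIQUE violation. exc names the table and the
        # constraint; that goes to the log, the user gets a generic message.
        logger.warning("constraint rejected input %r: %s", name, exc)
        return 400, "The value you entered is not acceptable."
    except sqlite3.DatabaseError as exc:
        logger.error("database error: %s", exc)
        return 500, "An internal error occurred. Please try again later."
    return 200, "Saved."


def count_people(conn):
    return conn.execute("SELECT COUNT(*) FROM people").fetchone()[0]


# Constructed sample submissions: one the client-side script would accept,
# and two an attacker sends straight to the server with the JScript disabled.
SUBMISSIONS = [
    {"name": "Alice"},
    {"name": "Robert'); DROP TABLE people; --"},
    {"name": "x' OR '1'='1"},
]

if __name__ == "__main__":
    db = open_db()
    for form in SUBMISSIONS:
        print(handle_submission(db, form))
    # With the server-side check deliberately switched off, the parameterised
    # query keeps the payload out of the SQL and the CHECK constraint rejects
    # it; the user still only sees the generic message.
    print(handle_submission(db, SUBMISSIONS[1], enforce_validation=False))
    print(count_people(db))
```

The same structure maps onto classic ASP: re-apply the field rule in the server-side script before touching ADO, use parameters on the Command object rather than concatenating the field into the SQL string, wrap the execute in an error handler that writes the details to a log and returns a fixed message, and leave the database constraint in place as the last line of defence.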
Current thread:
- Re: Web Forms filtered with SQL constraints, (continued)
- Re: Web Forms filtered with SQL constraints Saphyr (Oct 09)
- Re: Web Forms filtered with SQL constraints tie (Oct 07)
- Re: Web Forms filtered with SQL constraints Steven Boone (Oct 07)
- RE: Web Forms filtered with SQL constraints V. Poddubnyy (Oct 08)
- RE: Web Forms filtered with SQL constraints focus (Oct 09)
- Re: Web Forms filtered with SQL constraints Matt Fisher (Oct 09)
- Re: Web Forms filtered with SQL constraints yahoouec (Oct 12)
- RE: Web Forms filtered with SQL constraints Mike Allison (Oct 05)
- Netware ichain Taki Waki (Oct 06)
- RE: Netware ichain Eyal Udassin (Oct 07)
- Netware ichain Taki Waki (Oct 06)
- Re: Web Forms filtered with SQL constraints Tom Stowell (Oct 07)
- RE: Web Forms filtered with SQL constraints Bénoni MARTIN (Oct 09)
- RE: Web Forms filtered with SQL constraints RSnake (Oct 12)
- RE: Web Forms filtered with SQL constraints Dr Death (Oct 12)
- Re: Web Forms filtered with SQL constraints Emil Filipov (Oct 14)
- RE: Web Forms filtered with SQL constraints Michael Silk (Oct 12)
- RE: Web Forms filtered with SQL constraints Michael Silk (Oct 12)
- RE: Web Forms filtered with SQL constraints Bénoni MARTIN (Oct 14)
- Re: Web Forms filtered with SQL constraints saphyr (Oct 15)
- Re: Web Forms filtered with SQL constraints RSnake (Oct 16)
- Re: Web Forms filtered with SQL constraints saphyr (Oct 15)