Re: Web Forms filtered with SQL constraints

["Tom Stowell" <jts () deforest k12 wi us>]

A fundamental problem with your approach is that the point
of filtering client-side input is that you cannot trust the client.

You can't trust the user, and you can't trust the software
she is running. Who is to say that whatever client-side
tricks you use to ostensibly hide the page source from
the user can't be bypassed by the user? It may be as simple
as disabling javascript or using a different user-agent, or
in the worst case simply grabbing the source to a browser
and hacking away at it. (Mozilla/Firefox come to mind.)

While client-side input validation may have its uses, those
uses do NOT include filtering for security exploits. Always
assume that the user/user-agent may submit anything he/she/it
wishes to your server-side applications. Your server-side
should never trust anything from the client without validating
it first. EVER.

There are custom proxies that make it simple to submit arbitrary
data into input fields. They're simple to use, and free.

See http://www.onlamp.com/pub/a/php/2004/01/22/php_proxy.html

for a great article on the subject.

Regards,





Tom Stowell
Network Administrator
DeForest Area School District
520 E. Holum St.
DeForest, WI 53532
Fax: (608)-842-6545
Voice: (608)-842-6500
Email: <jts () deforest k12 wi us>


console, n. [From latin consolatio(n) "comfort, spiritual solace."] A device for displaying or printing condolances or 
obituaries for the operator.
            -- Stan Kelly-Bootle, The Computer Contradictionary.


> > > Bénoni MARTIN <Benoni.MARTIN () libertis ga> 10/05/04 07:25AM >>>
Hi list !

I was wondering how to solve the 2 following problems: I have ASP (not ASP.NET) formulaires people have to fill in. To 
avoid SQ injection attacks and other tricks, I have set up some Jscript filtering on each field (i.e. for instance a 
name can just be alphabet's characters and no figures :) ), and I am planning to do the same on my Database (setting up 
constraints).


But I have 2 questions:
        - How can I hide my Jscript filtering from the user ? When I want to see the source, everything is diaplayed, 
quite normal :( ... Maybe it's not so good to tell people what I have done to filter them :) I saw some sites where it 
is impossible to see the source, impossible to "hoover the site", impossible even to print ... But I have not been able 
to find on the net how to do this :(

        - How can I deal with possible SQL errors within an ASP page ? I mean, if a field has been filled in, bypass my 
Jscript filtering (no matter how), and gets to the database but is then "stopped" by an SQL onstraint, how do I raise 
this error on an ASP page without diplaying an explicit error (giving the user the name of my database for instance) ?

Cheers for any clue, I am lost on this topic :(