WebApp Sec mailing list archives

Re: Web Forms filtered with SQL constraints


From: "Matt Fisher" <mattfisher () comcast net>
Date: Thu, 7 Oct 2004 23:51:14 -0400

Perform good strong validation on the *server*, as everyone else has said,
but also use parameterized queries.  I believe "plain old" ADO (vs ado.net)
supports them, though most of the time they're mentioned as a "new" (?)
feature of ado.net.  You'll get a performance increase as well.



-----------------------------------------
Rage-Quote:heads%20bobbin'%20to%20the%20funk%20outya speaker


----- Original Message ----- 
From: "Bénoni MARTIN" <Benoni.MARTIN () libertis ga>
To: <webappsec () securityfocus com>
Sent: Tuesday, October 05, 2004 8:25 AM
Subject: Web Forms filtered with SQL constraints


Hi list !

I was wondering how to solve the 2 following problems: I have ASP (not
ASP.NET) forms people have to fill in. To avoid SQL injection attacks
and other tricks, I have set up some Jscript filtering on each field (i.e.
for instance a name can just be alphabetic characters and no digits :) ),
and I am planning to do the same on my Database (setting up constraints).


But I have 2 questions:
- How can I hide my Jscript filtering from the user ? When I want to see the
source, everything is displayed, quite normal :( ... Maybe it's not so good
to tell people what I have done to filter them :) I saw some sites where it
is impossible to see the source, impossible to "hoover the site", impossible
even to print ... But I have not been able to find on the net how to do this
:(

- How can I deal with possible SQL errors within an ASP page ? I mean, if a
field has been filled in, bypasses my Jscript filtering (no matter how), and
gets to the database but is then "stopped" by an SQL constraint, how do I
raise this error on an ASP page without displaying an explicit error (giving
the user the name of my database for instance) ?

Cheers for any clue, I am lost on this topic :(
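Matt's advice (validate on the server, then use a parameterized query through plain ADO) and the second question of the original message (a database error that must not leak the database name to the user) fit in one classic ASP page. The block below is an added example written by the editor, not code posted by either participant. It assumes a connection string stored in Application("ConnString"), a table named customers with a name column, and a server-side log file at /logs/db.log; all three are hypothetical.

```vbscript
<%
' Added example (editor), not code from the thread. Classic ASP / VBScript.
' Hypothetical assumptions: Application("ConnString"), table "customers"
' with column "name", and a writable /logs/db.log under the web root.
Option Explicit

' ADO constants, normally pulled in from adovbs.inc
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const adStateOpen = 1

' Server-side validation. This runs whether or not the client-side
' JScript check was bypassed, so the client check only improves usability.
Function IsValidName(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z]{1,50}$"
    IsValidName = re.Test(value)
End Function

' Parameterized query with ADODB.Command. The value is bound as a
' parameter and never concatenated into the SQL text, which is what
' makes a quote or comment sequence in the input harmless.
' Vulnerable form this replaces:
'   conn.Execute("SELECT id, name FROM customers WHERE name = '" & customerName & "'")
Function FindCustomer(conn, customerName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT id, name FROM customers WHERE name = ?"
    cmd.Parameters.Append cmd.CreateParameter("name", adVarChar, adParamInput, 50, customerName)
    Set FindCustomer = cmd.Execute
End Function

' Record the real error (including provider messages from conn.Errors)
' on the server. The browser only ever gets the generic message below.
Sub LogDbError(conn, context)
    Dim fso, f, e, entry
    entry = Now & " " & context & " Err " & Err.Number & ": " & Err.Description
    If IsObject(conn) Then
        For Each e In conn.Errors
            entry = entry & " | " & e.NativeError & " " & e.Description
        Next
    End If
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(Server.MapPath("/logs/db.log"), 8, True) ' 8 = ForAppending
    f.WriteLine entry
    f.Close
End Sub

Dim customerName, conn, rs
customerName = Request.Form("name")

If Not IsValidName(customerName) Then
    Response.Write "Please enter a name using letters only."
Else
    On Error Resume Next
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnString")
    Set rs = FindCustomer(conn, customerName)
    If Err.Number <> 0 Then
        ' Constraint violation, timeout, bad connection string: log it,
        ' clear it, and show the user nothing about the database.
        LogDbError conn, "FindCustomer"
        Err.Clear
        Response.Write "Sorry, your request could not be processed."
    ElseIf rs.EOF Then
        Response.Write "No customer found."
    Else
        Response.Write "Found: " & Server.HTMLEncode(rs("name"))
    End If
    If IsObject(rs) Then rs.Close
    If conn.State = adStateOpen Then conn.Close
    On Error GoTo 0
End If
%>
```

Because the check is done on the server, there is nothing to hide in the client-side JScript: anyone who reads or disables it still hits IsValidName and the bound parameter. The On Error Resume Next block is also what keeps IIS from rendering its default ADO error page, which is where the database name and provider text would otherwise appear.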

