WebApp Sec mailing list archives
Re: Web Forms filtered with SQL constraints
From: "Matt Fisher" <mattfisher () comcast net>
Date: Thu, 7 Oct 2004 23:51:14 -0400
Perform good strong validation on the *server*, as everyone else has said , but also use parameterized queries. I believe "plain old" ADO (vs ado.net) supports them, though most of the time they're mentioned as a "new" (?) feature of ado.net. You'll get a performance increase as well. ----------------------------------------- Rage-Quote:heads%20bobbin'%20to%20the%20funk%20outya speaker ----- Original Message ----- From: "Bénoni MARTIN" <Benoni.MARTIN () libertis ga> To: <webappsec () securityfocus com> Sent: Tuesday, October 05, 2004 8:25 AM Subject: Web Forms filtered with SQL constraints Hi list ! I was wondering how to solve the 2 following problems: I have ASP (not ASP.NET) formulaires people have to fill in. To avoid SQ injection attacks and other tricks, I have set up some Jscript filtering on each field (i.e. for instance a name can just be alphabet's characters and no figures :) ), and I am planning to do the same on my Database (setting up constraints). But I have 2 questions: - How can I hide my Jscript filtering from the user ? When I want to see the source, everything is diaplayed, quite normal :( ... Maybe it's not so good to tell people what I have done to filter them :) I saw some sites where it is impossible to see the source, impossible to "hoover the site", impossible even to print ... But I have not been able to find on the net how to do this :( - How can I deal with possible SQL errors within an ASP page ? I mean, if a field has been filled in, bypass my Jscript filtering (no matter how), and gets to the database but is then "stopped" by an SQL onstraint, how do I raise this error on an ASP page without diplaying an explicit error (giving the user the name of my database for instance) ? Cheers for any clue, I am lost on this topic :(
Current thread:
- Web Forms filtered with SQL constraints Bénoni MARTIN (Oct 05)
- Re: Web Forms filtered with SQL constraints Ian (Oct 07)
- Re: Web Forms filtered with SQL constraints RSnake (Oct 07)
- Re: Web Forms filtered with SQL constraints Saphyr (Oct 09)
- Re: Web Forms filtered with SQL constraints tie (Oct 07)
- Re: Web Forms filtered with SQL constraints Steven Boone (Oct 07)
- RE: Web Forms filtered with SQL constraints V. Poddubnyy (Oct 08)
- RE: Web Forms filtered with SQL constraints focus (Oct 09)
- Re: Web Forms filtered with SQL constraints Matt Fisher (Oct 09)
- Re: Web Forms filtered with SQL constraints yahoouec (Oct 12)
- <Possible follow-ups>
- RE: Web Forms filtered with SQL constraints Mike Allison (Oct 05)
- Netware ichain Taki Waki (Oct 06)
- RE: Netware ichain Eyal Udassin (Oct 07)
- Netware ichain Taki Waki (Oct 06)
- Re: Web Forms filtered with SQL constraints Tom Stowell (Oct 07)
- RE: Web Forms filtered with SQL constraints Bénoni MARTIN (Oct 09)
- RE: Web Forms filtered with SQL constraints RSnake (Oct 12)
- RE: Web Forms filtered with SQL constraints Dr Death (Oct 12)
- Re: Web Forms filtered with SQL constraints Emil Filipov (Oct 14)
- RE: Web Forms filtered with SQL constraints Michael Silk (Oct 12)
(Thread continues...)
- Re: Web Forms filtered with SQL constraints Ian (Oct 07)