RE: Web Forms filtered with SQL constraints

["Dr Death" <drdeath4ever () hotmail com>]

i have some scripts that hid your page source.

Dr.Death

> From: Bénoni MARTIN <Benoni.MARTIN () libertis ga>
> To: "RSnake" <rsnake () shocking com>, <webappsec () securityfocus com>
> Subject: RE: Web Forms filtered with SQL constraints
> Date: Fri, 8 Oct 2004 17:09:21 +0100
>
> Hi !
>
> Thanks for the reply, it's as I was thinking about ! I went on the web to 
> get some more infos about that, and I found this article:
> http://www.developerfusion.com/show/4325/
>
> So some tell this is a good idea, others say it's not, so I am lost :( :)
>
>
> -----Message d'origine-----
> De : RSnake [mailto:rsnake () shocking com]
> Envoyé : vendredi 8 octobre 2004 01:42
> À : webappsec () securityfocus com
> Cc : Bénoni MARTIN
> Objet : Re: Web Forms filtered with SQL constraints
>
>
>         Nothing you do at the client side can be hidden.  I can write a
>         client that downloads the source, or watch it via a proxy, or
>         look at the cache, etc....  don't even bother trying.  You
>         should consider anything client side as protection from
>         inadvertant mistakes by users only, and you should always have a
>         fall back filter in place to catch the errors before they do any
>         damage.
>
> On Wed, 6 Oct 2004, Ian wrote:
>
> | Date: Wed, 06 Oct 2004 09:52:03 +0100
> | From: Ian <webappsec2 () fishnet co uk>
> | Reply-To: webappsec () securityfocus com
> | To: "[ISO-8859-1] Bénoni MARTIN" <Benoni.MARTIN () libertis ga>,
> |     webappsec () securityfocus com
> | Subject: Re: Web Forms filtered with SQL constraints
> |
> | On 5 Oct 2004 at 13:25, Bénoni MARTIN wrote:
> |
> | > Hi list !
> | >
> | > I was wondering how to solve the 2 following problems: I have ASP
> | > (not
> | > ASP.NET) formulaires people have to fill in. To avoid SQ injection
> | > attacks and other tricks, I have set up some Jscript filtering on each 
> field (i.e.
> | > for instance a name can just be alphabet's characters and no figures
> | > :) ), and I am planning to do the same on my Database (setting up 
> constraints).
> | >
> | >
> | > But I have 2 questions:  - How can I hide my Jscript filtering from the
> | > user ? When I want to see the source, everything is diaplayed, quite
> | > normal :( ... Maybe it's not so good to tell people what I have done
> | > to filter them :) I saw some sites where it is impossible to see the
> | > source, impossible to "hoover the site", impossible even to print
> | > ... But I have not been able to find on the net how to do this :(
> | >
> | >  - How can I deal with possible SQL errors within an ASP page ? I
> | > mean, if a field has been filled in, bypass my Jscript filtering (no
> | > matter how), and gets to the database but is then "stopped" by an
> | > SQL onstraint, how do I raise this error on an ASP page without
> | > diplaying an explicit error (giving the user the name of my database 
> for instance) ?
> | >
> | > Cheers for any clue, I am lost on this topic :(
> |
> | Hi,
> |
> | Using classic ASP with vbscript you would add this to the top of the 
> page:
> |
> | <% on error resume next %>
> |
> | Then after every SQL query:
> |
> | <%
> | if err then
> |       Response.write "There was a database error"
> |       ' Log to error to file
> | end if
> | %>
> |
> | I think the equivalent in JScript is the Try, Catch, Finally:
> |
> | http://msdn.microsoft.com/library/default.asp?url=/library/en-
> | us/script56/html/js56jslrfjscripterrorstoc.asp
> |
> | Hope this helps
> |
> | Ian
> | --
> |
> |
> |
> |
> |
>
> -R
>
> The information in this email is confidential and may be legally 
> privileged.  It is intended solely for the addressee.  Access to this email 
> by anyone else is unauthorized.  If you are not the intended recipient, any 
> disclosure, copying, distribution or any action taken or omitted to be 
> taken in reliance on it is expressly prohibited and may be unlawful.