Another Sql Injection

Discussion in 'ASP .Net Security' started by Joe Kaplan (MVP - ADSI), Aug 9, 2005.

  1. What on earth does your regular expression for an email address look like
    that it matched that string?!

    Note that this still should not be a problem to store this value in the
    database as long as it is never concatenated in a SQL string and is only
    used with a parameterized query, but it certainly won't be very useful for
    contacting anyone either.

    Joe K.

    "JR" <> wrote in message
    news:u%...
    > Hi guyz,
    >
    > I have a form which is to record the user id, password and email.
    > I filter the email using requiredfield validator and regularexpression
    > validator.
    > Everything works great till I found somebody can put this data in the
    > database, like this:
    >
    > having 1=1--
    >
    > for the email field.
    > Can anybody tell me how it can be put there, because whenever I
    > tried it, I could not find it.
    >
    > Thanks
    >
    > JR
    >
    >
    Joe Kaplan (MVP - ADSI), Aug 9, 2005
    #1

  2. JR (Guest)

    Hi guys,

    I have a form which is to record the user id, password and email.
    I filter the email using a RequiredField validator and a RegularExpression
    validator.
    Everything works great till I found somebody can put this data in the
    database, like this:

    having 1=1--

    for the email field.
    Can anybody tell me how it can be put there, because whenever I
    tried it, I could not find it.

    Thanks

    JR
    JR, Aug 9, 2005
    #2

  3. Cactus Corp. (Guest)

    I am asking myself how using a 'HAVING' clause could make
    your request work. Are you using GROUP BY requests when
    someone tries to register?

    Second question, what is your regular expression? Did you
    add the beginning and end of string signs?

    ^.....$

    antonio
    Cactus Corp., Aug 9, 2005
    #3
  4. Cactus Corp. (Guest)

    > Actually I don't really care whether the "having .." words can make something
    > wrong there.
    > But the point is, I just wonder how they can still put those words in my
    > database.


    Okay, I just misunderstood it ;) HAVING was really entered into the
    user table ;)

    Well... same question: show us your regular expression. Either it's wrong,
    or you missed some logic in your validation process. The first one's
    faster to examine.


    antonio
    Cactus Corp., Aug 9, 2005
    #4
  5. JR (Guest)

    Antonio,

    Actually I don't really care whether the "having .." words can make something
    wrong there.
    But the point is, I just wonder how they can still put those words in my
    database.
    I don't use GROUP BY. I'm using sql add.parameter.

    I tried it myself too, but it seems everything is OK.
    But that user can do it, so there must be some way to put that having 1=1--
    in the database.
    Or something is wrong with the RegularExpressionValidator or my code.

    Any idea?

    "Cactus Corp." <> wrote in message
    news:#...
    > I am asking myself how using a 'HAVING' clause could make
    > your request work. Are you using GROUP BY requests when
    > someone tries to register?
    >
    > Second question, what is your regular expression? Did you
    > add the beginning and end of string signs?
    >
    > ^.....$
    >
    > antonio
    >
    >
    JR, Aug 10, 2005
    #5
  6. JR (Guest)

    Here is my code:
    <asp:textbox id="txtEmail" runat="server" Width="200" MaxLength="30"/>
    <asp:RequiredFieldValidator id="valRequired2" runat="server"
    ControlToValidate="txtEmail"
    ErrorMessage="Required field"
    Display="dynamic" />

    <asp:RegularExpressionValidator id="valEmail" runat="server"
    ControlToValidate="txtEmail"
    ValidationExpression=".*@.*\..*"
    ErrorMessage="Error !"
    display="dynamic"/>

    Thanks, bud.

    > > Actually I don't really care whether the "having .." words can make something
    > > wrong there.
    > > But the point is, I just wonder how they can still put those words in my
    > > database.
    >
    > Okay, I just misunderstood it ;) HAVING was really entered into the
    > user table ;)
    >
    > Well... same question: show us your regular expression. Either it's wrong,
    > or you missed some logic in your validation process. The first one's
    > faster to examine.
    >
    >
    > antonio
    >
    >
    JR, Aug 10, 2005
    #6
  7. Cactus Corp. (Guest)


    > <asp:RegularExpressionValidator id="valEmail" runat="server"
    > ControlToValidate="txtEmail"
    > ValidationExpression=".*@.*\..*"
    > ErrorMessage="Error !"
    > display="dynamic"/>
    >


    You are requesting:

    "This string should CONTAIN any character, any number of times, followed
    by an '@', followed by any character, any number of times, followed by a dot '.',
    followed by any character, any number of times."

    Those strings are valid:

    "hi there ! how are you ? @ nice. Thanks!"
    "sdfsdklfjsdkfjsdf-%*ç%"*ç"*D\n\t\o\'@???^^^.asdsdd"
    "......................@...................."
    and so on.


    When constructing a RE, the first thing I'd advise you is to write down the rule.

    "This string should contain 4 parts:

    - the username: any word character, no spaces, no tabs, only alphanumerics, - and dots . in the middle of them
    antonio
    antonio-fontes
    antonio.fontes
    antonio2000fontes
    ...

    - the @:
    a single and only @
    - the domain name: one or more alpha words (a-z) with a hyphen '-', each word separated by a dot:
    domain.
    domain.example.
    server.domain
    server.domain.example.

    - the top level domain name:
    2, 3 or 4 letters:
    ch
    de
    com
    gov
    name
    info"

    This is your rule. Now let's format the four parts. I will make them very simple;
    it will be up to you to make them allow larger entries:

    Part 1: username, one or more words, each separated by a dot or a minus.

    \w+([-\.]\w+)*

    Part 2: the @

    @

    Part 3: the domain name(s):

    \w+([-\.]\w+)*

    Part 4: the top level domain name:

    \.\w{2,4}

    Which leads us to:

    \w+([-\.]\w+)*@\w+([-\.]\w+)*\.\w{2,4}

    And extremely IMPORTANT: we need to LOCK what is entered before
    this, and after this, with the ^ (beginning) and $ (end of) signs:

    ^\w+([-\.]\w+)*@\w+([-\.]\w+)*\.\w{2,4}$


    Hope this will help you build your own regular expression!!

    antonio
    Cactus Corp., Aug 10, 2005
    #7
  8. JR (Guest)

    This is totally very helpful for me, Antonio.
    Thanks a lot, man!


    "Cactus Corp." <> wrote in message
    news:Ot#...
    >
    > > <asp:RegularExpressionValidator id="valEmail" runat="server"
    > > ControlToValidate="txtEmail"
    > > ValidationExpression=".*@.*\..*"
    > > ErrorMessage="Error !"
    > > display="dynamic"/>
    > >

    >
    > You are requesting:
    >
    > "This string should CONTAIN any character, any number of times, followed
    > by an '@', followed by any character, any number of times, followed by a dot '.',
    > followed by any character, any number of times."
    >
    > Those strings are valid:
    >
    > "hi there ! how are you ? @ nice. Thanks!"
    > "sdfsdklfjsdkfjsdf-%*ç%"*ç"*D\n\t\o\'@???^^^.asdsdd"
    > "......................@...................."
    > and so on.
    >
    >
    > When constructing a RE, the first thing I'd advise you is to write down the
    > rule.
    >
    > "This string should contain 4 parts:
    >
    > - the username: any word character, no spaces, no tabs, only
    > alphanumerics, - and dots . in the middle of them
    > antonio
    > antonio-fontes
    > antonio.fontes
    > antonio2000fontes
    > ...
    >
    > - the @:
    > a single and only @
    > - the domain name: one or more alpha words (a-z) with a hyphen '-',
    > each word separated by a dot:
    > domain.
    > domain.example.
    > server.domain
    > server.domain.example.
    >
    > - the top level domain name:
    > 2, 3 or 4 letters:
    > ch
    > de
    > com
    > gov
    > name
    > info"
    >
    > This is your rule. Now let's format the four parts. I will make them very
    > simple;
    > it will be up to you to make them allow larger entries:
    >
    > Part 1: username, one or more words, each separated by a dot or a minus.
    >
    > \w+([-\.]\w+)*
    >
    > Part 2: the @
    >
    > @
    >
    > Part 3: the domain name(s):
    >
    > \w+([-\.]\w+)*
    >
    > Part 4: the top level domain name:
    >
    > \.\w{2,4}
    >
    > Which leads us to:
    >
    > \w+([-\.]\w+)*@\w+([-\.]\w+)*\.\w{2,4}
    >
    > And extremely IMPORTANT: we need to LOCK what is entered before
    > this, and after this, with the ^ (beginning) and $ (end of) signs:
    >
    > ^\w+([-\.]\w+)*@\w+([-\.]\w+)*\.\w{2,4}$
    >
    >
    > Hope this will help you build your own regular expression!!
    >
    > antonio
    >
    >
    >
    >
    >
    JR, Aug 11, 2005
    #8
  9. I noticed that email addresses are now starting to contain an apostrophe.
    Should your RegEx for part one be:

    \w+([-\.']\w+)* instead of \w+([-\.]\w+)*

    Edward Tisdale, Feb 15, 2006
    #9
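    As an added example (not code from the thread), the three expressions discussed in posts #7 and #9 compared over constructed inputs using Python's re module, whose syntax for these patterns is the same as .NET's; the sample strings and the apostrophe address are constructed for the demonstration:

```python
import re

# Expressions taken from the thread: the original validator expression (post #6),
# Antonio's anchored rule (post #7) and Edward's apostrophe variant (post #9).
LOOSE = r".*@.*\..*"
ANCHORED = r"^\w+([-\.]\w+)*@\w+([-\.]\w+)*\.\w{2,4}$"
ANCHORED_APOS = r"^\w+([-\.']\w+)*@\w+([-\.]\w+)*\.\w{2,4}$"


def loose_accepts(value: str) -> bool:
    """Unanchored check: passes as soon as an '@' and a later '.' appear anywhere."""
    return re.search(LOOSE, value) is not None


def anchored_accepts(value: str, pattern: str = ANCHORED) -> bool:
    """Whole-string check. fullmatch is used on top of ^...$ because a bare '$'
    still tolerates one trailing newline in both the Python and .NET engines."""
    return re.fullmatch(pattern, value) is not None


# Constructed samples: two junk strings from post #7, a valid-looking prefix with
# SQL-looking trailing text, the string the thread asks about, a valid address
# and an apostrophe address of the kind post #9 mentions.
SAMPLES = [
    "hi there ! how are you ? @ nice. Thanks!",
    "......................@....................",
    "user@domain.com' OR 1=1--",
    "having 1=1--",
    "antonio.fontes@server.domain.com",
    "o'brien@domain.com",
]


def compare(samples=SAMPLES):
    """Return {input: (loose, anchored, anchored_with_apostrophe)} per sample."""
    return {
        s: (loose_accepts(s), anchored_accepts(s), anchored_accepts(s, ANCHORED_APOS))
        for s in samples
    }


if __name__ == "__main__":
    for value, (loose, strict, apos) in compare().items():
        print(f"{value!r:48} loose={loose} anchored={strict} apostrophe={apos}")
```

    Note that the string the thread asks about contains no '@' and is rejected even by the loose expression, which points at the second possibility Antonio raised in #4, the validation logic around the validator, rather than at the expression itself.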