Another SQL Injection

  • Thread starter: Joe Kaplan (MVP - ADSI)

Joe Kaplan (MVP - ADSI)

What on earth does your regular expression for an email address look like
that it matched that string?!

Note that it still should not be a problem to store this value in the
database as long as it is never concatenated into a SQL string and is only
used with a parameterized query, but it certainly won't be very useful for
contacting anyone either.

Joe K.
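Joe's point, shown as an added example rather than code from the thread: Python's standard sqlite3 module stands in for SQL Server and SqlCommand, and the table, seed rows and test inputs are all constructed here. The `having 1=1--` value goes in through a bound parameter and is stored verbatim as inert text; the same operations written with string concatenation then fail in the two ways that matter: an ordinary address containing an apostrophe breaks the INSERT outright, and a constructed tautology input rewrites the WHERE clause of a lookup so that it returns every row.

```python
import sqlite3

# Rows used to seed the table; constructed for this example, not from the thread.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org"]

# The value the original poster found in the email column.
SUSPICIOUS_VALUE = "having 1=1--"


def make_db():
    """Create an in-memory users table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (email) VALUES (?)",
                     [(e,) for e in SAMPLE_EMAILS])
    conn.commit()
    return conn


def store_email_concatenated(conn, email):
    """VULNERABLE: the value is pasted into the SQL text and parsed as SQL."""
    conn.execute("INSERT INTO users (email) VALUES ('" + email + "')")
    conn.commit()


def store_email_parameterized(conn, email):
    """SAFE: the value is bound as a parameter and never parsed as SQL."""
    conn.execute("INSERT INTO users (email) VALUES (?)", (email,))
    conn.commit()


def find_user_concatenated(conn, email):
    """VULNERABLE lookup: a quote in the input changes the query's structure."""
    rows = conn.execute("SELECT email FROM users WHERE email = '" + email + "'")
    return [r[0] for r in rows]


def find_user_parameterized(conn, email):
    """SAFE lookup: the whole input is compared as one string value."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [r[0] for r in rows]


def demo():
    """Run the comparisons on a fresh database and return named results."""
    results = {}
    conn = make_db()

    # 1. Bound as a parameter, the thread's string is just text in a column.
    store_email_parameterized(conn, SUSPICIOUS_VALUE)
    results["suspicious_value_stored_verbatim"] = (
        find_user_parameterized(conn, SUSPICIOUS_VALUE) == [SUSPICIOUS_VALUE])

    # 2. An address with an apostrophe: concatenation produces
    #    INSERT ... VALUES ('o'brien@example.com'), which is a syntax error...
    try:
        store_email_concatenated(conn, "o'brien@example.com")
        results["concatenated_insert_failed"] = False
    except sqlite3.OperationalError:
        results["concatenated_insert_failed"] = True
    #    ...while the parameterized insert stores it as-is.
    store_email_parameterized(conn, "o'brien@example.com")
    results["parameterized_insert_ok"] = (
        find_user_parameterized(conn, "o'brien@example.com") == ["o'brien@example.com"])

    # 3. A constructed tautology input. Concatenated, the lookup becomes
    #    WHERE email = 'x' OR '1'='1' and returns every row in the table
    #    (two seed rows, the suspicious value, and o'brien);
    #    parameterized, it looks for the literal string and finds nothing.
    tautology = "x' OR '1'='1"
    results["concatenated_select_returns_all_rows"] = (
        len(find_user_concatenated(conn, tautology)) == 4)
    results["parameterized_select_returns_nothing"] = (
        find_user_parameterized(conn, tautology) == [])

    conn.close()
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

Run the module to print the five checks. The ASP.NET equivalent is a SqlCommand whose text contains only `@name`-style placeholders, with the value supplied through the command's Parameters collection; any code path that builds the SQL text from the input, even one that has first validated it with a regular expression, reintroduces the problem.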
 

JR

Hi guys,

I have a form which is to record the user ID, password and email.
I filter the email using a RequiredFieldValidator and a RegularExpressionValidator.
Everything worked great until I found somebody could put this data in the
database, like this:

having 1=1--

for the email field.
Can anybody tell me how it can be put there? Because whenever I
tried it, I could not find a way.

Thanks

JR
 

Cactus Corp.

I am asking myself how using a 'HAVING' clause could make
your query work. Are you using GROUP BY queries when
someone tries to register?

Second question: what is your regular expression? Did you
add the beginning and end of string signs?

^.....$

antonio
 

Cactus Corp.

JR said:
Actually I don't really care that the "having .." words can make something
wrong there.
But the point is, I just wonder how they can still put those words in my
database.

Okay, I just misunderstood it ;) HAVING was really entered into the
user table ;)

Well... same question: show us your regular expression. Either it's wrong,
or you missed some logic in your validation process. The first one's
faster to examine.


antonio
 

JR

Antonio,

Actually I don't really care that the "having .." words can make something
wrong there.
But the point is, I just wonder how they can still put those words in my
database.
I don't use GROUP BY. I'm using SQL Parameters.Add.

I tried it myself too, but it seems everything is OK.
But that user can do it, so there must be some way to put that having 1=1--
in the database.
Or something is wrong with the RegularExpressionValidator or my code.

Any idea?
 

JR

Here is my code:
<asp:textbox id="txtEmail" runat="server" Width="200" MaxLength="30"/>
<asp:RequiredFieldValidator id="valRequired2" runat="server"
ControlToValidate="txtEmail"
ErrorMessage="Required field"
Display="dynamic" />

<asp:RegularExpressionValidator id="valEmail" runat="server"
ControlToValidate="txtEmail"
ValidationExpression=".*@.*\..*"
ErrorMessage="Error !"
display="dynamic"/>

thanks bud
 

Cactus Corp.

<asp:RegularExpressionValidator id="valEmail" runat="server"
ControlToValidate="txtEmail"
ValidationExpression=".*@.*\..*"
ErrorMessage="Error !"
display="dynamic"/>

You are requesting:

"This string should CONTAIN any character, any number of times, followed
by an '@', followed by any character, any number of times, followed by a dot '.', followed
by any character, any number of times."

Those strings are valid:

"hi there ! how are you ? @ nice. Thanks!"
"sdfsdklfjsdkfjsdf-%*ç%"*ç"*D\n\t\o\'@???^^^.asdsdd"
"......................@...................."
and so on.


When constructing a RE, the first thing I'd advise you to do is write down the rule.

"This string should contain 4 parts:

- the username: any word characters, no spaces, no tabs, only alphanumerics, with '-' and dots '.' in the middle of them:
antonio
antonio-fontes
antonio.fontes
antonio2000fontes
...

- the @:
a single and only @

- the domain name: one or more alpha words (a-z) with hyphen '-', each word separated by a dot:
domain.
domain.example.
server.domain
server.domain.example.

- the top level domain name:
2, 3 or 4 letters:
ch
de
com
gov
name
info"

This is your rule. Now let's format the four parts. I will make them very simple,
it will be up to you to make them allow larger entries:

Part 1 : username, one or more words, each separated by a dot or a minus.

\w+([-\.]\w+)*

Part 2 : the @

@

Part 3 : the domain name(s):

\w+([-\.]\w+)*

Part 4 : the top level domain name:

\.\w{2,4}

Which leads us to :

\w+([-\.]\w+)*@\w+([-\.]\w+)*\.\w{2,4}

And extremely IMPORTANT: we need to LOCK what is entered before
this, and after this, with the ^ (beginning) and $ (end) signs:

^\w+([-\.]\w+)*@\w+([-\.]\w+)*\.\w{2,4}$


Hope this will help you build your own regular expression!!

antonio
 

JR

This is totally helpful for me, Antonio.
Thanks a lot, man!


 

Edward Tisdale

I noticed that email addresses are now starting to contain an apostrophe.
Should your RegEx for part one be:

\w+([-\.']\w+)* instead of \w+([-\.]\w+)*
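Both regular-expression passages on this page, Antonio's diagnosis and anchored replacement above and Edward's apostrophe variant just before this, run here against a handful of constructed inputs in one added example (not code from the thread). Python's re module stands in for the .NET engine; the patterns and inputs are plain ASCII, on which the two agree. Each pattern is tried two ways: a search that accepts a match anywhere in the value, which is what Regex.IsMatch or re.search do, and a whole-string match, which is the test RegularExpressionValidator itself applies on the server (the match must start at index 0 and cover the full value), so inside that control the ^ and $ anchors are redundant but harmless, while in a hand-written IsMatch call they are essential.

```python
import re

# Patterns quoted on this page: the original validator expression, Antonio's
# anchored replacement, and Edward's variant allowing an apostrophe in the
# local part.
ORIGINAL = r".*@.*\..*"
ANCHORED = r"^\w+([-\.]\w+)*@\w+([-\.]\w+)*\.\w{2,4}$"
WITH_APOSTROPHE = r"^\w+([-\.']\w+)*@\w+([-\.]\w+)*\.\w{2,4}$"

# Constructed inputs for this example (not data from the thread), plus the
# value the original poster found in the email column and Antonio's first
# counter-example.
SAMPLES = [
    "antonio.fontes@example.com",                # ordinary address
    "o'brien@example.com",                       # apostrophe in the local part
    "having 1=1--",                              # the value found in the database
    "hi there ! how are you ? @ nice. Thanks!",  # Antonio's counter-example
    "user@example.com\n",                        # trailing newline
    "",                                          # empty: RequiredFieldValidator's job
]


def search_matches(pattern, value):
    """Accept if the pattern matches anywhere in value.

    This is what Regex.IsMatch / re.search do; only anchors written into
    the pattern itself limit where the match may start and stop."""
    return re.search(pattern, value) is not None


def whole_string_matches(pattern, value):
    """Accept only if the match starts at index 0 and spans the whole value.

    re.fullmatch does this; RegularExpressionValidator applies the same
    whole-string test on the server side, so ^ and $ are redundant there."""
    return re.fullmatch(pattern, value) is not None


def accepted(pattern, checker=whole_string_matches):
    """Return the sample inputs that the given pattern accepts under checker."""
    return [s for s in SAMPLES if checker(pattern, s)]


def report():
    """Print, for each pattern, what a search and a whole-string match accept."""
    for name, pattern in [("original", ORIGINAL),
                          ("anchored", ANCHORED),
                          ("apostrophe", WITH_APOSTROPHE)]:
        print(f"{name:10s} search:    {accepted(pattern, search_matches)!r}")
        print(f"{name:10s} fullmatch: {accepted(pattern)!r}")


if __name__ == "__main__":
    report()
```

Two things the output makes visible. First, `having 1=1--` is rejected by every pattern under both checks, so the expression was not what let it through; the thread never settles how it got there, and the practitioner's check is that the code-behind tests Page.IsValid before the save, since the validator controls' client-side script can be skipped by posting the form directly. Second, `$` in both Python and .NET also matches just before a trailing newline, so `user@example.com\n` passes the anchored pattern under a search; re.fullmatch (or `\z` instead of `$` in .NET) pins the real end of the string.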
 
