Robb Meade
Hi all,
A recent project that I had finished went live with no apparent problems.
My client received an email from a user who mentioned that by accident they
had been typing (over the querystring I guess), and the URL had become
default.asp?pageid='asd
They then received a SQL Server error message.
My client contacted their webhost, who came back to them promptly and talked
of 'SQL Injection'; they said that we would need to secure the code as well
as the permissions on the database (which I believe they have done).
This is something I had overlooked, and I started to write a fix for a couple
of nights ago... but I don't think it's 100%.
Basically I now do this at the top of my default.asp page...
'******************************************************************************
' Here we retrieve the page id from our querystring.
'******************************************************************************
strCurrentPageID = Request.QueryString("pageid")

'******************************************************************************
' If we do have a page id in the querystring we check that it is numeric.
'******************************************************************************
If strCurrentPageID <> "" Then

    '**************************************************************************
    ' If it is numeric we test whether our 'int' field type has been exceeded.
    ' The querystring value is a string, so convert it before the numeric
    ' comparison rather than relying on VBScript's string-versus-number
    ' comparison rules. Len() keeps CDbl away from absurdly long input.
    '**************************************************************************
    If IsNumeric(strCurrentPageID) And Len(strCurrentPageID) <= 10 Then
        Response.Write strCurrentPageID   ' debug output, remove when done
        If CDbl(strCurrentPageID) > 0 And CDbl(strCurrentPageID) <= 2147483647 Then
            strPageError = False
            strCurrentPageID = CLng(strCurrentPageID)
        Else
            strPageError = True
        End If

    '**************************************************************************
    ' If it is not numeric then we set our error flag to true.
    '**************************************************************************
    Else
        strPageError = True
    End If

'******************************************************************************
' If we do not have a page id within our querystring then we set our flag
' to false, and check our pages table to see which page has been set to the
' default page.
'******************************************************************************
ElseIf strCurrentPageID = "" Then
    strPageError = False
    SQL = "SELECT PageID FROM tblPages WHERE PageIsDefault = '1'"
%>
<!--#Include File="_IncludeScripts/ReadOnly.asp"-->
<%
    If Not RS.BOF And Not RS.EOF Then
        strCurrentPageID = RS("PageID")
    End If
%>
<!--#Include File="_IncludeScripts/ReadOnlyClose.asp"-->
<%
End If
%>
If the user arrives at the site with no pageid, we assume that they are
looking at the default page and set the CurrentPageID to the id of the page
flagged as being the home page.
If they do arrive here with a pageid in the querystring, I then start to
validate it...
First I check to see if it's numeric, as the id relates to an INT field type
in the SQL database; if it isn't, the validation sets a flag to 'false'; if
the value is numeric then I check to ensure that it's within the lower and
upper values for the INT data field type.
If all is ok, we set a flag to be 'true'.
The flag gets checked later on another page, which then displays either a
404 message if the validation flag was false, or the correct page if the
validation flag is set to true.
This has been working nicely, and alphabetic and special characters
(including the dreaded ') have all been ok with this...
However!
I have one area of this code which is for FAQs; as a result the querystring
now changes...
example:
default.asp?pageid=51&faqid=3
I'm doing my best to keep all my code dynamic and not repeated, but because
previously I was only validating 'pageid', I now have to duplicate the code
for 'faqid', which I can do, but it feels, and looks, messy...
I was hoping that someone else may have come up against a similar problem
and could suggest an alternative way to do this, ideally looking at all
elements in the querystring whatever they are, i.e., not having to know the
names of the variables to validate them.
If anyone has any suggestions, ideas, or snippets of code I would be very
grateful to hear from you here...
Thanks in advance for your time reading my essay )
Regards
Robb Meade
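One way to answer the question above: a single validator applied to every key in the querystring, so faqid needs no duplicated code, plus a parameterised ADODB.Command so the id never becomes part of the SQL text. This is an added example, not code from the original post; tblFAQ, FAQText and FAQID are assumed names, while tblPages and PageID come from the post.

```vbscript
<%
' Added example (not from the original post). Reusable validator plus a
' parameterised query; tblFAQ / FAQText / FAQID are assumed names.
Const MAX_INT = 2147483647
' Returns True and sets lngOut only when sValue is a plain positive decimal
' integer that fits a SQL Server INT. Unlike IsNumeric this rejects "1e3",
' "&H10", "1.5", " 12 ", "1,000" and "3, 4" (a repeated querystring key).
Function TryParseIntID(ByVal sValue, ByRef lngOut)
    Dim re
    TryParseIntID = False
    lngOut = 0
    sValue = CStr(sValue)
    Set re = New RegExp
    re.Pattern = "^[1-9][0-9]{0,9}$"       ' 1..10 digits, no sign, no leading zero
    If Not re.Test(sValue) Then Exit Function
    If CDbl(sValue) > MAX_INT Then Exit Function   ' 10 digits cannot overflow CDbl
    lngOut = CLng(sValue)
    TryParseIntID = True
End Function
' Walks every key in the querystring, so new names such as faqid need no
' extra code. Empty values are skipped so the existing "no pageid means the
' default page" logic still applies; any other invalid value sets blnError.
Function ValidatedIDs(ByRef blnError)
    Dim dict, key, sRaw, lngValue
    Set dict = CreateObject("Scripting.Dictionary")
    blnError = False
    For Each key In Request.QueryString
        sRaw = Request.QueryString(key)    ' default property: the raw string
        If Len(sRaw) > 0 Then
            If TryParseIntID(sRaw, lngValue) Then
                dict(key) = lngValue
            Else
                blnError = True            ' caller shows the 404 page
            End If
        End If
    Next
    Set ValidatedIDs = dict
End Function
' The ids travel as adInteger (3) input (1) parameters, never as SQL text,
' so the statement cannot be altered even if validation were bypassed.
Function GetFAQ(conn, lngPageID, lngFAQID)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT FAQText FROM tblFAQ WHERE PageID = ? AND FAQID = ?"
    cmd.Parameters.Append cmd.CreateParameter("PageID", 3, 1, 4, lngPageID)
    cmd.Parameters.Append cmd.CreateParameter("FAQID", 3, 1, 4, lngFAQID)
    Set GetFAQ = cmd.Execute
End Function
%>
```

Call ValidatedIDs once at the top of default.asp and read ids from the returned dictionary (for example ids("pageid") and ids("faqid")); the parameterised query is what actually closes the injection, the validator only keeps bad input from reaching it.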