SQL Injection and preventing querystring abuse

Robb Meade

Hi all,

A recent project that I had finished went live with no apparent
problems.

My client received an email from a user who mentioned that by accident they
had been typing (over the querystring I guess), and the url had become

default.asp?pageid='asd

They then received a SQL Server error message.

My client contacted their webhost, who came back to them promptly and talked
of 'SQL Injection'; they said that we would need to secure the code as well
as the permissions on the database (which I believe they have done).

This is something I had overlooked, and started to write a fix for a couple
of nights ago... but I don't think it's 100%...

Basically I now do this at the top of my default.asp page...

<%
' *******************************************************************
' Here we retrieve the page id from our querystring.
' *******************************************************************

strCurrentPageID = Request.QueryString("pageid")

' *******************************************************************
' If we do have a page id in the querystring we check that it is numeric.
' *******************************************************************

If strCurrentPageID <> "" Then

    If IsNumeric(strCurrentPageID) Then

        Response.Write strCurrentPageID   ' debug echo of the value

        ' *******************************************************************
        ' Here we test to see if our 'int' field type has been exceeded.
        ' The value is converted with CDbl first: in VBScript a string
        ' compared with a number is always "greater", so the bare string
        ' comparison "51" <= 2147483647 would be False.
        ' *******************************************************************

        If CDbl(strCurrentPageID) > 0 And CDbl(strCurrentPageID) <= 2147483647 Then
            strPageError = False
        Else
            strPageError = True
        End If

    Else
        ' If it is not numeric then we set our error flag to true.
        strPageError = True
    End If

' *******************************************************************
' If we do not have a page id within our querystring then we set our flag
' to false, and check our pages table to see which page has been set to
' the default page.
' *******************************************************************

Else

    strPageError = False

    SQL = "SELECT PageID FROM tblPages WHERE PageIsDefault = '1'"
%>
<!--#Include File="_IncludeScripts/ReadOnly.asp"-->
<%
    If Not RS.BOF And Not RS.EOF Then
        strCurrentPageID = RS("PageID")
    End If
%>
<!--#Include File="_IncludeScripts/ReadOnlyClose.asp"-->
<%
End If
%>



If the user arrives at the site with no pageid - we assume that they are
looking at the default page and set the CurrentPageID to the id of the page
flagged as being the home page.

If they do arrive here with a pageid in the querystring I then start to
validate it...

First I check to see if it's numeric, as the id relates to an INT field type
in the SQL database; if it isn't, the validation sets a flag to 'false'. If
the value is numeric then I check to ensure that it's within the lower and
upper values for the INT data field type.

If all is ok - we set a flag to be 'true'.

The flag gets checked later on, on another page, which then displays either a
404 message if the validation flag was false, or the correct page if the
validation flag is set to true.

This has been working nicely, and alphabetic characters and special characters
(including the dreaded ' ) have all been ok with this...

However!

I have one area of this code which is for FAQs, and as a result the querystring
now changes...

example;

default.asp?pageid=51&faqid=3

I'm doing my best to keep all my code dynamic, and not repeated, but because
previously I was only validating 'pageid' - I now have to duplicate the code
for 'faqid' - which I can do - but it feels, and looks messy...

I was hoping that someone else may have come up against a similar problem
and could suggest an alternative way to do this, ideally looking at all
elements in the querystring whatever they are, ie, not having to know the
names of the variables to validate them.

If anyone has any suggestions, ideas, snippets of code I would be very
grateful to hear from you here...

Thanks in advance for your time reading my essay :eek:)

Regards

Robb Meade
 
TomB

Wrap it up in a function

Function CheckValidNumber(numToCheck, lowerLimit, upperLimit)
    Dim i
    ' Assume the value is bad until every check passes.
    CheckValidNumber = False
    ' Only plain digits allowed; IsNumeric alone would also pass "5.5", "1e3" and "&H10".
    If Len(numToCheck) = 0 Or Len(numToCheck) > 10 Then Exit Function
    For i = 1 To Len(numToCheck)
        If InStr("0123456789", Mid(numToCheck, i, 1)) = 0 Then Exit Function
    Next
    ' Compare as a number (a string compared with a number is always "greater")
    If CDbl(numToCheck) >= lowerLimit And CDbl(numToCheck) <= upperLimit Then
        CheckValidNumber = True
    End If
End Function

So for your default.asp?pageid=51&faqid=3

Dim lngPageID
Dim lngFaqID
lngPageID = Request.QueryString("pageid")
If CheckValidNumber(lngPageID, 0, 2147483647) Then
    lngPageID = CLng(lngPageID)   ' CInt would overflow above 32767
Else
    lngPageID = 1                 ' fall back to the home page
End If

' Same for lngFaqID
 
Robb Meade

...
Wrap it up in a function

aye, that's a good idea, but I still need to be able to break down the
querystring per data item, for example;

pageid=15
faqid=10
anothervalue=blahblahblah

The application is still in its infancy, so the last one above here doesn't
apply really; all the querystring items at this time are always numeric, but
I still need to be able to pick up the 'value' of each querystring item
without knowing its name...

This possible?

Cheers for the reply

Robb
 
Robb Meade

...
Wrap it up in a function

Just thought of another problem too...

If the function was called the first time and returned an error, and then
went off again for the faqid, but that returned ok - the flag would be
overwritten and changed to 'fine' - therefore creating an error on the
page :eek:/

As soon as the flag is found to be 'faulty' it needs to stop and run off and
say 'wow tiger - something's gone wrong' etc...

Robb
 
Aaron Bertrand - MVP

If the function was called the first time and returned as an error,

Call Response.End
 
TomB

If CheckValidNumber(lngFaqID, 0, 2147483647) = True Then
    ' do whatever
Else
    Response.Write "wow tiger - somethings wrong"
    Response.End   ' nothing after this runs, so a later check cannot reset the flag
End If

If CheckValidNumber(lngPageID, 0, 2147483647) etc. etc. etc.
 
TomB

You don't know the names of your querystring items? If you know they will
all be numeric then you can do something like.....

Dim queryField
Dim bAllGood
bAllGood = True

' Request.QueryString enumerates every item name, so nothing has to be hard-coded
For Each queryField In Request.QueryString
    If CheckValidNumber(Request.QueryString(queryField), 0, 2147483647) = False Then
        bAllGood = False
        Exit For
    End If
Next
If bAllGood = True Then
    ' blah blah
Else
    Response.Write "Error, at least one querystring item is non-numeric"
    Response.End
End If
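Putting Tom's for-each loop together with the numeric checks from the thread, as an added example that is not code from any poster: it walks every querystring item without knowing its name in advance, rejects unknown or repeated names and out-of-range values before any SQL runs, and then binds the id to the query as an ADO parameter instead of concatenating it into the SQL text, so a value that slipped past validation still could not change the statement. The tblPages, PageID and PageIsDefault names come from Robb's post; the allowed-name list, the connection string and the error messages are assumptions.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. tblPages, PageID and PageIsDefault come
' from the posts; the allowed-name list, connection string and messages are assumed.
Const adInteger = 3, adParamInput = 1
Const ALLOWED_NAMES = ",pageid,faqid,"   ' the only querystring items this page accepts
' Digits-only check, then a numeric (not string) comparison against the INT range.
Function IsValidId(value)
    Dim i
    IsValidId = False
    If Len(value) = 0 Or Len(value) > 10 Then Exit Function
    For i = 1 To Len(value)
        If InStr("0123456789", Mid(value, i, 1)) = 0 Then Exit Function
    Next
    IsValidId = (CDbl(value) >= 1 And CDbl(value) <= 2147483647)
End Function
' Stop the page before any SQL runs; the echoed name is HTML-encoded first.
Sub Reject(reason)
    Response.Status = "400 Bad Request"
    Response.Write Server.HTMLEncode(reason)
    Response.End
End Sub
' Walk every item without knowing its name in advance: unknown names, repeated
' names (pageid=1&pageid=2 arrives as "1, 2") and bad values are all rejected.
Dim ids, key, raw
Set ids = CreateObject("Scripting.Dictionary")
For Each key In Request.QueryString
    raw = Request.QueryString(key)   ' the item's string value
    If InStr(ALLOWED_NAMES, "," & LCase(key) & ",") = 0 Then Reject "Unknown parameter: " & key
    If Request.QueryString(key).Count > 1 Then Reject "Repeated parameter: " & key
    If Not IsValidId(raw) Then Reject "Bad value for: " & key
    ids.Add LCase(key), CLng(raw)
Next
' Bind the id as an ADO parameter instead of concatenating it into the SQL text;
' no pageid means the default page, as in the original post.
Dim conn, cmd, rs
Set conn = CreateObject("ADODB.Connection")
conn.Open "PLACEHOLDER_CONNECTION_STRING"   ' placeholder, not a real connection string
Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
If ids.Exists("pageid") Then
    cmd.CommandText = "SELECT PageID FROM tblPages WHERE PageID = ?"
    cmd.Parameters.Append cmd.CreateParameter("pid", adInteger, adParamInput, , ids("pageid"))
Else
    cmd.CommandText = "SELECT PageID FROM tblPages WHERE PageIsDefault = '1'"
End If
Set rs = cmd.Execute
If rs.EOF Then Response.Status = "404 Not Found"
%>
```

Because the id reaches SQL Server as a typed integer parameter, the quote in `pageid='asd` can no longer produce a SQL Server error page; it is rejected by IsValidId with a 400 before the query is built.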
 
