How to prevent injections in ASP / VBScript?

What are the best ways (or at least the most common ways) in ASP (VBScript) to handle input? My main concerns are HTML / JavaScript injection and SQL injection. Is there some equivalent of PHP's htmlspecialchars or addslashes, and so on? Or do I have to do it manually using string replacement functions?

+1




2 answers


It boils down to the following:

  • Always HTML-encode user input before writing it to your page. Server.HTMLEncode() does it for you.
  • Always use parameterized queries to interact with the database. The ADODB.Command and ADODB.CommandParameter objects are the right choice.
  • Always use the URLScan utility and IIS Lockdown on the IIS server that is displaying the page, unless it is version 6 or higher, which no longer requires these tools.


If you stick to points 1 and 2, I can't think of much that could go wrong.

Most vulnerabilities occur because user input is encoded incorrectly or because SQL strings are built from it. If, for some reason, you reach the point where HTML-encoding user input gets in your way, you have hit a design flaw in your application.

+5




I will add one more point to Tomalak's.

Avoid concatenating field values into SQL code. That is, in some cases a stored procedure builds some SQL in a string for later execution. That is fine as long as the text value of a field is not used as part of its construction.

A command parameter protects the SQL code that stores a value from having injected SQL executed, but it lets that unwanted SQL become data in the database. That is the first-level attack. The second level is the possibility that the stored value is later used in some SQL string concatenation within a stored procedure.



Another consideration is that this is just minimal protection. All of it makes attack attempts harmless. However, in many cases it may be better to add a system on top that prevents such data from being entered and / or alerts admins to a potential injection.

Input validation is important here. I don't know of any tools that do this for you, but a few simple regular expressions might help. For example, "<\w+" will detect an attempt to include an HTML tag in a field.

+2


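As an added example (my code, not from either answer above), here is one ASP page that applies the points from both answers: Server.HTMLEncode on output, an ADODB.Command with CreateParameter for the INSERT, and the "<\w+" tag check done with VBScript's RegExp object. The Comments table, the connection string and the form field names are assumptions for the example.

```vbscript
<%
Option Explicit
' Added example (not from the answers above). Assumes a table
' Comments(Author nvarchar(50), Body nvarchar(4000)) and a placeholder
' connection string; adjust both for a real site.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=PLACEHOLDER_DB;Integrated Security=SSPI"
Const adVarWChar = 202        ' ADO constants, in case adovbs.inc is not included
Const adParamInput = 1
Const adCmdText = 1
Const adExecuteNoRecords = 128

' Point 1 of the first answer: HTML-encode anything user-supplied before writing it.
Sub WriteEncoded(value)
    Response.Write Server.HTMLEncode(value)
End Sub

' Second answer: a coarse check for an attempted HTML tag, "<\w+".
Function LooksLikeHtmlTag(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "<\w+"
    LooksLikeHtmlTag = re.Test(value)
End Function

' Point 2 of the first answer: the values travel as ADO parameters and are
' never concatenated into the SQL text, so quotes inside them are just data.
Sub InsertComment(author, body)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO Comments (Author, Body) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("Author", adVarWChar, adParamInput, 50, author)
    cmd.Parameters.Append cmd.CreateParameter("Body", adVarWChar, adParamInput, 4000, body)
    cmd.Execute , , adExecuteNoRecords
    conn.Close
End Sub

Dim author, body
author = Request.Form("author")
body = Request.Form("body")
If LooksLikeHtmlTag(body) Then
    Response.Write "Rejected: HTML is not allowed in comments."
Else
    InsertComment author, body
    ' Stored text stays untrusted: encode it on every output and never
    ' concatenate it into SQL later (the second-level case from the second answer).
    WriteEncoded body
End If
%>
```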
