Good way to sanitize input in classic asp
https://stackoverflow.com/questions/444181
-
22-07-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have to update old projects at work. I do not have any experience with classic asp, although i'm familiar with php scripting.
- Are there any functions I should use?
- Can you provide me with a good function for some basic protection?
- Is there something like a parameterized query in asp?
Thanks!
Solution
Yes you can use parametrized queries in classic ASP (more accurately, classic ADO).
Here is a link.
As for encoding output, I might be tempted to create a wrapper for the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing as I spend much more time in .Net, so I only think this would work.
Server.HTMLEncode is really not good enough, as it only blacklists a few encoding characters. The Anti-XSS library is much better as it whitelists what is acceptable.
OTHER TIPS
Always use Server.HTMLEncode to sanitize user input.
For example, if you're setting a variable from a form text box:
firstName = Server.HTMLEncode(trim(request.form("firstname")))
Watch out for SQL injection. Do not concatenate user input to a SQL string and then execute it. Instead, always used parameterized queries.
There is a bunch of functions starting with Is, such as IsNumber, IsArray etcetera, that might be of interest. Also if you're expecting a integer, you could use CLng(Request("blabla")) to get it, thus if it's not a integer the CLng function will raise an error.
One way to do it might be to add a check in a header.asp file that iterates through the Request object looking for inappropriate characters. For example:
<%
for each x in Request.Form ' Do this for Request.Querystring also
If InStr(x,"<") <> 0 Then
' encode the value or redirect to error page?
End If
next
%>
Just make a function which will be called every time you want to output a string. It will encode html and output it as a text. E.g. escape html.
FUNCTION esc(a)
esc= Server.HTMLEncode(a)
END FUNCTION
Response.Write esc("&*)!(@)#(!@)#SSDx><''")
output: &*)!(@)#(!@)#SSDx><''
