
The title of this question may seem to have been asked and answered before, but it is a different scenario for me. I use this script to stop SQL injection in my ASP site. As far as my knowledge of injection scripts goes, I have tried everything. Is it still possible to break through this code, or do you feel this is fine?

Here is the script:

<%
Function IsInject(strCheck, boolForm)
    IsInject = False
    If Not boolForm And Len(strCheck) > 50 Then IsInject = True
'   Dim sCmdList, arrCmds, i
    If boolForm Then
        sCmdList = "declare,varchar,convert,delete,create,is_srvrolemember,ar(,cast("
    Else
        sCmdList = "update,union,select,drop,declare,varchar,convert,delete,create,is_srvrolemember,ar(,cast(,char("
    End If
    arrCmds = Split(sCmdList, ",")
    For i = 0 To UBound(arrCmds)
        If Instr(UCase(CStr(strCheck)), UCase(arrCmds(i))) > 0 Then
            IsInject = True
            Exit For
        End If
    Next
    Erase arrCmds
End Function
Function CleanInject(strClean, boolInt)
    If boolInt Then CleanInject = CInt(strClean) Else CleanInject = Replace(strClean, "'", "''")
End Function

'-----------------------------------------------------------
'redirect user if specific IP
'Dim ipaddress, bFBIRedirect, sInjectType
bFBIRedirect = True
ipaddress = Request.ServerVariables("REMOTE_ADDR")
Select Case ipaddress
    Case "90.120.206.10"
    Case Else
        bFBIRedirect = False
End Select
If bFBIRedirect Then Response.Redirect "http://www.fbi.gov"
'-----------------------------------------------------------

'Dim bIsInject, sHackString
bIsInject = False

'check every query-string value
If Not bIsInject Then
'   Dim qsItm
    For Each qsItm In Request.QueryString
        If IsInject(Request.QueryString(qsItm), False) Then
            bIsInject = True
            sHackString = qsItm & "=" & Request.QueryString(qsItm)
            sHackType = "QueryString"
            sInjectType = "qs-" & Request.QueryString(qsItm)
            Exit For
        End If
    Next
End If
'form values are currently not checked (block left commented out)
If Not bIsInject Then
'   Dim frmItm
'   For Each frmItm In Request.Form
'       If IsInject(Request.Form(frmItm), True) Then
'           bIsInject = True
'           sHackString = Request.Form(frmItm)
'           sHackString = frmItm & "=" & Request.Form(frmItm)
'           sHackType = "Form"
'           Exit For
'       End If
'   Next
End If

If bIsInject Then
    Session("hacktype") = sHackType
    Session("hackstr") = sHackString
    Session("thepagefrom") = Request.ServerVariables("PATH_INFO")
    Session("theip") = Request.ServerVariables("REMOTE_ADDR")

'   Dim arrWhereAt, iWhereAt, sRedirect

    arrWhereAt = Split(Request.ServerVariables("PATH_INFO"), "/")
    iWhereAt = UBound(arrWhereAt)

    sRedirect = "unknownerror.asp?ip=" & Request.ServerVariables("REMOTE_ADDR") & "&err=" & sInjectType & "&pg=" & Request.ServerVariables("PATH_INFO")
    If iWhereAt = 1 Then sRedirect = "../" & sRedirect
    If iWhereAt = 2 Then sRedirect = "../../" & sRedirect
    If iWhereAt = 3 Then sRedirect = "../../../" & sRedirect

    Response.Redirect sRedirect
End If
%>
  • Just use parameters. Commented Sep 27, 2011 at 12:23
  • This won't do anything to help with XSS attacks. Commented Sep 27, 2011 at 12:34
  • Hello Pareen, in this you have checked only the QueryString part, and I can see that the Request.Form part is commented out, so this should be checked when we post a form. Also you can check cookie data. Please let me know if this is useful for you. Commented Oct 6, 2011 at 7:12

2 Answers

Using blacklists to remove commands is not really a good idea. You have to make sure you cover all possible commands, and still someone might sneak something past. This would also probably fail if you get data from a user that is not an attack but still contains an attack string, for example "Back in the days of the Soviet Union".

As Nikolai suggests, see if you can find some type of prepared statements to use. Or find a really good library to properly escape data for you.


Rather than doing that, I think I would use the ADO Parameter object when creating SQL queries. The second best thing is to do type conversion of the input fields for the dynamic SQL queries, such as converting strings to SQL strings (replacing any ' with two ''), making sure a number is a number, etc.

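The parameterised ADO query that this answer and the "just use parameters" comment recommend, written as an added classic ASP example (not code from the question or from either answer). The connection string cnnStr, the Users table and its UserName and UserId columns are assumed placeholders.

```vbscript
<%
' Added example (not from the question or answers): the parameterised query
' the answers recommend, written for classic ASP with ADODB.Command.
' Assumed placeholders: connection string cnnStr, a Users table with columns
' UserName (varchar(50)) and UserId (int).
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

' Looks up a user by name. The value is bound as a parameter, so it never
' becomes part of the SQL text: quotes or keywords in it are plain data.
Function FindUserByName(cnn, strName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cnn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT UserId, UserName FROM Users WHERE UserName = ?"
    cmd.Parameters.Append cmd.CreateParameter("@name", adVarChar, adParamInput, 50, strName)
    Set FindUserByName = cmd.Execute
End Function

' Integer input: validate the type first, then still bind it as a parameter
' instead of concatenating; a non-numeric value is rejected before any SQL runs.
Function FindUserById(cnn, strId)
    Dim cmd
    If Not IsNumeric(strId) Then Err.Raise 5, "FindUserById", "id must be numeric"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cnn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT UserId, UserName FROM Users WHERE UserId = ?"
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(strId))
    Set FindUserById = cmd.Execute
End Function

Dim cnn, rs
Set cnn = Server.CreateObject("ADODB.Connection")
cnn.Open cnnStr
' The keyword blacklist in the question would reject this legitimate value
' because it contains "union"; the parameterised query just looks it up.
Set rs = FindUserByName(cnn, "Back in the days of the Soviet Union")
Do Until rs.EOF
    ' HTML-encode on output so a stored value cannot inject script into the page
    Response.Write Server.HTMLEncode(rs("UserName") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close: cnn.Close
%>
```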