***Update***
When I first wrote this page, I put up an extremely limited JavaScript function to parse out text; my goal was just to give readers an idea of how to go about this. After being chastised by more than one visitor, I have updated the JavaScript code for parsing text. It's still fairly limited, but it will give you a better idea of how to go about parsing out bad values, and as a bonus the code is written to be a lot more efficient.
***End of Update***
One of the easiest ways for a malicious hacker to gain access to your site (and the server it's running on) is to take advantage of poorly written web forms that access databases. For example, let's say that you have a form that takes the value from an INPUT tag and builds an SQL string directly from that value to submit to the database. A form like this, if not coded properly, can be used to compromise your entire system.
The problem stems from the way that SQL parses text values. Let's say that, on your web form, you want a user to enter a value for a password, which you then use to search the database to see if the password is valid. It is possible for a user to enter a value that will fool the database into thinking that the password is valid. Let's say that this value was entered into the INPUT field:
When the SQL statement is created with this value, it might look something like this:
Essentially, the value this user has entered ensures that the query always finds a match. The "--" starts an SQL comment, which swallows the closing quote character that the code appends to the string, so the database does not return a syntax error.
To prevent this from happening to your forms, at some point in the transaction you need to check the value that the user has submitted. To give you an idea of how to do this, here is an example of a parse function using JavaScript on the client side. Because this example runs on the client side, it is NOT secure: a user can bypass it entirely. To fully secure your web page, you need to check the value on a middle-tier component!
The JavaScript parse function would look like this (modify the strBad variable to hold any values that you don't want to be accepted):
You can test it out here (submitting an invalid character will bring up an ALERT):
To read a discussion of securing your web pages with ASP, check out this thread in our message boards!