Secure injection defense functions.

  • zensunni
    New Member
    • May 2007
    • 101

    Secure injection defense functions.

    I'm looking to make a few asp functions to defend against attacks. The function will loop through an array, checking each item against the incoming statement. So, my question is, what are all the things I need to check for in my incoming statement?

    Here are my arrays:

    Code:
    SQLCheck=array("select", "drop", ";", "--", "insert", "delete", "'")
    
    HTMLCheck=array("<", ">", "javascript")
    Are these all necessary, and are there any I've missed? Thanks for any help or pointers.
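An added example, not code from the original post: a classic ASP (VBScript) function that walks the two arrays above and reports which fragment matched, so the check can be reused on every form field. The helper names, the case-insensitive comparison and the sample inputs are my own additions; the two arrays are the ones from the question.

```vbscript
<%
' Added example, not the poster's code: reusable denylist check built on the
' two arrays from the question. Helper names and sample values are constructed.
Dim SQLCheck, HTMLCheck
SQLCheck  = Array("select", "drop", ";", "--", "insert", "delete", "'")
HTMLCheck = Array("<", ">", "javascript")

' Returns the first forbidden fragment found in value, or "" when none matches.
' vbTextCompare makes the comparison case-insensitive, so "SELECT" and "Select"
' are caught as well as the lower-case entries in the array.
Function FindForbidden(value, patterns)
    Dim p
    FindForbidden = ""
    For Each p In patterns
        If InStr(1, value, p, vbTextCompare) > 0 Then
            FindForbidden = p
            Exit Function
        End If
    Next
End Function

' True when the value trips either list; call this on each Request field
' before the value goes anywhere near a SQL string or the page output.
Function IsSuspicious(value)
    IsSuspicious = (FindForbidden(value, SQLCheck) <> "") Or _
                   (FindForbidden(value, HTMLCheck) <> "")
End Function

' Constructed sample inputs for a quick self-test; output is HTML-encoded
' so the test page itself does not echo raw markup.
Dim sample
For Each sample In Array("alice", "O'Brien", "a -- b", "<b>hi</b>")
    Response.Write Server.HTMLEncode(sample) & " -> " & IsSuspicious(sample) & "<br>"
Next
%>
```

Note the second sample: the apostrophe entry rejects the legitimate name "O'Brien" along with hostile input, which is the practical cost of any denylist of characters. A filter like this is a useful defence-in-depth layer for logging and rejecting obviously bad input, but it should sit in front of queries that pass user values as parameters (the stored-procedure approach raised later in this thread) rather than replace them.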
  • DrBunchman
    Recognized Expert Contributor
    • Jan 2008
    • 979

    #2
    Hi zensunni,

    You've obviously done some research on this already and correctly found that the most dangerous characters are the end of line (";"), comment ("--") and single quote mark ("'") as these allow people to manipulate your SQL strings with greatest ease. You could add UPDATE, SHUTDOWN & EXEC (to prevent the execution of stored procedures) to your list for additional safety.

    For the HTML check you've probably covered most bases by not allowing the opening and closing tags thus preventing anyone from dropping script into your page. Anybody else got any views on this one?

    Hope this helps,

    Dr B


    • jhardman
      Recognized Expert Specialist
      • Jan 2007
      • 3405

      #3
      Originally posted by DrBunchman
      Hi zensunni,

      You've obviously done some research on this already and correctly found that the most dangerous characters are the end of line (";"), comment ("--") and single quote mark ("'") as these allow people to manipulate your SQL strings with greatest ease. You could add UPDATE, SHUTDOWN & EXEC (to prevent the execution of stored procedures) to your list for additional safety.

      For the HTML check you've probably covered most bases by not allowing the opening and closing tags thus preventing anyone from dropping script into your page. Anybody else got any views on this one?

      Hope this helps,

      Dr B
      That covers all the bases I can think of, but there are some alternative techniques you can try:

      1- open a recordset - most injections will cause an error if used on a recordset

      2- use only stored procedures - most injections are harmless if you don't execute SQL commands. Since stored procedures are not really SQL commands but instructions to execute a list of pre-compiled commands, it is highly unlikely that an injection could get through.

      Jared
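An added example, not code from the thread, showing the stored-procedure approach in classic ASP: the user's value is attached to an ADODB.Command as a typed parameter, so the database driver receives it as data rather than as part of the SQL text. The connection string location, the procedure name usp_GetUserByName and its @UserName parameter are assumptions for illustration.

```vbscript
<%
' Added example, not from the thread: calling a stored procedure through
' ADODB.Command with a bound parameter. Procedure name, parameter name and the
' Application("ConnectionString") setting are assumed for illustration.
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1

' Runs the (assumed) usp_GetUserByName procedure with userName bound as a
' parameter and returns the resulting recordset.
Function GetUserRecordset(conn, userName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "usp_GetUserByName"
    ' The value travels as a parameter, not as statement text, so a quote,
    ' semicolon or comment marker inside it cannot change what the query does.
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, adParamInput, 50, userName)
    Set GetUserRecordset = cmd.Execute
End Function

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnectionString")   ' assumed to hold the connection string

' Left(..., 50) keeps the input within the declared parameter size so an
' over-long value is truncated here instead of raising a driver error.
Set rs = GetUserRecordset(conn, Left(Request.Form("username"), 50))
If Not rs.EOF Then
    ' Encode on output as well: a safe query does not make the stored value safe HTML.
    Response.Write "Found: " & Server.HTMLEncode(rs("UserName"))
End If
rs.Close
conn.Close
%>
```

The same protection applies to plain SQL text: with CommandType set to adCmdText (1) and "?" placeholders in the statement, the parameters are appended in the same way. The benefit comes from binding the value rather than from stored procedures as such; a procedure that builds and executes dynamic SQL from its arguments internally gives back the exposure, so keep the procedure body itself free of string-assembled SQL.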
