Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Can I detect what URL the user has entered in the address bar?

Status
Not open for further replies.

PSchubert

Technical User
Jun 6, 2006
50
AU
Hi all,

I'm using classic asp, and I want to screen against url manipulation. I'd like to capture what the user has entered in the address/location bar before it is executed on the server, and if it doesn't match a whitelist, redirect. If there's a way to do it, I know I'll find out here, because you people rock!

Thanks.
 
Thanks for your response, johnwm. I'd come across that page previously in my searches, but I didn't succeed applying it to my need. For example: let's say I have a database at I'd want to prevent a user accessing that file from typing that URL into their browser's address bar, so between them pressing enter and the server processing the request, I'd want to intervene with the screening. Or, let's say there is a hacker who discovers a way to gain unauthorized access by typing certain unpredictable malicious strings into the address bar and pressing enter. I would want to intercept and screen out that attempt. The problem on which I am stumped is how do I use a script in my document to identify the string in the client's browser's address bar when the client's browser has the focus, and the document doesn't? Now that I've phrased it that way for the first time, it sounds like it's not possible! But I've learned enough to believe that anything is possible.
 
I fear you are trying to solve the wrong problem.
1. You should not have your database in any directory that is publicly accessible.
2. Nothing you can do will prevent hackers from typing certain unpredictable malicious strings into the address bar and pressing enter.
3. Any queries to a database should be done using parameter queries and all user input should be sanitised.

If you want the best response to a question, please check out FAQ222-2244 first.
'If we're supposed to work in Hex, why have we only got A fingers?'
Drive a Steam Roller
 
You're right, of course, and I have done 1 and 3. This post is an attempt to augment those precautions, especially as pertaining to 2. May be I am trying to do something that isn't possible...I guess there's a first time for everything.
 
PSchubert said:
May be I am trying to do something that isn't possible
No, it's very possible to do that, and johnwm showed you exactly how (and according to your post, you are already doing it as well).

PSchubert said:
I'd like to capture what the user has entered in the address/location bar before it is executed on the server
It is your code that executes anything on the server, so before your code executes anything, you should examine the query strings and user input, and sanatize it... only if the values are what you expect in the given context do you continue to execute your other code.

Is there a particular weakness in your code that you spotted?
 
Thanks for responding, guitrzan. Ultimately what I'm trying to do is protect my asp code from being viewed. I'm aware of the old ::$DATA bug, whereby a user could view the code simply by appending "::$DATA" to the URL. While this is now a non-issue, what if in the future a different method is discovered that similarly uses URL manipulation? This is what I'm trying to be proactive about preventing. Any thoughts?
 
I am not familiar with the bug you are referring to. Do you have a link explaining it?
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top