malicious input


Cullen411 (Programmer, GB), Aug 17, 2005
I created a form that lets visitors input text. Unfortunately it is being abused.
So I used myvar = Server.HTMLEncode(Request.Form("textarea"))
and then inserted it into the database.
However, I thought this would have stopped malicious input, but someone was able to insert HTML tags, including the marquee tag.
Can anyone let me know how I can stop this, and even how they were able to get round the Server.HTMLEncode?

thanks.
 
It is possible they are using SQL injection.
If you do not protect against that, they can do pretty much anything. Look it up; there is loads of info.

The function I use to kill this method of attack is

Code:
' Removes a blacklist of SQL keywords and metacharacters from user input
' and doubles single quotes so the result can be placed in a SQL string literal.
' Replace() is case-sensitive by default and makes one pass per blacklist entry.
Function killChars(strWords)

    Dim badChars
    Dim newChars
    Dim i

    badChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_")
    newChars = strWords

    ' Strip every occurrence of each blacklisted token, in array order
    For i = 0 To UBound(badChars)
        newChars = Replace(newChars, badChars(i), "")
    Next

    ' Escape single quotes for use inside a quoted SQL literal
    killChars = Replace(newChars, "'", "''")

End Function


}...the bane of my life!
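The blacklist in the reply above can be checked offline. What follows is an added example written for this page in plain JavaScript (Classic ASP can host JScript, but this is not ASP code and not the poster's function): it ports killChars() token for token, keeping VBScript Replace()'s case-sensitive, single-pass behaviour, and feeds it constructed inputs. The inputs, the comments table name and the buildInsert() helper are assumptions made up for the demonstration.

```javascript
// Faithful JavaScript port of the posted killChars(). VBScript Replace() with
// its default vbBinaryCompare is case-sensitive and removes all occurrences in
// a single pass, which split/join reproduces exactly.
const BAD_CHARS = ["select", "drop", ";", "--", "insert", "delete", "xp_"];

function killChars(strWords) {
  let newChars = strWords;
  for (const bad of BAD_CHARS) {
    newChars = newChars.split(bad).join(""); // one pass per token, in array order
  }
  return newChars.split("'").join("''");     // double single quotes
}

// Hypothetical page that concatenates the filtered text into SQL (the pattern
// the thread is discussing, not a recommendation).
function buildInsert(userText) {
  return "INSERT INTO comments (body) VALUES ('" + killChars(userText) + "')";
}

// Constructed inputs that come out of killChars() as working SQL fragments.
const BYPASSES = {
  // Replace() is case-sensitive and the list is lower-case only.
  upperCase: "SELECT name FROM sysobjects",
  // ";" is stripped AFTER "select" was searched for, so the pieces rejoin.
  splitBySemicolon: "sel;ect name FROM sysobjects",
  // Single pass: deleting the inner "select" leaves the outer one behind.
  nested: "selselectect name FROM sysobjects",
  // Same trick against the xp_ prefix.
  nestedXp: "xxp_p_cmdshell",
  // Numeric context: there is no quote to escape, so nothing is touched.
  numericContext: "1 OR 1=1",
};

// Runs every bypass through the filter; the caller can see what survives.
function surviving() {
  const out = {};
  for (const [name, input] of Object.entries(BYPASSES)) {
    out[name] = killChars(input);
  }
  return out;
}
```

The remedy is not a longer blacklist. In Classic ASP, hand the text to the database as a parameter with ADODB.Command (CreateParameter followed by Parameters.Append) so it is never parsed as SQL syntax. The doubled quote only helps inside a quoted string literal; a numeric comparison such as WHERE id = ... has no quote to escape, which is why 1 OR 1=1 passes through untouched above.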
 
You could try the HTMLEncode on the Response.Write: Response.Write(Server.HTMLEncode(myvar))
Or even find a function that will strip out all HTML tags

Code:
Function stripHTML(strHTML)
    ' Strips the HTML tags from strHTML
    Dim objRegExp, strOutput

    ' Replace <br> with a newline (Replace() is case-sensitive, hence the variants)
    strHTML = Replace(strHTML, "<br>", vbNewLine)
    strHTML = Replace(strHTML, "<br />", vbNewLine)
    strHTML = Replace(strHTML, "<BR>", vbNewLine)
    strHTML = Replace(strHTML, "<BR />", vbNewLine)

    Set objRegExp = New RegExp
    objRegExp.IgnoreCase = True
    objRegExp.Global = True
    ' Lazy match from "<" to the next ">"; (.|\n) lets a tag span lines
    objRegExp.Pattern = "<(.|\n)+?>"

    ' Replace all HTML tag matches with the empty string
    strOutput = objRegExp.Replace(strHTML, "")

    ' Encode any remaining < and > so they cannot start a tag
    strOutput = Replace(strOutput, "<", "&lt;")
    strOutput = Replace(strOutput, ">", "&gt;")

    stripHTML = strOutput    ' Return the value of strOutput

    Set objRegExp = Nothing
End Function

}...the bane of my life!
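Encoding on output versus stripping tags, as an added example (plain JavaScript written for this page; not the poster's code and not ASP): stripHTML() below is a port of the regex approach in the reply above, htmlEncode() does what Server.HTMLEncode does at Response.Write time (plus the apostrophe), and two small render functions show a text-node context and an attribute context. The sample inputs and the two templates are constructed for the demonstration.

```javascript
// Port of the posted stripHTML(): <br> variants become newlines (vbNewLine is
// CR LF), anything from "<" to the next ">" is deleted, leftover brackets are
// encoded. The <br> regex is case-insensitive, slightly broader than the four
// literal Replace() calls in the original.
function stripHTML(strHTML) {
  let s = strHTML.replace(/<br ?\/?>/gi, "\r\n");
  s = s.replace(/<(.|\n)+?>/gi, "");          // same pattern as the VBScript RegExp
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Encode on output: every character that can change HTML structure becomes an
// entity, so the browser shows the text exactly as typed and never parses it.
function htmlEncode(s) {
  return s.replace(/&/g, "&amp;")
          .replace(/</g, "&lt;")
          .replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;")
          .replace(/'/g, "&#39;");
}

// Two output contexts the stored text might land in (hypothetical templates).
function renderTextNode(userText, sanitize) {
  return "<p>" + sanitize(userText) + "</p>";
}
function renderAttribute(userText, sanitize) {
  return '<input type="text" value="' + sanitize(userText) + '">';
}

// Constructed inputs.
const SAMPLES = {
  marquee: "<marquee>buy now</marquee>",
  legit: "a < b and c > d",                      // harmless text that looks like a tag
  attrBreakout: '" autofocus onfocus="alert(1)', // no angle brackets at all
};

// Renders every sample into the attribute template with both approaches so the
// difference is visible side by side: {name: {strip: ..., encode: ...}}.
function compareAttribute() {
  const out = {};
  for (const [name, input] of Object.entries(SAMPLES)) {
    out[name] = {
      strip: renderAttribute(input, stripHTML),
      encode: renderAttribute(input, htmlEncode),
    };
  }
  return out;
}
```

Two things the comparison shows. The regex deletes "< b and c >" from ordinary prose, so legitimate text is lost, while the encoder keeps it readable. The attribute input contains no angle brackets, so stripHTML() passes it through and the template ends up with a new onfocus handler; the encoder turns the quotes into &quot; and the text stays inside the value. In Classic ASP the encode step is Response.Write(Server.HTMLEncode(myvar)) at every place the text is written out: store the raw text, encode when rendering. Server.HTMLEncode encodes &, <, > and the double quote; if you use single-quoted attributes, encode the apostrophe as well, as the JavaScript encoder above does.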
 
One condition that messed up one of my queries is when the user put in 1=1. I now check for that.
 