Posted by Bron, October 20th, 2009, 08:57 AM
Sanitizing for MSAccess & ASP classic

Aggregating all thoughts and discussions, I wrote a code template for my own use and decided that it might be helpful for other beginners like me who use MSAccess and have no idea about SQL Server and stored procedures.

I would be glad if the pros could correct or upgrade this code.

Importantly, I learn coding pretty much via code editing. And I do this pretty much here, on the ASPFree forum. So you may see some portions of code that are very familiar to you. I would like to thank everyone who helped me and shared their code, which became a part of the code below.

Code:
 

' 1)
' Sanitize QueryString
' First try to avoid a textual QueryString. However, if it has to be text, use the same sanitizing methods as for textual forms (see below).
' For a numeric QueryString, validate as follows:

<%
'CODE TO VALIDATE QueryString (PART1) STARTS HERE
RequestQueryString = Request.QueryString
If IsNumeric(RequestQueryString) Then
'CODE TO VALIDATE QueryString (PART1) ENDS HERE
%>


' !!!!!!some code!!!!!!!
' !!!!!!some code!!!!!!!
' !!!!!!some code!!!!!!!
' !!!!!!some code!!!!!!!


<%
'CODE TO VALIDATE QueryString (PART2) STARTS HERE
else
Response.Write("<br><br><center><h2><font color=red>Error! You made a mistake.</font></h2></center><br><br>")
end if
'CODE TO VALIDATE QueryString (PART2) ENDS HERE
%>

'NOTE: IsNumeric also protects against an empty QueryString.
'NOTE 2: However, you still need to code the proper response for the case when the QueryString value does not match any record in the database
<%
Response.Write("<br><br><center><h2><font color=red><a href=index.asp>Error! You made a mistake.</a></font></h2></center><br><br>")
%>






------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
' 2)
' Sanitize Numeric Form
' and do not forget to trim it.


<%
'CODE TO VALIDATE Numeric Form (PART1) STARTS HERE
FromFormSomething = Trim(request.form("Something"))
If IsNumeric(FromFormSomething) Then
'CODE TO VALIDATE Numeric Form (PART1) ENDS HERE
%>


' !!!!!!some code!!!!!!!
' !!!!!!some code!!!!!!!
' !!!!!!some code!!!!!!!
' !!!!!!some code!!!!!!!


<%
'CODE TO VALIDATE Numeric Form (PART2) STARTS HERE
else
Response.Write("<br><br><center><h2><font color=red>Error! You made a mistake.</font></h2></center><br><br>")
end if
'CODE TO VALIDATE Numeric Form (PART2) ENDS HERE
%>

'NOTE: IsNumeric also protects against an empty form field.
'NOTE 2: However, you still need to code the proper response for the case when the form value does not match any record in the database
<%
Response.Write("<br><br><center><h2><font color=red><a href=index.asp>Error! You made a mistake.</a></font></h2></center><br><br>")
%>




' ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
' 3)
' Sanitize textual form 
' and do not forget to trim it.
' First escape apostrophes and quotes, and also carriage returns and line breaks
' Second apply a regular expression to filter and block dangerous items
' NOTE: edit the regexp properly to exclude patterns that are too strict.


<%
'CODE TO CALL SANITIZING ESCAPE FUNCTIONS STARTS HERE

Function crlfToBr(strValue)
If Not IsNull(strValue) Then
strValue = Replace(strValue, Chr(13) & Chr(10), "<br>")
End If
crlfToBr = strValue
End Function

Function quotreplace(strValue)
If Not IsNull(strValue) Then
' Double quote -> its HTML entity (the replacement value is assumed; it did not survive in the post)
strValue = Replace(strValue, """", "&quot;")
End If
quotreplace = strValue
End Function

Function apostrophereplace(strValue)
If Not IsNull(strValue) Then
strValue = Replace(strValue, "'", "''")
End If
apostrophereplace = strValue
End Function

'CODE TO CALL SANITIZING ESCAPE FUNCTIONS ENDS HERE
%>



<%
'CODE TO ESCAPE FROM APOSTROPHE ETC AND TO CALL VARIABLE STARTS HERE

FromFormSomething = apostrophereplace(quotreplace(crlfToBr(Trim(request.form("Something")))))

'CODE TO ESCAPE FROM APOSTROPHE ETC AND TO CALL VARIABLE ENDS HERE
%>


'NOTE: you still need to check whether your form field is empty or not.
<% 
' CODE TO CHECK IF FORM IS NOT EMPTY (PART 1) STARTS HERE
if FromFormSomething="" then
Response.Write("<br><br><center><h2><font color=red><a href=index.asp>Error! You made a mistake.</a></font></h2></center><br><br>")
else
' CODE TO CHECK IF FORM IS NOT EMPTY (PART 1) ENDS HERE
%>

<%
'CODE TO CALL SANITIZING FUNCTION ze STARTS HERE - most strict function, but it still needs to be used together with the apostrophe and quote escaping functions.
' COMBINATION OF SYMBOLS <something>          <.*>
' CURLY BRACES COMBINATION {something}        \{.*\}
' DOUBLE DASH --                              -{2,}?
' WORDS AND PHRASES                           delete|drop table|NULL
' ASTERISK                                    \*
' BACKSLASH                                   \\
' OPENING SQUARE BRACKET                      \[
' http://netzreport.googlepages.com/online_converter_for_dec_octal.html could be useful in some specific cases to convert decimal ASCII into an octal number: chr34 = 42, to create an even stricter regexp.
' http://www.regular-expressions.info/reference.html

Dim ze
Set ze = New RegExp
ze.IgnoreCase = True
' Every row of the table above as one alternative, separated by | (NULL and \* are separate alternatives)
ze.Pattern = "<.*>|\{.*\}|-{2,}?|delete|drop table|NULL|\*|\\|\["
ze.Global = True
'CODE TO CALL SANITIZING FUNCTION ze ENDS HERE

'CODE TO VALIDATE TEXT FORMS (PART 1) STARTS HERE:
' Add further fields with "And ze.Test(FromAnotherFormSomething) = False" as needed
If ze.Test(FromFormSomething) = False Then
'CODE TO VALIDATE TEXT FORMS (PART 1) ENDS HERE:
%>


' !!!!!!some code!!!!!!!
' !!!!!!some code!!!!!!!
' !!!!!!some code!!!!!!!
' !!!!!!some code!!!!!!!


'CODE TO VALIDATE TEXT FORMS (PART 2) STARTS HERE: 
<%
else
Response.Write("<br><br><center><h2><font color=red><a href=index.asp>Error! You made a mistake.</a></font></h2></center><br><br>")
end if
%>
'CODE TO VALIDATE TEXT FORMS (PART 2) ENDS HERE: 


<% 
' CODE TO CHECK IF FORM IS NOT EMPTY (PART 2) STARTS HERE
end if
' CODE TO CHECK IF FORM IS NOT EMPTY (PART 2) ENDS HERE
%>

'NOTE 2: You still need to code the proper response for the case when the form value does not match any record in the database
<%
Response.Write("<br><br><center><h2><font color=red><a href=index.asp>Error! You made a mistake.</a></font></h2></center><br><br>")
%>



' ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
' 4) Sanitize textual QueryString
' Use the same code as above for textual forms, but replace request.form("Something") with Request.QueryString



' ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
' 5) Sanitize radio buttons and tick boxes
' I normally sanitize them as above, depending on what type of value they return - numeric or textual.
' If the assortment of values is very limited and strict, like "yes" or "no", you can edit the regexp to make it specifically strict, so that it only approves "yes" and "no"



' ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
' 6) True/False
' I never use true/false fields in database (prefer 1 and 0 instead) so I did not think about that matter at all.
' Any thoughts are welcome

Last edited by Bron : October 21st, 2009 at 05:53 AM.
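The script below is an added example and not part of Bron's post. It runs the corrected `ze` pattern from section 3 (with `NULL` and `\*` as separate alternatives) over a handful of constructed strings under cscript.exe, so a reader can see what the blacklist blocks and, just as important, which ordinary sentences it rejects too, which is the "too strict patterns" caveat from the NOTE in section 3. The sample inputs are constructed for this demonstration.

```vbscript
' Added example (not Bron's code): exercise the section 3 blacklist regexp
' from the command line with cscript.exe; no ASP objects are needed.
Option Explicit

' Builds the same RegExp object as the "ze" block in section 3.
Function BuildBlacklist()
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = True
    ' Corrected pattern: "NULL" and "\*" are separate alternatives.
    re.Pattern = "<.*>|\{.*\}|-{2,}?|delete|drop table|NULL|\*|\\|\["
    Set BuildBlacklist = re
End Function

' Returns every fragment the pattern matched in strValue, joined by ", ",
' or "" when nothing matched.
Function BlockedFragments(re, strValue)
    Dim matches, m, out
    out = ""
    Set matches = re.Execute(strValue)
    For Each m In matches
        If out <> "" Then out = out & ", "
        out = out & m.Value
    Next
    BlockedFragments = out
End Function

Dim samples, i, re
Set re = BuildBlacklist()

' Constructed inputs: the first three are attack-shaped strings the filter
' is meant for; the last three are harmless text that it rejects anyway.
samples = Array( _
    "<script>alert(1)</script>", _
    "x'; DROP TABLE users; --", _
    "a\b[c]", _
    "Please delete my old address", _
    "The field was null yesterday", _
    "Rating: 5 * out of 5")

For i = 0 To UBound(samples)
    If re.Test(samples(i)) Then
        WScript.Echo "BLOCKED : " & samples(i) & "  (matched: " & BlockedFragments(re, samples(i)) & ")"
    Else
        WScript.Echo "ALLOWED : " & samples(i)
    End If
Next
```

Run it with `cscript //nologo blacklist_check.vbs`. All six samples come back BLOCKED: the word "delete", the word "null" and a lone asterisk in normal prose trip the filter just as the attack-shaped strings do, which is why a blacklist like this belongs behind a proper empty-field check and, where possible, behind parameterized SQL rather than being the only line of defence.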
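The page below is an added example and not code from Bron's post. It shows the usual upgrade for sections 1 to 4: check the shape of a numeric ID with a digits-only regexp (IsNumeric alone also accepts values such as "1e3", "&H1F" or "1,000"), hand the value to Access as a typed ADODB parameter instead of concatenating it into the SQL text, and HTML-encode whatever is echoed back. The database path, the table and column names and the form field "q" are placeholders assumed for the example; the Jet OLEDB 4.0 provider is only available to 32-bit processes.

```vbscript
<%
Option Explicit
' Added example (not Bron's code): parameterized queries against an Access
' database from ASP classic. Table "Products" (ProductID Long, ProductName
' Text) and the .mdb path are placeholders assumed for this demonstration.

' ADO enumeration values (normally taken from adovbs.inc) so the page stands alone.
Const adParamInput = 1
Const adInteger    = 3
Const adVarWChar   = 202

Const DB_PATH = "C:\placeholder\path\shop.mdb"   ' placeholder path

' Stricter than IsNumeric: one to nine ASCII digits only, so "1e3", "&H1F",
' "1,000" or a negative sign are rejected. Returns True and sets idOut on success.
Function ParseId(rawValue, idOut)
    Dim re, s
    s = Trim(rawValue & "")          ' & "" turns Empty/Null into ""
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If re.Test(s) Then
        idOut = CLng(s)
        ParseId = True
    Else
        idOut = 0
        ParseId = False
    End If
End Function

Function OpenDb()
    Dim conn
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DB_PATH
    Set OpenDb = conn
End Function

' Numeric lookup (sections 1 and 2): the ID travels as an integer parameter,
' never as part of the SQL text.
Function FindProductName(id)
    Dim conn, cmd, rs
    Set conn = OpenDb()
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT ProductName FROM Products WHERE ProductID = ?"
    cmd.Parameters.Append cmd.CreateParameter("pId", adInteger, adParamInput, 4, id)
    Set rs = cmd.Execute
    If rs.EOF Then
        FindProductName = ""          ' the "NOTE 2" case: no matching record
    Else
        FindProductName = rs("ProductName") & ""
    End If
    rs.Close
    conn.Close
End Function

' Text search (sections 3 and 4): no apostrophe doubling or blacklist is needed
' for the query itself, because the term is bound as a text parameter; the LIKE
' wildcards are added here, not by the user.
Function SearchProducts(term)
    Dim conn, cmd, rs, items
    Set conn = OpenDb()
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT ProductName FROM Products WHERE ProductName LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("pTerm", adVarWChar, adParamInput, 255, "%" & term & "%")
    Set rs = cmd.Execute
    items = ""
    Do Until rs.EOF
        ' Encode on output so stored text cannot inject HTML into the page
        items = items & "<li>" & Server.HTMLEncode(rs("ProductName") & "") & "</li>"
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
    SearchProducts = items
End Function

Dim productId, productName, term
If ParseId(Request.QueryString("id"), productId) Then
    productName = FindProductName(productId)
    If productName = "" Then
        Response.Write "<p>No product with ID " & productId & ".</p>"
    Else
        Response.Write "<p>" & Server.HTMLEncode(productName) & "</p>"
    End If
Else
    Response.Write "<p>Invalid product ID.</p>"
End If

term = Trim(Request.Form("q") & "")
If Len(term) > 0 And Len(term) <= 50 Then
    Response.Write "<ul>" & SearchProducts(term) & "</ul>"
End If
%>
```

`Set cmd.ActiveConnection = conn` has to use `Set`; without it ADO treats the connection object as a connection string and opens a second connection. The apostrophe and quote functions from section 3 remain useful for what is written back into HTML, but with parameters the database side no longer depends on them.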
