#1 (Registered User, joined Nov 2007)

    ASP function for SQL Injection Protection

    Can anyone help me with an ASP function to perform the following?

    A series of pages like this:
    item.asp?ItemId=2345
    news.asp?NewsId=23456
    Sale.asp?SaleId=344444

    I need a function I can include in lots of pages that basically says:

    if the query string is "ItemId" then only allow numerics of a maximum of 4 digits

    if the query string is "NewsId" then only allow numerics of a maximum of 5 digits

    if the query string is "SaleId" then only allow numerics of a maximum of 6 digits

    In all of the above, query strings of 1, 2, 3 etc. numerals must also work.

    Any help appreciated as I'm in deep "poop" battling Chinese hackers.

    Thanks
#2 (Moderator From Beyond, joined Sep 2004, Israel)
    Here is a quick function that gets a string and the maximum number of digits as input
    and returns whether the string is a valid number or not:
    Code:
    ' Returns True only when s is a plain decimal number of at most
    ' numOfDigits digits (no sign, spaces, leading zeros or exponent).
    Function ValidateNumeric(s, numOfDigits)
    	ValidateNumeric = False

    	If IsNull(s) Then Exit Function

    	If Len(s) = 0 Then Exit Function

    	' IsNumeric alone also accepts "1e3", "&H1F", "+5", " 12" and "1,000"
    	If Not IsNumeric(s) Then Exit Function

    	If Len(s) > numOfDigits Then Exit Function

    	' Negative values are not valid ids, and "-5" would survive
    	' the round-trip check below
    	If Left(s, 1) = "-" Then Exit Function

    	' Round-trip through CLng: anything that is not exactly the canonical
    	' decimal form (sign, spaces, hex, exponent, thousands separator) is rejected
    	If CStr(CLng(s)) <> s Then Exit Function

    	ValidateNumeric = True
    End Function
    Use it wisely!
#3 (Registered User, joined Nov 2007)
    Shadow Wizard, can you tell me how I can adapt this to my scenario above please? Dumbed down as much as possible please.
#4 (Moderator From Beyond, joined Sep 2004, Israel)
    Something like this:
    Code:
    ' Refuse the request before any database code runs
    If ValidateNumeric(Request.QueryString("NewsId"), 5) = False Then
       Response.Write "hacker, go away!"
       Response.End
    End If
#5 (KIS, joined Jul 2007, USA)
    Just another example, not to take away from Shadow's.

    Change/add conditions as needed.

    Code:
    <%
      ' Returns True only when the current page is one of the listed pages
      ' and its id parameter is 1..N characters that IsNumeric accepts.
      ' Note that IsNumeric is lenient: it also takes "-1", "+1", "1e3",
      ' "&HFF" and " 12", so the length bound is what keeps the value short.
      Function isValidQueryString()
       Dim aPathInfo, sPageName, sID, iLen
       isValidQueryString = False

       aPathInfo = Split(Request.ServerVariables("PATH_INFO"), "/")
       ' Select Case compares case-sensitively, so normalise "Sale.asp" to "sale.asp"
       sPageName = LCase(aPathInfo(UBound(aPathInfo)))

       Select Case sPageName
        Case "item.asp"
         sID = Request.QueryString("ItemID")
         iLen = Len(sID)
         If IsNumeric(sID) Then
          If iLen >= 1 And iLen <= 4 Then isValidQueryString = True
         End If
        Case "news.asp"
         sID = Request.QueryString("NewsID")
         iLen = Len(sID)
         If IsNumeric(sID) Then
          If iLen >= 1 And iLen <= 5 Then isValidQueryString = True
         End If
        Case "sale.asp"
         sID = Request.QueryString("SaleID")
         iLen = Len(sID)
         If IsNumeric(sID) Then
          If iLen >= 1 And iLen <= 6 Then isValidQueryString = True
         End If
        ' any other page falls through with False
       End Select
      End Function

      If isValidQueryString Then
       ' valid id: run the page
      Else
       ' invalid or unexpected request: redirect, show a message, etc.
      End If
    %>

#6 (Moderator From Beyond, joined Sep 2004, Israel)
    Nice. This works at the page level, so you can have this in one
    file and then include that file in all pages. Pick your choice!
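As an added example that is not code from the thread, the following include file combines the two approaches above (a per-page table of which id parameter is expected and how many digits it may have, and a strict digit check that is tighter than IsNumeric), and then shows the step the thread stops short of: binding the validated id as an ADO parameter instead of concatenating it into the SQL text. The function names IsDigits and RequireId, the open ADODB.Connection named conn, and the News table with its NewsId column are assumptions for the example.

```vbscript
<%
' Added example (not code from the thread). Assumes classic ASP with ADO,
' an open ADODB.Connection named conn, and a hypothetical table News with
' an integer column NewsId. Put the two functions in one include file.
Option Explicit

' Strict check: 1 to maxDigits decimal digits and nothing else. IsNumeric
' would also accept "-5", "+5", " 12", "1e3", "&H1F", "1,000" and "1.0".
Function IsDigits(s, maxDigits)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1," & maxDigits & "}$"
    IsDigits = re.Test(s & "")   ' s & "" turns Empty or Null into ""
End Function

' Looks up which id parameter the current page expects, validates it and
' returns it as a Long, or -1 when the request must be refused. Pages not
' in the table are refused rather than guessed at.
Function RequireId()
    Dim parts, pageName, paramName, maxDigits, values
    RequireId = -1

    parts = Split(Request.ServerVariables("SCRIPT_NAME"), "/")
    pageName = LCase(parts(UBound(parts)))   ' Select Case is case-sensitive

    Select Case pageName
        Case "item.asp": paramName = "ItemId": maxDigits = 4
        Case "news.asp": paramName = "NewsId": maxDigits = 5
        Case "sale.asp": paramName = "SaleId": maxDigits = 6
        Case Else: Exit Function
    End Select

    ' ?NewsId=1&NewsId=2 yields "1, 2" from the default property; insist on
    ' exactly one value instead of relying on the comma failing validation.
    Set values = Request.QueryString(paramName)
    If values.Count <> 1 Then Exit Function
    If Not IsDigits(values(1), maxDigits) Then Exit Function

    RequireId = CLng(values(1))
End Function

' ---- news.asp ----
Dim newsId, cmd, rs
newsId = RequireId()
If newsId < 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid request."
    Response.End
End If

' Even though newsId is now a validated integer, bind it as a parameter
' rather than concatenating it into the SQL text. The database then only
' ever sees a number, whatever the validation above happens to let through.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "SELECT Title, Body FROM News WHERE NewsId = ?"
cmd.Parameters.Append cmd.CreateParameter("@NewsId", 3, 1, , newsId)   ' adInteger, adParamInput
Set rs = cmd.Execute

Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Title")) & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```

The parameter binding is the part that actually stops injection; the digit check is still worth keeping because it rejects junk early, keeps the ids within the column's range, and gives a clean 400 instead of a database error that leaks schema details.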
#7 (Registered User, joined Nov 2007)
    That's great guys, thanks very much.
