WebApp Sec mailing list archives

Re: Web Forms filtered with SQL constraints


From: "Ian" <webappsec2 () fishnet co uk>
Date: Wed, 06 Oct 2004 09:52:03 +0100

On 5 Oct 2004 at 13:25, Bénoni MARTIN wrote:

Hi list !

I was wondering how to solve the 2 following problems: I have ASP (not
ASP.NET) forms people have to fill in. To avoid SQL injection attacks
and other tricks, I have set up some Jscript filtering on each field (i.e.
for instance a name can just be alphabetic characters and no figures :) ),
and I am planning to do the same on my Database (setting up constraints).


But I have 2 questions:

      - How can I hide my Jscript filtering from the user? When I want to see
the source, everything is displayed, quite normal :( ... Maybe it's not so
good to tell people what I have done to filter them :) I saw some sites where
it is impossible to see the source, impossible to "hoover the site",
impossible even to print ... But I have not been able to find on the net how
to do this :(

      - How can I deal with possible SQL errors within an ASP page? I mean, if
a field has been filled in, bypasses my Jscript filtering (no matter how),
and gets to the database but is then "stopped" by an SQL constraint, how do
I raise this error on an ASP page without displaying an explicit error
(giving the user the name of my database for instance)?

Cheers for any clue, I am lost on this topic :(

Hi,

Using classic ASP with vbscript you would add this to the top of the page:

<% on error resume next %>

Then after every SQL query:

<%
If Err.Number <> 0 Then
        Response.Write "There was a database error"
        ' Log the error (Err.Number, Err.Description, Err.Source) to a file;
        ' never write these details into the response
        Err.Clear          ' otherwise the same error is reported after every later query
        Response.End       ' stop before the rest of the page uses a failed recordset
End If
%>

I think the equivalent in JScript is the Try, Catch, Finally:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/js56jslrfjscripterrorstoc.asp

Hope this helps

Ian
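The try/catch version of Ian's pattern, as an added example that is not part of the original thread: plain JavaScript so it runs under Node rather than classic ASP (no Response or Server objects), with the database layer (`insertName`), the handler (`handleSubmit`), the log (`errorLog`), the constraint names and the database name 'CustomerDB' all constructed for illustration.

```javascript
// Constructed stand-in for the database layer. A real ADO/ODBC error message
// names the driver, server and database; that text must stay on the server.
// The constructed CHECK constraint rejects names longer than 10 characters.
function insertName(name) {
  if (name.length > 10) {
    throw new Error("[Microsoft][ODBC SQL Server Driver][SQL Server] INSERT " +
      "conflicted with CHECK constraint 'ck_name_len' in database 'CustomerDB'");
  }
  return 1; // rows affected
}

// Server-side error log; in classic ASP this would be a FileSystemObject append.
const errorLog = [];

// Handles one form submission. Full detail goes to the log; the user receives a
// fixed generic message plus a reference id so support can find the log entry.
function handleSubmit(name, log) {
  const sink = log || errorLog;
  // Repeat the client-side letters-only filter on the server: the JScript in
  // the page can be removed or bypassed by whoever submits the form.
  if (!/^[A-Za-z]+$/.test(name)) {
    return { ok: false, message: "Name must contain letters only" };
  }
  try {
    insertName(name);
    return { ok: true, message: "Thank you" };
  } catch (e) {
    // The equivalent of "if err then" after the query: log, then say little.
    const ref = "ERR-" + (sink.length + 1);
    sink.push({ ref: ref, input: name, detail: e.message });
    return { ok: false, message: "There was a database error (ref " + ref + ")" };
  }
}
```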