dwair
10-20-2010, 12:28 AM
Hi,
I have an ASP JS website that inputs data to an MS-SQL Express db and I'm trying to stop an ongoing SQL injection attack on it. Every day I get hit by several attacks that put random alphanumerical links into my db.
1/ my input form is sanitized (with a JS function) and protected with a basic Turing test
2/ the form data is then posted to another page that checks for "http" in a field - inserts if http is false and does nothing at all if http is true
I have played for days now with the form and the URL trying to emulate the attack, but I can't seem to replicate it, nor can I see how to stop it.
Does anyone have any ideas on how I can stop this or what I have got wrong with my code (or even how it's being done in the first place!)?
Thanks!
[CODE]
if (String(Request.Form("text")) != "") {
    var str = String(Request.Form("text"));
    var patt1 = /http/gi;            // look for an upper or lower case http anywhere in the string
    var input = (str.match(patt1));  // returns null for anything but "http" (false?)
}
if (input == null) {
    var input1 = String(Request.Form("text")); // cos it's not a http and returning null, get the string
    sQry = "insert into test (text) values ('" + input1 + "')"; // update as normal but using the variable
    // execute the update as normal
    if (sQry != "") {
        var upd = Server.CreateObject('ADODB.Command');
        upd.ActiveConnection = constring;
        upd.CommandText = sQry;
        try {
            upd.Execute();
        } catch (e) {
            msg = "Error " + e.description;
        }
    }
}
else { } // cos it's null - bin me and do nothing at all
[/CODE]
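The insert above splices the form value straight into the SQL string, so the "http" check only filters one word while the query itself stays open to anything containing a quote. Below is an added example (not the poster's code) of the same insert done with an ADODB.Command parameter in classic ASP JScript, next to the concatenated shape, with a small stub standing in for ADODB.Command so it runs outside IIS; it assumes a table `test` with a column `text` and a connection string `constring`, as in the post.

```javascript
// ADO enumeration values (DataTypeEnum / ParameterDirectionEnum / CommandTypeEnum).
var adVarWChar = 202;
var adParamInput = 1;
var adCmdText = 1;

// Vulnerable shape from the original post: user text becomes part of the SQL statement.
function buildConcatenatedInsert(text) {
  return "insert into test (text) values ('" + text + "')";
}

// Hardened shape: the SQL text is a constant and the value travels as a parameter,
// so quotes or SQL keywords inside `text` cannot change the statement.
function insertTextSafely(cmd, connection, text) {
  cmd.ActiveConnection = connection;
  cmd.CommandType = adCmdText;
  cmd.CommandText = "insert into test (text) values (?)";
  cmd.Parameters.Append(cmd.CreateParameter("text", adVarWChar, adParamInput, 4000, text));
  cmd.Execute();
  return { sql: cmd.CommandText, value: cmd.Parameters.Item(0).Value };
}

// Constructed stand-in for ADODB.Command so the example can run under Node as well as IIS.
function stubCommand() {
  var params = [];
  return {
    ActiveConnection: null, CommandType: 0, CommandText: "",
    CreateParameter: function (name, type, dir, size, value) {
      return { Name: name, Type: type, Direction: dir, Size: size, Value: value };
    },
    Parameters: { Append: function (p) { params.push(p); }, Item: function (i) { return params[i]; } },
    Execute: function () { /* on IIS this would run the statement against SQL Server */ }
  };
}

// Counts single quotes in a query: an odd count means user text escaped the string literal.
function countQuotes(sql) {
  return (sql.match(/'/g) || []).length;
}

// Runs both shapes on one input; uses the real ADODB object when Server exists (IIS).
function run(text) {
  var cmd = (typeof Server !== "undefined") ? Server.CreateObject("ADODB.Command") : stubCommand();
  var connection = (typeof constring !== "undefined") ? constring : null;
  return {
    concatenated: buildConcatenatedInsert(text),
    parameterized: insertTextSafely(cmd, connection, text)
  };
}
```

With the parameterized version the "http" check can stay as a content-policy filter, but it is no longer what keeps the statement intact.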