Hi Benoni,
Three rules that I live by that relate to these issues:
1. Client side (Jscript) filtering has nothing to do with security (it is
trivial to bypass it). It is used merely to inform the user what data is
acceptable in order to prevent wasted posts back to the server. In terms of
security, it's irrelevant whether or not users look at your Jscript; all
input must also be filtered on the server.
2. Never send server generated or ASP generated or SQL generated errors back
to the client; identify these errors in your code then send back your own
user-friendly message to the client.
3. I never let user input anywhere near my database unless I know exactly
what is in it. I check the user input in my .asp code (using regular
expressions), and if it doesn't conform to what I expect, I send back a
friendly message to the client.
Hope this helps,
Mike.
-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN@libertis.ga]
Sent: Wednesday, October 06, 2004 1:26 AM
To: webappsec@securityfocus.com
Subject: Web Forms filtered with SQL constraints
Hi list !
I was wondering how to solve the 2 following problems: I have ASP (not
ASP.NET) formulaires people have to fill in. To avoid SQ injection attacks
and other tricks, I have set up some Jscript filtering on each field (i.e.
for instance a name can just be alphabet's characters and no figures :) ),
and I am planning to do the same on my Database (setting up constraints).
But I have 2 questions:
- How can I hide my Jscript filtering from the user ? When I want to
see the source, everything is diaplayed, quite normal :( ... Maybe it's not
so good to tell people what I have done to filter them :) I saw some sites
where it is impossible to see the source, impossible to "hoover the site",
impossible even to print ... But I have not been able to find on the net how
to do this :(
- How can I deal with possible SQL errors within an ASP page ? I
mean, if a field has been filled in, bypass my Jscript filtering (no matter
how), and gets to the database but is then "stopped" by an SQL onstraint,
how do I raise this error on an ASP page without diplaying an explicit error
(giving the user the name of my database for instance) ?
Cheers for any clue, I am lost on this topic :(
========================================================================================
This email message and attachments are confidential to our organisation and
subject to legal privilege. If you have received this email in error, please
advise the sender immediately and destroy the message and any attachments. If
you are not the intended recipient you are notified that any use, distribution,
amendment, copying or any action taken or omitted to be taken in reliance of
this message or attachments is prohibited. You can read our Privacy Policy
here: <http://www.asbbank.co.nz/privacystatement.stm>
=========================================================================================
