
Re: Web Forms filtered with SQL constraints

Subject: Re: Web Forms filtered with SQL constraints
Date: Wed, 06 Oct 2004 11:56:47 -0500
A fundamental problem with your approach is that the point
of filtering client-side input is that you cannot trust the client.

You can't trust the user, and you can't trust the software
she is running. Who is to say that whatever client-side
tricks you use to ostensibly hide the page source from
the user can't be bypassed by the user? It may be as simple
as disabling javascript or using a different user-agent, or
in the worst case simply grabbing the source to a browser
and hacking away at it. (Mozilla/Firefox come to mind.)

While client-side input validation may have its uses, those
uses do NOT include filtering for security exploits. Always
assume that the user/user-agent may submit anything he/she/it
wishes to your server-side applications. Your server-side
should never trust anything from the client without validating
it first. EVER.

There are custom proxies that make it simple to submit arbitrary
data into input fields. They're simple to use, and free.

See http://www.onlamp.com/pub/a/php/2004/01/22/php_proxy.html

for a great article on the subject.

Regards,

Tom Stowell
Network Administrator
DeForest Area School District
520 E. Holum St.
DeForest, WI 53532
Fax: (608)-842-6545
Voice: (608)-842-6500
Email: <jts@deforest.k12.wi.us>


console, n. [From Latin consolatio(n) "comfort, spiritual solace."] A device 
for displaying or printing condolences or obituaries for the operator.
            -- Stan Kelly-Bootle, The Computer Contradictionary.


Bénoni MARTIN <Benoni.MARTIN@libertis.ga> wrote on 10/05/04 07:25AM:
Hi list !

I was wondering how to solve the 2 following problems: I have ASP (not ASP.NET) 
forms people have to fill in. To avoid SQL injection attacks and other 
tricks, I have set up some Jscript filtering on each field (for instance, a 
name can contain only alphabetic characters and no digits :) ), and I am planning 
to do the same on my database (setting up constraints).


But I have 2 questions:
        - How can I hide my Jscript filtering from the user? When I want to 
see the source, everything is displayed, quite normal :( ... Maybe it's not so 
good to tell people what I have done to filter them :) I saw some sites where 
it is impossible to see the source, impossible to "hoover the site", impossible 
even to print ... But I have not been able to find on the net how to do this :(

        - How can I deal with possible SQL errors within an ASP page? I mean, 
if a field has been filled in, bypassed my Jscript filtering (no matter how), and 
gets to the database but is then "stopped" by an SQL constraint, how do I raise 
this error on an ASP page without displaying an explicit error (giving the user 
the name of my database, for instance)?

Cheers for any clue, I am lost on this topic :(
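The pattern Tom's reply calls for (validate on the server no matter what the client-side script did) together with the second question in Bénoni's post (report a database-constraint failure without telling the user anything about the database), as an added example that is not part of this thread. The original site is classic ASP; this Python/SQLite version shows the same three steps in one place: a server-side whitelist check, a parameterised INSERT, and a generic user-facing message with the real error kept in a server-side log. The field rules (`NAME_RE`, `EMAIL_RE`), the `people` table and the sample submissions are constructed for the example.

```python
import re
import sqlite3

# Whitelist patterns enforced on the server. These are assumptions for the
# example; adjust them to what each field is really allowed to contain.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,49}$")    # letters only, no digits
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

# Where the full error text goes: a server-side log, never the HTTP response.
SERVER_LOG = []

# Generic text shown to the user when the database rejects a row. It names no
# table, column, constraint or database.
GENERIC_DB_MESSAGE = "Your submission could not be saved. Please try again later."


def setup_db():
    """Create an in-memory table with constraints (constructed sample schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people ("
        " id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL CHECK (length(name) BETWEEN 1 AND 50),"
        " email TEXT NOT NULL UNIQUE)"
    )
    return conn


def validate(form):
    """Server-side validation. Runs on every request, whether or not the
    client-side script ran, because the client cannot be trusted."""
    errors = []
    name = form.get("name", "")
    email = form.get("email", "")
    if not NAME_RE.fullmatch(name):
        errors.append("Name may contain letters, spaces, apostrophes and hyphens only.")
    if not EMAIL_RE.fullmatch(email):
        errors.append("Please enter a valid e-mail address.")
    return errors


def handle_submission(conn, form):
    """Validate, then insert with a parameterised query. Returns what the page
    should show the user; the raw database error is logged, not displayed."""
    errors = validate(form)
    if errors:
        return {"ok": False, "message": " ".join(errors)}
    try:
        # Placeholders keep the values out of the SQL text entirely.
        conn.execute(
            "INSERT INTO people (name, email) VALUES (?, ?)",
            (form["name"], form["email"]),
        )
        conn.commit()
        return {"ok": True, "message": "Thank you, your details were saved."}
    except sqlite3.IntegrityError as exc:
        # A constraint fired (here: duplicate e-mail). Detail stays server-side.
        SERVER_LOG.append(f"IntegrityError on people insert: {exc}")
        return {"ok": False, "message": GENERIC_DB_MESSAGE}
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"Database error on people insert: {exc}")
        return {"ok": False, "message": GENERIC_DB_MESSAGE}


def table_exists(conn, table):
    """Helper used to confirm the schema survived a hostile submission."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_db()
    # Constructed sample submissions; the second one stands in for a client
    # that skipped the browser-side check entirely.
    for sample in [
        {"name": "Alice", "email": "alice@example.com"},
        {"name": "Robert'); DROP TABLE people;--", "email": "bob@example.com"},
        {"name": "Alice", "email": "alice@example.com"},
    ]:
        print(handle_submission(db, sample))
    print("server log:", SERVER_LOG)
```

Nothing in the response depends on the client-side script having run, and the only thing the user learns from a constraint failure is that the save did not happen; the table and constraint names appear only in `SERVER_LOG`.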

