views: 160 · answers: 2
What are the best ways (or at least most common ways) in ASP (VB script) for input handling? My main concerns are html/javascript injections & SQL injections. Is there some equivalent to php's htmlspecialchars or addslashes, et cetera? Or do I have to do it manually with something like string replace functions?

I'm sorry for asking such a trivial question but I'm pretty new to vbscript and I just have no time for trial/error method. Thank you in advance for your help

+3  A: 

The bottom line is this:

  1. Always HTML-encode user input before you write it to your page. Server.HTMLEncode() does that for you.
  2. Always use parameterized queries to interface with a database. The ADODB.Command and ADODB.CommandParameter objects are the right choice here.
  3. Always use the URLScan utility and IIS lockdown on the IIS server that renders the page, unless they are version 6 and up, which do not require these tools anymore.

If you stick to points 1 and 2 slavishly, I can't think of much that can go wrong.

Most vulnerabilities come from not properly encoding user input or building SQL strings from it. If you for some reason come to the point where HTML-encoding user input stands in your way, you have found a design flaw in your application.

Tomalak
What if your form accepted content that was going to be published via some medium other than the web -- e.g. a magazine. You wouldn't want HTML-encoded characters then. Sometimes the input has to be kept as clean and original as possible if you don't know where it will wind up.
Cirieno
Tomalak
+1  A: 

I would add to Tomalak's list one other point.

Avoid using concatenation of field values in SQL code. That is, in some cases a stored procedure may build some SQL in a string to subsequently execute. This is fine unless a textual field value is used as part of its construction.

A command parameter can protect SQL code designed to input a value from being hijacked into executing unwanted SQL, but it allows such unwanted SQL to become data in the database. This is a first-level vulnerability. A second-level injection vulnerability exists if the field's value is then used in some SQL string concatenation inside a stored procedure.

Another consideration is that this is just minimal protection. All it's doing is rendering attack attempts harmless. However, in many cases it may be better to add to this a system which prevents such data entry altogether and/or alerts admins to a potential injection attack.

This is where input validation becomes important. I don't know of any tools that do this for you, but a few simple Regular Expressions might help. For example, "<\w+" would detect the attempt to include an HTML tag in the field.

AnthonyWJones
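As an added example (not code from either answer above), here is a classic ASP page that puts Tomalak's two points and AnthonyWJones's validation regex together: the form value is checked with "<\w+", stored through an ADODB.Command with parameters, and echoed back through Server.HTMLEncode. The Comments table, its columns and the connection string are assumptions.

```vbscript
<%
Option Explicit
' Constructed example, not code from the answers above: takes a form field,
' validates it, stores it with a parameterized query and echoes it back
' HTML-encoded. Table, columns and connection string are assumptions.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=DemoDb;Integrated Security=SSPI;"
' ADO constants spelled out so the page does not depend on adovbs.inc
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202
Const adExecuteNoRecords = 128

Function LooksLikeMarkup(value)
    ' Validation check in the spirit of the "<\w+" regex above: flags anything
    ' resembling an opening HTML tag so it can be rejected or logged.
    Dim re
    Set re = New RegExp
    re.Pattern = "<\w+"
    re.IgnoreCase = True
    LooksLikeMarkup = re.Test(value)
End Function

Sub SaveComment(conn, userName, body)
    ' Parameterized insert: values travel as ADODB parameters and are never
    ' concatenated into the SQL text, so quotes in them cannot alter the query.
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO Comments (UserName, Body) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarWChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("@Body", adVarWChar, adParamInput, 4000, body)
    cmd.Execute , , adExecuteNoRecords
End Sub

Dim userName, body, conn
userName = CStr(Request.Form("username"))
body = CStr(Request.Form("comment"))
If LooksLikeMarkup(body) Then
    ' Reject rather than try to clean up; the stored value stays plain text.
    Response.Write "<p>Markup is not allowed in comments.</p>"
Else
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR
    SaveComment conn, userName, body
    conn.Close
    ' Output encoding: the stored text is encoded at the point it hits the page.
    Response.Write "<p>" & Server.HTMLEncode(userName) & " wrote: " & Server.HTMLEncode(body) & "</p>"
End If
%>
```

Note that the regex rejects only the first-level case from the second answer; a stored procedure that later concatenates the Body column into dynamic SQL still needs to be fixed on the database side.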