I have to update old projects at work. I do not have any experience with classic ASP, although I'm familiar with PHP scripting.

  • Are there any functions I should use?
  • Can you provide me with a good function for some basic protection?
  • Is there something like a parameterized query in asp?

Thanks!

+2  A: 

Always use Server.HTMLEncode to sanitize user input.

For example, if you're setting a variable from a form text box:

firstName = Server.HTMLEncode(trim(request.form("firstname")))

Don
+1  A: 

Watch out for SQL injection. Do not concatenate user input to a SQL string and then execute it. Instead, always use parameterized queries.

RedFilter
Yes indeed, can I use parameterized queries in classic ASP?
Sander Versluys
+1  A: 

There is a bunch of functions starting with Is, such as IsNumber, IsArray etc., that might be of interest. Also, if you're expecting an integer, you could use CLng(Request("blabla")) to get it; thus if it's not an integer the CLng function will raise an error.

svinto
+1  A: 

One way to do it might be to add a check in a header.asp file that iterates through the Request object looking for inappropriate characters. For example:

<%
    ' For Each over Request.Form yields the field *names*, so the value
    ' has to be looked up by name before it is inspected.
    For Each x In Request.Form ' Do this for Request.QueryString also
        If InStr(Request.Form(x), "<") <> 0 Then
            ' encode the value or redirect to error page?
        End If
    Next
%>

The Request object is read-only so you couldn't directly edit the values, but I have for some projects created a Dictionary object into which I've dumped all the values from the incoming form, and those values can be manipulated any way you like...
Cirieno
+2  A: 

Sander,

Yes, you can use parameterized queries in classic ASP (more accurately, classic ADO).

Here is a link.

As for encoding output, I might be tempted to wrap the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing, spending much more time in .Net, so I only think this would work.

Server.HTMLEncode really is not good enough. It only blacklists a few characters to encode. The Anti-XSS library whitelists what is acceptable.

Flory
Sébastien Nussbaumer
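An added example, not taken from any of the answers above, of the parameterized query that RedFilter and Flory recommend, written with ADODB.Command in classic ASP so the form value is passed as a typed parameter rather than spliced into the SQL text. The connection string, the Users table and its column names are assumptions for illustration.

```vbscript
<%
Option Explicit

' ADO constants, defined here so the page does not depend on adovbs.inc
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

Dim connStr, conn, cmd, rs, firstName
' Assumed connection string and schema: Users(FirstName, LastName)
connStr = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=AppDb;Integrated Security=SSPI;"

' Take the raw form value. Do not HTMLEncode here: encoding belongs at output
' time, and the parameter below keeps the value out of the SQL text entirely.
firstName = Trim(Request.Form("firstname"))

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The "?" placeholder is filled by ADO; the value never touches the SQL string
cmd.CommandText = "SELECT FirstName, LastName FROM Users WHERE FirstName = ?"

' Typed input parameter; the size (50) also bounds the length ADO will accept,
' so an over-long value fails here instead of reaching the database.
cmd.Parameters.Append cmd.CreateParameter("@firstName", adVarWChar, adParamInput, 50, firstName)

Set rs = cmd.Execute

Do Until rs.EOF
    ' Database content is untrusted when written into HTML, so encode on output
    Response.Write Server.HTMLEncode(rs("FirstName") & " " & rs("LastName")) & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

The same CreateParameter pattern applies to INSERT and UPDATE statements, with one appended parameter per "?" in the order they appear in the SQL text.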