Good way to sanitize input in classic asp


Solution 1

Yes, you can use parameterized queries in classic ASP (more accurately, classic ADO).

Here is a link.

As for encoding output, I might be tempted to create a wrapper for the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing as I spend much more time in .Net, so I only think this would work.

Server.HTMLEncode is really not good enough, as it only blacklists a few encoding characters. The Anti-XSS library is much better as it whitelists what is acceptable.

Solution 2

Always use Server.HTMLEncode to sanitize user input.

For example, if you're setting a variable from a form text box:

firstName = Server.HTMLEncode(trim(request.form("firstname")))

Solution 3

Watch out for SQL injection. Do not concatenate user input to a SQL string and then execute it. Instead, always use parameterized queries.
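Solutions 1 to 3 above describe the two halves of the answer without showing them together: the query takes the value as a parameter, and the page encodes the value only at the point where it is written into HTML. The following is an added example, not code from any of the answers. It assumes a table Users(UserId, FirstName, Email) and a connection string stored in Application("ConnString"); both are assumptions for illustration, as are the numeric ADO constants spelled out in the comments.

```asp
<%
Option Explicit
' Added example (not from the answers above): a parameterized SELECT with classic ADO
' (ADODB.Command), with Server.HTMLEncode applied where the values are written out.
' Assumed for illustration: Users(UserId, FirstName, Email) and Application("ConnString").
Dim conn, cmd, rs, firstName

' Untrusted input is taken as-is; it is never spliced into the SQL text.
firstName = Trim(Request.Form("firstname") & "")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "SELECT UserId, FirstName, Email FROM Users WHERE FirstName = ?"

' ADO constants without adovbs.inc: adVarChar = 200, adParamInput = 1; 50 is the size cap.
' The driver sends the value as data, so O'Brien or ' OR 1=1-- are just strings that
' match (or fail to match) a name; neither is ever parsed as SQL.
cmd.Parameters.Append cmd.CreateParameter("@firstName", 200, 1, 50, firstName)

Set rs = cmd.Execute

Response.Write "<ul>"
Do Until rs.EOF
    ' Encode at output, for the HTML context the value lands in. The trailing & ""
    ' turns a database NULL into an empty string, which HTMLEncode would otherwise reject.
    Response.Write "<li>" & Server.HTMLEncode(rs("FirstName") & "") & _
                   " (" & Server.HTMLEncode(rs("Email") & "") & ")</li>"
    rs.MoveNext
Loop
Response.Write "</ul>"

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

Nothing in the stored value is altered on the way in, so the same row can later be written to a CSV export, an e-mail or a JSON response with the encoding that context needs, rather than carrying HTML entities that were baked in at input time.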

Solution 4

There are a bunch of functions starting with Is, such as IsNumber, IsArray, etc., that might be of interest. Also, if you're expecting an integer, you could use CLng(Request("blabla")) to get it; thus, if it's not an integer, the CLng function will raise an error.
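An unhandled CLng error turns bad input into a 500 page, so in practice the conversion is wrapped. The following is an added example, not part of the answer above, showing how to do that with On Error Resume Next (the only error handling VBScript has) and a round-trip check, because CLng alone is more permissive than "is this an integer": it rounds "12.7" to 13 and accepts "1e3". The id parameter, the 400 response and the commented-out parameter call are assumptions for illustration.

```asp
<%
' Added example (not from the original answer): a CLng wrapper that returns False on
' bad input instead of raising a runtime error. The query-string field "id" and the
' product lookup are assumptions for illustration.
Function TryGetLong(rawValue, ByRef result)
    ' Returns True and sets result when rawValue is a plain whole number, else False.
    Dim s
    TryGetLong = False
    result = 0
    s = Trim(rawValue & "")          ' Null or a missing field becomes ""
    If Len(s) = 0 Then Exit Function
    ' IsNumeric also accepts "1e3", "&H1F" and locale currency formats, so it is only
    ' a coarse filter; CLng and the round-trip check below make the decision.
    If Not IsNumeric(s) Then Exit Function
    On Error Resume Next
    result = CLng(s)                 ' raises 13 (type mismatch) or 6 (overflow) on bad input
    If Err.Number <> 0 Then
        Err.Clear
        result = 0
        Exit Function                ' leaving the function restores normal error handling
    End If
    On Error GoTo 0
    ' CLng rounds "12.7" to 13 and turns "1e3" into 1000; insist that the text round-trips
    ' exactly, which also rejects "+5" and "007".
    If CStr(result) <> s Then
        result = 0
        Exit Function
    End If
    TryGetLong = True
End Function

Dim productId
If TryGetLong(Request.QueryString("id"), productId) Then
    ' productId is a Long now; pass it as a typed parameter (adInteger = 3, adParamInput = 1):
    ' cmd.Parameters.Append cmd.CreateParameter("@id", 3, 1, 4, productId)
    Response.Write "Looking up product " & productId
Else
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product id."
    Response.End
End If
%>
```

Because the value handed to ADO is a Long rather than the original text, the parameter type matches the column and there is no string left over that could be misread as SQL.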

Solution 5

One way to do it might be to add a check in a header.asp file that iterates through the Request object looking for inappropriate characters. For example:

<%
    ' Runs once per request from header.asp. The loop variable x is the field name;
    ' the submitted value is Request.Form(x), which is what has to be inspected.
    For Each x In Request.Form ' Do this for Request.QueryString also
        If InStr(Request.Form(x), "<") <> 0 Then
            ' encode the value or redirect to error page?
        End If
    Next
%>
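A header that blacklists "<" stops one HTML payload and nothing else (a single quote, a CRLF in a mail header, a path separator), and it breaks any form where "<" is legitimate. The following is an added example, not code from the answer or its comments, that keeps the header.asp idea but turns it around: the read-only Request collections are copied into a Dictionary (the approach one commenter describes), and each field the page expects is checked against an allow-list pattern describing what a valid value looks like. The field names, patterns and the 400 response are assumptions for illustration.

```asp
<%
' Added example (not from the original answer): header.asp that copies expected fields
' from Request.Form / Request.QueryString into a Dictionary after allow-list validation.
' Field names and patterns below are assumptions for illustration.
Dim fieldRules, safeInput, re, key, raw

' One pattern per declared field. An apostrophe is allowed in a name: with parameterized
' queries it is data, so there is no reason to ban it here.
Set fieldRules = Server.CreateObject("Scripting.Dictionary")
fieldRules.Add "firstname", "^[A-Za-z][A-Za-z' -]{0,49}$"
fieldRules.Add "email",     "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
fieldRules.Add "page",      "^[0-9]{0,4}$"     ' {0,4}: an absent page number is acceptable

Set safeInput = Server.CreateObject("Scripting.Dictionary")
Set re = New RegExp

' Only declared fields are copied; anything else the client sends is simply never read.
' A missing field arrives as "" and fails unless its pattern allows the empty string.
For Each key In fieldRules.Keys
    raw = Request.Form(key) & ""
    If Len(raw) = 0 Then raw = Request.QueryString(key) & ""
    raw = Trim(raw)
    re.Pattern = fieldRules(key)
    If re.Test(raw) Then
        safeInput.Add key, raw
    Else
        Response.Status = "400 Bad Request"
        Response.Write "Invalid value for " & Server.HTMLEncode(key)
        Response.End
    End If
Next

' Pages that include this header read safeInput("firstname") and so on. Validation
' narrows the input; the value still goes into SQL through a parameter and into
' HTML through Server.HTMLEncode at the point of output.
%>
```

The Dictionary is what downstream code reads, so a page cannot accidentally pick up an unvalidated field straight from Request, and adding a new form field means adding a pattern rather than hoping the blacklist happens to cover it.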
Author: Sander Versluys

I may not have gone where I intended to go, but I think I have ended up where I needed to be. - Douglas Adams about.me/sanderversluys

Updated on June 05, 2022

Comments

  • Sander Versluys, almost 2 years

    I have to update old projects at work. I do not have any experience with classic ASP, although I'm familiar with PHP scripting.

    • Are there any functions I should use?
    • Can you provide me with a good function for some basic protection?
    • Is there something like a parameterized query in ASP?

    Thanks!

    • Joel Coehoorn, over 12 years
      "Sanitize" is the wrong way to think about the problem.
  • Sander Versluys, over 15 years
    Yes indeed, can I use parameterized queries in classic ASP?
  • Cirieno, over 15 years
    The Request object is read-only so you couldn't directly edit the values, but I have for some projects created a Dictionary object into which I've dumped all the values from the incoming form, and those values can be manipulated any way you like...
  • Sébastien Nussbaumer, over 14 years
    +1 for wrapping the Microsoft Anti-XSS library. After much trial and error this is what we ended up doing.
  • Joel Coehoorn, over 12 years
    In other words: you don't sanitize it. You quarantine it to its own place where there's no danger it can be treated as code.
  • Michiel van der Blonk, over 9 years
    Actually you should never sanitize input using HTMLEncode. This is only useful for sanitizing output. There is no guarantee the input is to be displayed by a web browser. The only thing that you need to protect from is SQL injection (so, e.g., the single quote char and the semicolon). Even better is to require e.g. an int using CLNG in a query parameter.
  • eliteproxy, about 3 years
    Be careful using CreateObject to invoke COM resources on server applications. When other users activate the same, it instantiates multiple processes and can cause resource and rights issues that can lead to 500 errors.