Good way to sanitize input in classic asp
Solution 1
Yes, you can use parameterized queries in classic ASP (more accurately, classic ADO).
Here is a link.
As for encoding output, I might be tempted to create a wrapper for the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing as I spend much more time in .Net, so I only think this would work.
Server.HTMLEncode is really not good enough, as it only blacklists a few encoding characters. The Anti-XSS library is much better as it whitelists what is acceptable.
Solution 2
Always use Server.HTMLEncode to sanitize user input.
For example, if you're setting a variable from a form text box:
firstName = Server.HTMLEncode(trim(request.form("firstname")))
Solution 3
Watch out for SQL injection. Do not concatenate user input to a SQL string and then execute it. Instead, always use parameterized queries.
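The parameterized-query approach from Solutions 1 and 3, with the value HTML-encoded at output time rather than when it is read, as an added example; this is not code from the original answers. It assumes a hypothetical Users table (Id integer, FirstName nvarchar(50)) and a connection string kept in Application("DbConn").

```vbscript
<%
' Added example (not from the original answers): parameterized INSERT and SELECT
' with classic ADO, then Server.HTMLEncode applied only when rendering.
' Assumptions (hypothetical): a Users table with Id (int) and FirstName (nvarchar(50)),
' and a connection string stored in Application("DbConn").
Option Explicit

Dim conn, cmd, rs, rawName
rawName = Trim(Request.Form("firstname") & "")   ' kept exactly as typed, not encoded

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("DbConn")

' 1) Write: the value travels as a typed parameter, never as part of the SQL text,
'    so quotes, semicolons or comment markers inside it cannot alter the statement.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                      ' adCmdText
cmd.CommandText = "INSERT INTO Users (FirstName) VALUES (?)"
' CreateParameter(name, type, direction, size, value): 202 = adVarWChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("@FirstName", 202, 1, 50, rawName)
cmd.Execute

' 2) Read back by id, again as a typed parameter: 3 = adInteger.
'    CLng raises a runtime error on non-numeric input, so validate the id first.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1
cmd.CommandText = "SELECT FirstName FROM Users WHERE Id = ?"
cmd.Parameters.Append cmd.CreateParameter("@Id", 3, 1, , CLng(Request.QueryString("id")))
Set rs = cmd.Execute

' 3) Output: encode for the HTML context at the moment the value is written to the page.
If Not rs.EOF Then
    Response.Write "<p>Hello, " & Server.HTMLEncode(rs("FirstName").Value & "") & "</p>"
End If

rs.Close
conn.Close
%>
```

The "?" placeholders are positional; the parameter names passed to CreateParameter are only labels. Storing the raw value and encoding at output is what lets the same data later be emitted safely into a different context (JSON, a mail body) with the encoder appropriate to that context.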
Solution 4
There is a bunch of functions starting with Is, such as IsNumber, IsArray, etcetera, that might be of interest. Also, if you're expecting an integer, you could use CLng(Request("blabla")) to get it; thus if it's not an integer the CLng function will raise an error.
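An added example (not code from the answer) of the CLng approach with the runtime error handled instead of surfacing as a 500: the input is accepted only if it is a plain decimal integer in an application-defined range. The function name and the range bound are assumptions.

```vbscript
<%
' Added example (not from the original answer): wrap CLng so that empty,
' non-numeric or overflowing input yields False rather than an unhandled error.
' Returns True and sets result on success. The id range is hypothetical.
Function TryParseId(ByVal raw, ByRef result)
    Dim tmp
    TryParseId = False
    result = 0
    raw = Trim(raw & "")                 ' Empty/Null become "" without an error
    If raw = "" Then Exit Function
    If Not IsNumeric(raw) Then Exit Function
    On Error Resume Next                 ' CLng still raises on overflow, e.g. "99999999999"
    tmp = CLng(raw)
    If Err.Number <> 0 Then
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    ' IsNumeric also accepts "3.7", "1e3", "&H1F", "+5" and "007";
    ' requiring the round trip to match keeps only canonical integers.
    If CStr(tmp) <> raw Then Exit Function
    If tmp < 1 Then Exit Function        ' hypothetical rule: ids start at 1
    result = tmp
    TryParseId = True
End Function

Dim id
If TryParseId(Request.QueryString("id"), id) Then
    Response.Write "id = " & id          ' now safe to bind as an adInteger parameter
Else
    Response.Status = "400 Bad Request"
    Response.Write "invalid id"
End If
%>
```

On Error Resume Next is scoped here to the single CLng call and switched off again with On Error GoTo 0, so an unrelated error elsewhere on the page is not silently swallowed.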
Solution 5
One way to do it might be to add a check in a header.asp file that iterates through the Request object looking for inappropriate characters. For example:
<%
' For Each over Request.Form yields the field NAMES; the value is Request.Form(x)
For Each x In Request.Form ' Do this for Request.QueryString also
    If InStr(Request.Form(x), "<") <> 0 Then
        ' encode the value or redirect to error page?
    End If
Next
%>
Sander Versluys
Updated on June 05, 2022

Comments
- Sander Versluys (almost 2 years): I have to update old projects at work. I do not have any experience with classic ASP, although I'm familiar with PHP scripting.
  - Are there any functions I should use?
  - Can you provide me with a good function for some basic protection?
  - Is there something like a parameterized query in ASP?
  Thanks!
- Joel Coehoorn (over 12 years): "Sanitize" is the wrong way to think about the problem.
- Sander Versluys (over 15 years): Yes indeed, can I use parameterized queries in classic ASP?
- Cirieno (over 15 years): The Request object is read-only so you couldn't directly edit the values, but I have for some projects created a Dictionary object into which I've dumped all the values from the incoming form, and those values can be manipulated any way you like...
- Sébastien Nussbaumer (over 14 years): +1 for wrapping Microsoft Anti-XSS library. After much trial & error this is what we ended up doing.
- Joel Coehoorn (over 12 years): In other words: you don't sanitize it. You quarantine it to its own place where there's no danger it can be treated as code.
- Michiel van der Blonk (over 9 years): Actually you should never sanitize input using HTMLEncode. This is only useful for sanitizing output. There is no guarantee the input is to be displayed by a web browser. The only thing that you need to protect from is SQL injection (so, e.g. the single quote char and the semicolon). Even better is to require e.g. an int using CLNG in a query parameter.
- eliteproxy (about 3 years): Be careful using CreateObject to invoke COM resources on server applications. When other users activate the same, it instantiates multiple processes and can cause resource and rights issues that can lead to 500 errors.