Is "cast" dangerous in user-generated content in classic ASP?

The legacy web application I inherited, which was written specifically for Oxfam New Zealand in classic ASP, does a string replace on user-submitted input, removing the string "cast", presumably because of the SQL CAST function.

However, this means that none of our members can have a name or email address containing this string. This causes problems for someone with the last name Hardcastle.

This seems completely over the top, security-wise; or at least there should be a way to ensure that user input is safe without altering the entries of people who have that string in their name or email address.

The actual replacement is done with:

strString = (Replace(strString, "cast", "", 1, -1, vbTextCompare))

I am considering simply commenting out this line; would that be safe?

+3
3 answers

I would change it to

strString = (Replace(strString, "cast(", "", 1, -1, vbTextCompare))

This way you still get the "security" of the SQL filtering, but you won't aggravate users who have "cast" in their usernames.

0

The legacy application is doing this incorrectly.

Instead of filtering the content at the source, the content should be encoded wherever it is used. In other words, if it is used in a query, the value is encoded before it is added to the SQL statement, or better yet, not concatenated at all but passed as a stored procedure parameter.


+2


See this question on parameterized queries in classic ASP. You never want to concatenate user-supplied data to build a SQL string. There are, admittedly, ways to do this without concatenation, but the code you currently have is useless. You can simply delete this line.

0
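To make the advice in the second and third answers concrete, here is an added example (not code from the question or from any of the answers) of a classic ASP lookup that binds the user's value as an ADODB parameter instead of splicing it into the SQL text. The table name Members, its columns, the connection string and the helper name are assumptions for illustration; a last name such as "Hardcastle" travels to the database unchanged because the text is never part of the statement.

```vbscript
<%
' Added example: parameterized lookup with ADODB.Command (not the original app's code).
' Assumed schema: a Members table with MemberId, FirstName, LastName and Email columns.
Option Explicit

' ADO constants (ADOVBS.inc values) so the page does not depend on an include file.
Const adVarChar   = 200
Const adParamInput = 1
Const adCmdText   = 1

' Returns a 2-D array of matching rows (via GetRows), or Empty when nothing matches.
Function FindMembersByLastName(strConn, strLastName)
    Dim cn, cmd, rs
    Set cn = Server.CreateObject("ADODB.Connection")
    cn.Open strConn

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    ' The "?" is a placeholder bound below; the user's text never becomes SQL syntax,
    ' so words like "cast" or a stray quote in the name need no filtering at all.
    cmd.CommandText = "SELECT MemberId, FirstName, LastName, Email " & _
                      "FROM Members WHERE LastName = ?"
    cmd.Parameters.Append cmd.CreateParameter("@LastName", adVarChar, adParamInput, 100, strLastName)

    Set rs = cmd.Execute
    If rs.EOF Then
        FindMembersByLastName = Empty
    Else
        FindMembersByLastName = rs.GetRows()
    End If

    rs.Close
    cn.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set cn = Nothing
End Function

' Usage: the value comes straight from the request, with no Replace() on it.
' strConn is an assumed placeholder; use the application's real connection string.
Dim strConn, rows, i
strConn = "Provider=SQLOLEDB;Data Source=DB_SERVER_PLACEHOLDER;Initial Catalog=DB_NAME_PLACEHOLDER;Integrated Security=SSPI;"
rows = FindMembersByLastName(strConn, Request.Form("lastname"))

If IsEmpty(rows) Then
    Response.Write "No members found."
Else
    ' GetRows returns columns in the first dimension and rows in the second.
    For i = 0 To UBound(rows, 2)
        ' Encode on output as well: the name is data in SQL, but markup in HTML.
        Response.Write Server.HTMLEncode(rows(1, i) & " " & rows(2, i)) & "<br>"
    Next
End If
%>
```

Two points worth noting. First, the size argument (100 here) to CreateParameter should match the column's declared length; ADO truncates longer input rather than erroring, which is a silent data loss, not a security problem. Second, the Replace line in the question removes "cast" case-insensitively (vbTextCompare) everywhere in the string, so it would also damage "broadcast" or "forecast" in an email address, while doing nothing about a quote character; binding the parameter removes the need for that kind of blacklist entirely.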

Source: https://habr.com/ru/post/1780123/
