Asp Code help - Page 2

berklee · 03-28-2003, 03:00 PM

Or you could use PythonScript for ASP.

I'm just sayin'. :p

abc123 · 03-28-2003, 03:16 PM

Quote:

Originally posted by berklee
what about a simple select?

Select * from myTable where keyfield = 1

If that 1 is pulled from a page (say a drop-down list), you can build a page that makes a value:

<input type="hidden" name="keyfield" value="1;drop database test'">

.. well don't i look stupid.. you should always make sure integer values you expect only contain numbers then

rdove · 03-28-2003, 06:58 PM

Quote:

Originally posted by abc123
.. well don't i look stupid.. you should always make sure integer values you expect only contain numbers then

I totally agree..I would say something like:

Code:

Select * from myTable where keyfield = " & CInt(request.form("box"))

rdove · 03-28-2003, 07:03 PM

Quote:

Originally posted by berklee
That's certainly a good thing....

But what about when you run statements on a mySQL database that require the contents of text form fields?

For the record, I'm not trying to be a pain. If you can help me understand a relatively secure way to do this, it might change my opinions on mySQL.

Here is a little function I call in one of my create pages:

Code:

    dim Char_Array(31)
    
    Char_Array(0) = "~"
    Char_Array(1) = "`"
    Char_Array(2) = "!"
    Char_Array(3) = "@"
    Char_Array(4) = "#"
    Char_Array(5) = "$"
    Char_Array(6) = "%"
    Char_Array(7) = "^"
    Char_Array(8) = "&"
    Char_Array(9) = "*"
    Char_Array(10) = "("
    Char_Array(11) = ")"
    Char_Array(12) = "-"
    Char_Array(13) = "+"
    Char_Array(14) = "="
    Char_Array(15) = "/"
    Char_Array(16) = "\"
    Char_Array(17) = "|"
    Char_Array(18) = "]"
    Char_Array(19) = "["
    Char_Array(20) = "{"
    Char_Array(21) = "}"
    Char_Array(22) = "'"
    Char_Array(23) = ":"
    Char_Array(24) = ";"
    Char_Array(25) = "?"
    Char_Array(26) = ">"
    Char_Array(27) = "<"
    Char_Array(28) = "."
    Char_Array(29) = ","
    Char_Array(30) = """"
    
    'check the user name for invalid characters
    for i = 0 to 30
      Pos = instr(Request.Form("textbox"), Char_Array(i))
	  
      if Pos > 0 then
        Response.Redirect("page.asp?status=char")
      end if
    next

berklee · 03-30-2003, 05:50 PM

The only other thing I'd recommend would be copying the Form field value to a variable, so that it cuts processing power required to do the job (you won't be accessing a property of a component on each iteration of the loop).

PS - In a perfect world, this would be better handled in JavaScript. You could do one regexp pass and it would take way less overhead. Not that I've ever done it.

abc123 · 03-30-2003, 06:21 PM

you can do regexp in asp.

berklee · 03-30-2003, 08:37 PM

Yeah, but you have to instantiate a COM component to make it happen (with VBScript)

With Javascript, it's part of the language and wouldn't take up the overhead of creating a new object.

Server-side JScript would be the way to go.

abc123 · 03-30-2003, 09:07 PM

Quote:

Originally posted by berklee
Yeah, but you have to instantiate a COM component to make it happen (with VBScript)

With Javascript, it's part of the language and wouldn't take up the overhead of creating a new object.

Server-side JScript would be the way to go.

if you're concerned about speed, don't use asp