Wrox Programmer Forums
SQL Server ASP Discussions about ASP programming with Microsoft's SQL Server. For more ASP forums, see the ASP forum category.

You are currently viewing the SQL Server ASP section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
August 21st, 2008, 06:49 AM
Authorized User beetle_jaipur
Loopadd problem

Hi everyone

I am a new user of SQL Server and am stuck with a very strange problem with my database and website.

Here is a brief description of my problem.

I made a website using ASP and SQL Server.

But nowadays my database records get updated automatically with a <script src=http://www.xxxx.ru/js.js></script> sort of script, containing different site links.

And in my database some of the fields contain page links and other hyperlink material, through which it gets into the hyperlinks and spreads all over to my users' PCs.

Some links contain viruses, and I don't know where the problem is or how to get rid of it.

I am using Dreamweaver CS3 and made my site in ASP 3.0.

I don't know whether this problem is related to database security, ASP, or my PC.

One more thing: the only place where my database password is written is my connection string file.

I tried to find the solution, but couldn't.

If necessary I will post my code.

Every bit of help will save my work.
It takes hours to clean that database again and again, so now please, someone help me...

thanks in advance

ashok sharma


 
August 21st, 2008, 01:45 PM
Friend of Wrox

You need to "clean" the user input *BEFORE* putting it into the database.

At a minimum, you should be clearing out <script> tags, but you probably want to get rid of most (or even all) HTML tags.

If you want to get rid of *ALL* HTML, it's pretty easy:

Code:
<%
...
' put these lines at top of ASP page ... 
' this is a regular expression that will zap *ALL* HTML tags
Set reZap = New RegExp
reZap.Pattern = "\<\/?[a-zA-Z][^\>]*\>"
reZap.Global = True

...
...
' then you can get any form field value 
value = Trim( Request("someFormField") )
' and "clean" it through the zapper this way:
value = reZap.Replace( value, "" )

' then you should also handle SQL injection (though DW is
' probably already doing that for you) something like this:
value = Replace( value, "'", "''" )

... ' and now value is ready to be used in your SQL statement ...
...
%>
If you can't figure out how to integrate that in your code, then show some of your code.
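Added example (not code from the reply above or from the original site): the same two protections, but with the SQL side handled by binding the value as a parameter on an ADODB.Command instead of doubling quotes, applied to the page-links query that appears later in this thread. It assumes the MM_Connection_STRING and dbo.PageLinks column names from that page, and it also passes each value through Server.HTMLEncode on output, so anything that has already reached the table is rendered as text rather than run in the visitor's browser.

```vbscript
<%
' Added example: page-links lookup with a bound parameter instead of a concatenated SQL string.
' Assumes MM_Connection_STRING and the dbo.PageLinks columns used elsewhere in this thread.
Option Explicit
Const adCmdText = 1, adParamInput = 1, adVarChar = 200

' The tag-stripping regex from the reply above, applied here on output as well as on input.
Dim reZap
Set reZap = New RegExp
reZap.Pattern = "\<\/?[a-zA-Z][^\>]*\>"
reZap.Global = True

' Strip tags, then HTML-encode, so a stored <script> tag is shown as text rather than executed.
Function Clean(v)
    Clean = Server.HTMLEncode(reZap.Replace(Trim(v & ""), ""))
End Function

' Same default as the page code: the inbox tab.
Dim TabID
TabID = Trim(Request.QueryString("TabID") & "")
If TabID = "" Then TabID = "LSMInBox"

Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = MM_Connection_STRING
cmd.CommandType = adCmdText
' "?" is filled in by the driver; TabID never becomes part of the SQL text, so quotes
' or a trailing statement inside it cannot change what the query does.
cmd.CommandText = "SELECT LinkHRef, LinkText, LinkSubTab FROM dbo.PageLinks " & _
    "WHERE LinkMainTab = ? OR LinkMainTab = 'Common Links' OR LinkMainTab = 'Notice Board'"
cmd.Parameters.Append cmd.CreateParameter("@TabID", adVarChar, adParamInput, 50, TabID)
Set rs = cmd.Execute

Response.Write "<ul>"
Do Until rs.EOF
    Response.Write "<li><a href=""" & Clean(rs("LinkHRef")) & """>" & Clean(rs("LinkText")) & "</a></li>"
    rs.MoveNext
Loop
Response.Write "</ul>"

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```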
 
August 22nd, 2008, 12:49 AM
Authorized User beetle_jaipur

Hi,
Here is the ASP part of my code.
My site address: www.lotuseducation.co.in, if you want to have a look.

If you want to see the inner pages, please feel free to visit with this


And thanks for your reply; it gave me a lot of support and encouragement.

ashok sharma
***************************

<% if Session("LoginStatus") = "LotusStudent" then %>
<% Response.Buffer=true
        Response.ExpiresAbsolute=0
%>
<%
dim LinkID, SubID, OptID
if Request.QueryString("LinkID")<>"" then
    LinkID = Request.QueryString("LinkID")
else
LinkID = ""
end if

if Request.QueryString("SubID")<>"" then
    SubID = Request.QueryString("SubID")
else
    SubID = ""
end if

if Request.QueryString("OptID")<>"" then
    OptID = Request.QueryString("OptID")
else
    OptID = ""
end if

%>

<%
Dim ObjPageLinksLSMainInbox__TabID
ObjPageLinksLSMainInbox__TabID = "LSMInBox"
If (Request.querystring("TabID") <> "") Then
ObjPageLinksLSMainInbox__TabID = Request.querystring("TabID")
End If
%>

<%
Dim ObjPageLinksLSMainInbox
Dim ObjPageLinksLSMainInbox_numRows

Set ObjPageLinksLSMainInbox = Server.CreateObject("ADODB.Recordset")
ObjPageLinksLSMainInbox.ActiveConnection = MM_Connection_STRING
ObjPageLinksLSMainInbox.Source = "SELECT * FROM dbo.PageLinks WHERE ( LinkMainTab ='" + Replace(ObjPageLinksLSMainInbox__TabID, "'", "''") + "' or LinkMainTab = 'Common Links' or LinkMainTab = 'Notice Board')"
ObjPageLinksLSMainInbox.CursorType = 0
ObjPageLinksLSMainInbox.CursorLocation = 2
ObjPageLinksLSMainInbox.LockType = 1
ObjPageLinksLSMainInbox.Open()

ObjPageLinksLSMainInbox_numRows = 0
%>

<%
Dim ObjMyResults__SID
ObjMyResults__SID = "06JPR000001"
If (Session("LoginID") <> "") Then
ObjMyResults__SID = Session("LoginID")
End If
%>

<%
if OptID = "Results" then
    Dim ObjMyResults
    Dim ObjMyResults_numRows

    Set ObjMyResults = Server.CreateObject("ADODB.Recordset")
    ObjMyResults.ActiveConnection = MM_Connection_STRING
    ObjMyResults.Source = "SELECT dbo.ResultsPath.TestName, dbo.ResultsPath.FilePath FROM dbo.Results, ResultsPath WHERE ( StudentID = '" + Replace(ObjMyResults__SID, "'", "''") + "' ) and dbo.results.TestNo = dbo.ResultsPath.TestNo"
    ObjMyResults.CursorType = 0
    ObjMyResults.CursorLocation = 2
    ObjMyResults.LockType = 1
    ObjMyResults.Open()

    ObjMyResults_numRows = 0
end if
%>

<%
Dim Repeat1__numRows
Dim Repeat1__index

Repeat1__numRows = -1
Repeat1__index = 0
ObjPageLinksLSMainInbox_numRows = ObjPageLinksLSMainInbox_numRows + Repeat1__numRows
%>

<%
Dim Repeat3__numRows
Dim Repeat3__index

Repeat3__numRows = -1
Repeat3__index = 0
ObjMyResults_numRows = ObjMyResults_numRows + Repeat3__numRows
%>

<%
Dim Repeat2__numRows
Dim Repeat2__index

Repeat2__numRows = -1
Repeat2__index = 0
ObjPageLinksLSMainInbox_numRows = ObjPageLinksLSMainInbox_numRows + Repeat2__numRows
%>

<%
Dim RepeatNoticeBoard__numRows
Dim RepeatNoticeBoard__index

RepeatNoticeBoard__numRows = -1
RepeatNoticeBoard__index = 0
ObjPageLinks_numRows = ObjPageLinks_numRows + RepeatNoticeBoard__numRows
%>

</head>

<body>
<div id="MainBox">
<div id="ThreeColumns">
<div id="Section1">
<div id="RoundRect_1">
<h2>Main Options</h2>
<div id="RRect_1">
    <ul>
    <%
    While ((Repeat2__numRows <> 0) AND (NOT ObjPageLinksLSMainInbox.EOF))
    if ((ObjPageLinksLSMainInbox.Fields.Item("LinkSubTab").Value) = "Main") then
    %>
    <li><a href=<%=(ObjPageLinksLSMainInbox.Fields.Item("LinkHRef").Value)%>><%=(ObjPageLinksLSMainInbox.Fields.Item("LinkText").Value)%></a></li>
    <%
    end if
    Repeat2__index=Repeat2__index+1
    Repeat2__numRows=Repeat2__numRows-1
    ObjPageLinksLSMainInbox.MoveNext()
    Wend
    %>
    </ul>

    </div>
</div>

<div id="BottomRect_1">
</div>

<div id="RoundRect_1">
<h2>Available Options</h2>
    <% if OptID = "Results" then%>
    <div id="RRect_1">
    <ul>
        <%
    if not ObjMyResults.BOF then
    ObjMyResults.Movefirst()
    While ((Repeat3__numRows <> 0) AND (NOT ObjMyResults.EOF))
    %>
    <li><a href=<%=(ObjMyResults.Fields.Item("FilePath").Value)%> target="_blank" ><%=(ObjMyResults.Fields.Item("TestName").Value)%> </a></li>
    <%
    Repeat3__index=Repeat3__index+1
    Repeat3__numRows=Repeat3__numRows-1
    ObjMyResults.MoveNext()
    Wend
    else
    Response.Write("<LI>No result found</LI>")
    end if
    %>
     </ul>
</div>
    <% else %>
    <div id="RRect_1">
    <ul>
    <%
    ObjPageLinksLSMainInbox.movefirst()
    While ((Repeat1__numRows <> 0) AND (NOT ObjPageLinksLSMainInbox.EOF))
    if ((ObjPageLinksLSMainInbox.Fields.Item("LinkSubTab").Value) = LinkID) then
    %>
    <li><a href=<%=(ObjPageLinksLSMainInbox.Fields.Item("LinkHRef").Value)%>><%=(ObjPageLinksLSMainInbox.Fields.Item("LinkText").Value)%></a></li>
    <%
    end if
    Repeat1__index=Repeat1__index+1
    Repeat1__numRows=Repeat1__numRows-1
    ObjPageLinksLSMainInbox.MoveNext()
    Wend
    %>
     </ul>
    </div>
    <%end if %>
</div>

<div id="BottomRect_1">
</div>


<div id="RoundRect_1">
<h2>Lotus Info Zone</h2>
    <div id="RRect_1">
    <ul>
    <%
    ObjPageLinksLSMainInbox.movefirst()
    While ((Repeat1__numRows <> 0) AND (NOT ObjPageLinksLSMainInbox.EOF))
    if ((ObjPageLinksLSMainInbox.Fields.Item("LinkMainTab").Value) = "Common Links") then
    %>
    <li><a href=<%=(ObjPageLinksLSMainInbox.Fields.Item("LinkHRef").Value)%>><%=(ObjPageLinksLSMainInbox.Fields.Item("LinkText").Value)%></a></li>
    <%
    end if
    Repeat1__index=Repeat1__index+1
    Repeat1__numRows=Repeat1__numRows-1
    ObjPageLinksLSMainInbox.MoveNext()
    Wend
    %>
     </ul>

</div>
</div>

<div id="BottomRect_1">
</div>


<div id="Section3">
<%Select case OptID
    case "Results-" %>
    <div id="BottomRound_1"></div>

    <% case "ComAna" %>
    <div id="BottomRound_1"></div>

    <% case "AnswerKey" %>
    <div id="BottomRound_1"></div>

    <% case "Summary" %>
    <div id="BottomRound_1"></div>

    <% case "MyOMR" %>
    <div id="BottomRound_1"></div>

    <% case "Top10" %>
    <div id="BottomRound_1"></div>

    <% case else %>
    <% end select %>

    <div id="RoundedRect">
    <h2>Just see, what's new in your Inbox today</h2>
    <div id="Contents">
    <div id="TableDisplay">
    <ul>
    <%
    ObjPageLinksLSMainInbox.movefirst()
    While ((RepeatNoticeBoard__numRows <> 0) AND (NOT ObjPageLinksLSMainInbox.EOF))

    if ((ObjPageLinksLSMainInbox.Fields.Item("LinkMainTab").Value) = "Notice Board") then
    %>
    <li><a href=<%=(ObjPageLinksLSMainInbox.Fields.Item("LinkHref").Value)%> target="_blank"><Strong> <%=(ObjPageLinksLSMainInbox.Fields.Item("LinkSubTab").Value)%> : </Strong><%=(ObjPageLinksLSMainInbox.Fields.Item("LinkText").Value)%> </a></li>
    <%
    end if
    RepeatNoticeBoard__index=RepeatNoticeBoard__index+1
    RepeatNoticeBoard__numRows=RepeatNoticeBoard__numRows-1
    ObjPageLinksLSMainInbox.MoveNext()
        Wend
        %>
    </ul>


    </div>
    </div>
    </div>
    <div id="BottomRound_1"></div>

</div>
</div>

<div id='footer'>
     <p><strong>Copyright &copy; 2006 Lotus Educare (P.)Limited. All Rights Reserved.</strong></p>
</div>
<% else
    Response.redirect("../../../../Default.asp")
        end if
%>
</div>
</body>

</html>
<%
ObjPageLinksLSMainInbox.Close()
Set ObjPageLinksLSMainInbox = Nothing
%>
<%
if OptID = "Results" then
ObjMyResults.Close()
Set ObjMyResults = Nothing
end if
%>
 
August 22nd, 2008, 01:20 AM
Friend of Wrox

Problem is not on that page.

With DW, problem will be on a page where user enters data that gets stored into the DB.
 
August 22nd, 2008, 02:37 AM
Authorized User beetle_jaipur

Hi

That was an amazingly fast reply, and I am very thankful to you for that.

As you said, the problem will be on a page where the user enters data that gets stored into the DB,

but on my site I do not allow any user to input any form; I do not have any registration-type form or anything alike. The only thing a user can do is click a hyperlink, which is like: <a href="http://www.lotuseducation.co.in/xxxxx/xxxx/xxxx/xxxx/MainInbox.asp?OptID=Results"></a>. This link was made dynamically, and those values are stored in the DB.

What I am doing on my site:
I stored all my links in the database with the appropriate tabid, optid, and linkid.

When a user clicks on a link, like Home page : articles ---> it goes to articles.asp, and there ASP checks those tabid, linkid, or optid values and then prepares the hyperlinks accordingly to navigate into the pages. That's it.

And for data input (like user registration, we generally upload tables through the import wizard), no user input forms are used.

But on some pages I wrote this check:

<% if Session("LoginStatus") = "" or Session("LogingStatus") <>"" then %>

to provide links for non-registered members.

On those pages the code is like this; just the variable names are changed.


Was that problem due to this code?

And once again I am so thankful to you for your support and valuable suggestions.

thanks
ashok sharma


 
August 22nd, 2008, 01:21 PM
Friend of Wrox

Well, the problem *can* occur when all your code does is a SQL SELECT, but generally DreamWeaver creates VBScript code that protects against that.

For example, in this code:

ObjMyResults.Source = "SELECT dbo.ResultsPath.TestName, dbo.ResultsPath.FilePath " _
    & " FROM dbo.Results, ResultsPath " _
    & " WHERE ( StudentID = '" + Replace(ObjMyResults__SID, "'", "''") + "' ) " _
    & " and dbo.results.TestNo = dbo.ResultsPath.TestNo"

DW is using the simple
    Replace(ObjMyResults__SID, "'", "''")
to protect you against what is known as "SQL Injection".

So, as a general rule, if you can find a place where a SQL string is being created that does *NOT* use that kind of Replace call, that's a potential problem site.

On the page you showed, there are only two SQL statements, and both are correctly protected, which is why I said that I don't think this page is the culprit.

SO...

Try going through *all* your pages looking for SQL statements (of any kind) and see if any have omitted that kind of Replace usage.

Wish I could offer better advice, but for now that's where you'll have to start.
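Added example (my own script, not from the reply above): a Windows Script Host script that does the page-by-page search suggested here automatically, listing SQL-building lines that reference Request without the quote-doubling Replace, plus lines that concatenate SQL from some variable without any Replace so they can be checked by hand. The root folder argument and the line patterns are assumptions, and it is a starting point for the audit, not a proof that the remaining pages are safe.

```vbscript
' Added example, not from the thread: list SQL-building lines in .asp files that use Request data
' without the quote-doubling Replace described above. Usage (assumed root folder):
'   cscript //nologo findsql.vbs C:\inetpub\wwwroot
Option Explicit

Dim fso, reSql, reReq, reQuote, reConcat
Set fso = CreateObject("Scripting.FileSystemObject")

Set reSql = New RegExp                      ' line carries SQL text
reSql.Pattern = "\b(SELECT|INSERT|UPDATE|DELETE)\b"
reSql.IgnoreCase = True
Set reReq = New RegExp                      ' ...built directly from request data
reReq.Pattern = "Request(\.QueryString|\.Form|\.Cookies)?\s*\("
reReq.IgnoreCase = True
Set reQuote = New RegExp                    ' ...with the Replace(x, "'", "''") guard present
reQuote.Pattern = "Replace\s*\([^,]+,\s*""'""\s*,\s*""''""\s*\)"
reQuote.IgnoreCase = True
Set reConcat = New RegExp                   ' ...or concatenated from some variable at all
reConcat.Pattern = "(""\s*[&+]|[&+]\s*"")"

Sub ScanFile(path)
    Dim ts, line, n
    Set ts = fso.OpenTextFile(path, 1)
    n = 0
    Do Until ts.AtEndOfStream
        line = ts.ReadLine
        n = n + 1
        If reSql.Test(line) And Not reQuote.Test(line) Then
            If reReq.Test(line) Then
                ' Request value spliced straight into SQL: the case discussed in this thread.
                WScript.Echo "UNSAFE " & path & "(" & n & "): " & Trim(line)
            ElseIf reConcat.Test(line) Then
                ' Built from a variable (LinkID, OptID...) that may hold request data: check by hand.
                WScript.Echo "CHECK  " & path & "(" & n & "): " & Trim(line)
            End If
        End If
    Loop
    ts.Close
End Sub

Sub ScanFolder(folder)
    Dim f, subFolder
    For Each f In folder.Files
        If LCase(fso.GetExtensionName(f.Name)) = "asp" Then ScanFile f.Path
    Next
    For Each subFolder In folder.SubFolders
        ScanFolder subFolder
    Next
End Sub

ScanFolder fso.GetFolder(WScript.Arguments(0))
```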
 
August 23rd, 2008, 12:07 AM
Authorized User beetle_jaipur

Hi

As you said, I found some earlier pages, which are not used nowadays but are still on my server, that use this sort of code:

<%
Dim ObjPageLinks
Dim ObjPageLinks_numRows

Set ObjPageLinks = Server.CreateObject("ADODB.Recordset")
ObjPageLinks.ActiveConnection = MM_Connection_STRING
ObjPageLinks.Source = "SELECT * FROM dbo.PageLinks WHERE ( LinkMainTab = 'About Us' or LinkMainTab = 'Common Links' or LinkMainTab = 'Notice Board')"
ObjPageLinks.CursorType = 0
ObjPageLinks.CursorLocation = 2
ObjPageLinks.LockType = 1
ObjPageLinks.Open()

ObjPageLinks_numRows = 0
%>

But these pages only reside on the server; I did not provide any hyperlink to those pages through which they could be accessible.

So please guide me on some questions:
1. Should I use views instead of writing direct queries in the code?
2. Or should I use stored procedures to fetch data?
3. Should I use an SQL account (guest sort of) to fire SQL queries, one that does not have any update, delete, or insert rights?
4. From where can I get resources for proper SQL Server handling?
5. And is it possible to access those pages which are on the server but do not have any direct hyperlink visibility?

Finally, thank you, friend, for providing me your valuable support and guidance.

ashok sharma




 
August 23rd, 2008, 01:48 AM
Authorized User beetle_jaipur

Hi,

I found some more queries; are these problematic?

1. PostsByMembers.Source = "SELECT xxxxID, xxxxName, xxxxTitle, xxxxLink, xxxxDate FROM dbo.xxxxxxxxxx_VIEW"


 
August 23rd, 2008, 02:16 PM
Friend of Wrox

A query is only vulnerable to SQL Injection if it includes content that comes from the user (e.g., from Request.QueryString or Request.Form).

Neither of those last queries you showed do that.

Keep looking.
 
August 24th, 2008, 12:56 AM
Authorized User beetle_jaipur

OK, now I got the problem.

I am resending that tabid, optid, and linkid with the query string, and probably that content is not properly cleaned before being sent to the server, like:

<%
dim LinkID, SubID, OptID
if Request.QueryString("LinkID")<>"" then
    LinkID = Request.QueryString("LinkID")
else
LinkID = ""
end if
%>

And I am using the same value which I received from the querystring to send it to the server; maybe someone is sending values through those tabid, linkid and optids, and I am not checking those values in some of the queries.

Thanks for your suggestion; now I will work on it.
And please guide me on some questions:
1. Should I use views instead of writing direct queries in the code?
2. Or should I use stored procedures to fetch data?
3. Should I use an SQL account (guest sort of) to fire SQL queries, one that does not have any update, delete, or insert rights?
4. From where can I get resources for proper SQL Server handling?
5. And is it possible to access those pages which are on the server but do not have any direct hyperlink visibility?

Thanks a lot

ashok sharma
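Added example (not the page's original code): a replacement for the query-string block above that accepts the three ids only when they have the expected shape, using the OptID values from the Select Case earlier in the thread as a fixed list and a short letters/digits/spaces pattern for the other ids, so a value never reaches a query or a Select Case unchecked. The 30-character limit, the pattern and the log line are assumptions.

```vbscript
<%
' Added example (not the page's original code): accept the query-string ids only when they have
' the expected shape, instead of copying them straight from Request.QueryString.
Option Explicit

' OptID values are the ones the page's Select Case handles (list taken from this thread).
Const OPT_ALLOWED = "|Results|ComAna|AnswerKey|Summary|MyOMR|Top10|"

' The other ids are short tokens: letters, digits and spaces, nothing else (limit is an assumption).
Dim reToken
Set reToken = New RegExp
reToken.Pattern = "^[A-Za-z0-9 ]{1,30}$"

' Returns the query-string value if it matches the token shape, otherwise the default.
Function TokenOrDefault(name, dflt)
    Dim v
    v = Trim(Request.QueryString(name) & "")
    If reToken.Test(v) Then
        TokenOrDefault = v
    Else
        TokenOrDefault = dflt
    End If
End Function

' Returns the value only if it is exactly one entry of the fixed list, otherwise "".
' The token test runs first so a value containing "|" cannot match across two list entries.
Function OptOrDefault(name)
    Dim v
    v = Trim(Request.QueryString(name) & "")
    If reToken.Test(v) And InStr(OPT_ALLOWED, "|" & v & "|") > 0 Then
        OptOrDefault = v
    Else
        OptOrDefault = ""
    End If
End Function

Dim LinkID, SubID, OptID, TabID
LinkID = TokenOrDefault("LinkID", "")
SubID  = TokenOrDefault("SubID", "")
TabID  = TokenOrDefault("TabID", "LSMInBox")
OptID  = OptOrDefault("OptID")

' A rejected value is either a broken link or someone probing the parameters: record it in the IIS log.
If OptID = "" And Request.QueryString("OptID") <> "" Then
    Response.AppendToLog "rejected OptID from " & Request.ServerVariables("REMOTE_ADDR")
End If
%>
```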









