Security

Security is important for all applications, and especially so when a single error in a simple application can result in unauthorized access to the database or other enterprise resources. A common method of attack is to embed commands in the user's input; filtering these illegal characters out of user input can prevent the attack.
Allowing users to enter illegal characters increases the chance that a user can cause problems. For example, many applications accept user-supplied values in the WHERE clause of an SQL command. A malicious user can execute code on the database server by appending additional commands to the information entered: instead of entering "Smith" as the retrieval string, they enter "Smith"; EXEC Master..xp_cmdshell ' dir *.exe '.
The following code is designed to handle multiple recordsets returned from the server. If the user's input contains an additional, unexpected command, that hidden malicious command is executed when the NextRecordset method is invoked.
This attack can be avoided by filtering the illegal characters out of the user's input (the section of the code below the "Filter input for invalid characters" comment). The user's input is still processed, but with all illegal characters removed.
Dim rst As Recordset
Dim rst2 As Recordset
Dim strUserInput As String

' The malicious retrieval string from the text, written as a valid VB literal
strUserInput = """Smith""; EXEC Master..xp_cmdshell ' dir *.exe '"

' Filter input for invalid characters
strUserInput = Replace(strUserInput, "<", vbNullString)
strUserInput = Replace(strUserInput, ">", vbNullString)
strUserInput = Replace(strUserInput, """", vbNullString)   ' double quote
strUserInput = Replace(strUserInput, "'", vbNullString)
strUserInput = Replace(strUserInput, "%", vbNullString)
strUserInput = Replace(strUserInput, ";", vbNullString)
strUserInput = Replace(strUserInput, "(", vbNullString)
strUserInput = Replace(strUserInput, ")", vbNullString)
strUserInput = Replace(strUserInput, "&", vbNullString)
strUserInput = Replace(strUserInput, "+", vbNullString)
strUserInput = Replace(strUserInput, "-", vbNullString)

Set rst = New Recordset
rst.ActiveConnection = "Provider=sqloledb;Data Source=sqlserver;" & _
    "Initial Catalog=pubs;Integrated Security=SSPI"
' The connection is already set, so the ActiveConnection argument is skipped
rst.Open "SELECT * FROM authors WHERE au_lname = '" & strUserInput & _
    "'", , adOpenStatic
' Do something with recordset 1
Set rst2 = rst.NextRecordset
' Do something with recordset 2
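The same filter and retrieval string, carried over to Python with an in-memory sqlite3 table standing in for the pubs database so it runs offline; this is an added example, not the page's code, and filter_input, build_query, open_db, run_concatenated and run_parameterized are names chosen here. It goes one step beyond the page: run_parameterized binds the value instead of stripping characters, which keeps names such as O'Brien intact where the filter would mangle them.

```python
import sqlite3

# Characters the page's VB Replace chain removes (same set, rebuilt here).
ILLEGAL_CHARS = set('<>"\'%;()&+-')

# The page's malicious retrieval string, taken verbatim from the text.
ATTACK_INPUT = "\"Smith\"; EXEC Master..xp_cmdshell ' dir *.exe '"


def filter_input(user_input: str) -> str:
    """Drop every character in ILLEGAL_CHARS; everything else passes through."""
    return "".join(ch for ch in user_input if ch not in ILLEGAL_CHARS)


def build_query(user_input: str) -> str:
    """Concatenate the value into the WHERE clause exactly as the VB sample does."""
    return "SELECT * FROM authors WHERE au_lname = '" + user_input + "'"


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the pubs 'authors' table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (au_id INTEGER PRIMARY KEY, au_lname TEXT)")
    conn.executemany("INSERT INTO authors (au_lname) VALUES (?)",
                     [("Smith",), ("O'Brien",), ("Smith-Jones",)])
    return conn


def run_concatenated(conn: sqlite3.Connection, user_input: str):
    """Run the concatenated query. Returns the rows, or None when the driver
    refused the text (a syntax error or more than one statement in it)."""
    try:
        return conn.execute(build_query(user_input)).fetchall()
    except (sqlite3.Error, sqlite3.Warning):
        return None


def run_parameterized(conn: sqlite3.Connection, user_input: str):
    """Beyond the page: bind the value as a parameter, so nothing is stripped
    and the input is never parsed as SQL."""
    return conn.execute("SELECT * FROM authors WHERE au_lname = ?",
                        (user_input,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("filtered attack input   :", repr(filter_input(ATTACK_INPUT)))
    print("unfiltered, concatenated:", run_concatenated(db, ATTACK_INPUT))
    print("filtered, concatenated  :", run_concatenated(db, filter_input(ATTACK_INPUT)))
    print("O'Brien filtered        :", run_concatenated(db, filter_input("O'Brien")))
    print("O'Brien parameterized   :", run_parameterized(db, "O'Brien"))
```

With the filter applied, the injected text survives only as inert characters inside one string literal, so the query is a single statement that simply matches no row; the parameterized form reaches the same result without losing the apostrophe or hyphen in real names.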
Embedding commands in user input is also a common tactic for attacking ASP Web applications, where it is known as a cross-site scripting attack. Filtering the input and using Server.HTMLEncode and Server.URLEncode will help prevent such problems in your ASP application.