Re: Web Forms filtered with SQL constraints
From: Ian (webappsec2fishnet.co.uk)
Date: Wed Oct 06 2004 - 03:52:03 CDT
On 5 Oct 2004 at 13:25, Bénoni MARTIN wrote:
> Hi list !
> I was wondering how to solve the 2 following problems: I have ASP (not
> ASP.NET) forms people have to fill in. To avoid SQL injection attacks
> and other tricks, I have set up some Jscript filtering on each field (i.e.
> for instance a name can just be alphabet's characters and no figures :) ),
> and I am planning to do the same on my Database (setting up constraints).
> But I have 2 questions: - How can I hide my Jscript filtering from the
> user ? When I want to see the source, everything is displayed, quite
> normal :( ... Maybe it's not so good to tell people what I have done to
> filter them :) I saw some sites where it is impossible to see the source,
> impossible to "hoover the site", impossible even to print ... But I have
> not been able to find on the net how to do this :(
> - How can I deal with possible SQL errors within an ASP page ? I mean, if
> a field has been filled in, bypass my Jscript filtering (no matter how),
> and gets to the database but is then "stopped" by an SQL onstraint, how do
> I raise this error on an ASP page without diplaying an explicit error
> (giving the user the name of my database for instance) ?
> Cheers for any clue, I am lost on this topic :(
Using classic ASP with vbscript you would add this to the top of the page:
<% on error resume next %>
Then after every SQL query:
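if err then
    Response.write "There was a database error"
    ' Log the error to a file here (keep the details out of the response)
    err.clear ' reset, otherwise the next check sees this same error again
end if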
I think the equivalent in JScript is the Try, Catch, Finally:
Hope this helps
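
The pattern discussed in this thread, as an added example that is not part of the original post: the "letters only" rule is repeated on the server, and a database failure is logged in full while the user sees only a generic message. It is written in ES3-style JavaScript so the functions also parse as classic ASP JScript; saveName, runInsert, logLine and the sample error text are hypothetical names and constructed data, and the ASP wiring (Response.Write, the ADO call) is assumed to live in the callers.

```javascript
// Server-side copy of the "letters only" rule from the question. The
// browser-side filter can be read and bypassed, so this check is the
// one that actually protects the database.
function isValidName(value) {
    return typeof value === "string" && /^[A-Za-z]+$/.test(value);
}

// runInsert (hypothetical): performs the INSERT and throws on failure,
//   e.g. when a database constraint rejects the value.
// logLine (hypothetical): appends one line to a server-side log file.
function saveName(name, runInsert, logLine) {
    if (!isValidName(name)) {
        return { ok: false, message: "Please enter a name using letters only." };
    }
    try {
        runInsert(name);
        return { ok: true, message: "Saved." };
    } catch (e) {
        // Full detail goes to the log only. The user gets a reference
        // number that support staff can match against the log.
        var ref = "E" + new Date().getTime();
        logLine(ref + " " + (e.message || e.description || String(e)));
        return { ok: false, message: "There was a database error (ref " + ref + ")." };
    }
}

// Constructed demo: an insert that fails the way a constraint violation
// would, with a made-up database name in the driver's error text.
function demo() {
    var log = [];
    var failingInsert = function () {
        throw new Error("CHECK constraint 'CK_name' violated in database 'SampleDB'");
    };
    var shown = saveName("Alice", failingInsert, function (l) { log.push(l); });
    return { shown: shown, log: log };
}
```
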