
Sanitize inputs

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Classic ASP Discussion
Forum Description: Discussion on Active Server Pages (Classic ASP).
URL: https://forums.webwiz.net/forum_posts.asp?TID=27924
Printed Date: 29 March 2026 at 3:06pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Sanitize inputs
Posted By: karp13
Subject: Sanitize inputs
Date Posted: 09 October 2009 at 3:45pm
Can someone point me in the right direction for an asp function/script to sanitize form inputs and querystrings?  I want to prevent both SQL injection and XSS attacks.



Replies:
Posted By: stevesensei
Date Posted: 21 October 2009 at 2:32am
I've been using this for well over a year now and have not had a site hacked into yet:
 
Use it like this:
firstName = CleanString(Request.Form("firstname"))
 
The script has the means to both log the hack attempt to a text file, redirect the hacker to a safe page and also the ability to email you of the attempt. Make sure you write-enable the folder with the log file. If you need help, email me at steve@stevegreenstein.com
 
Function CleanString(s)
    ' Escape single quotes for SQL string literals and double quotes for HTML,
    ' then run the keyword check. Returns Empty for Null or empty input.
    Dim tmp
    If ((Not IsNull(s)) And (s <> "")) Then
        tmp = Replace(Trim(s), "'", "''")
        tmp = Replace(tmp, """", "&quot;")
        CleanString = CompareInput(tmp)
    End If
End Function

' check against all known bad things that can be used in SQL injection
' and for good measure, check for b.js as this is what the current round
' of hacks uses…
' Now, note that from the logs captured, the hacks are nearly 100% in hex
' but still some keywords must be plain and this function should catch it
' (Substring matching also rejects ordinary text that happens to contain a
' listed fragment, such as a sentence with a semicolon, and a keyword list
' cannot cover every encoding, so treat this as a tripwire rather than the
' only defence and keep the SQL itself parameterised.)
Function CompareInput(str)
    Dim tmp
    tmp = str
    tmp = filterInput(tmp, "/script")
    tmp = filterInput(tmp, "insert into")
    tmp = filterInput(tmp, "delete from")
    tmp = filterInput(tmp, "drop table")
    tmp = filterInput(tmp, "exec(")
    tmp = filterInput(tmp, "declare")
    tmp = filterInput(tmp, "cast(")
    tmp = filterInput(tmp, "varchar")
    tmp = filterInput(tmp, "sp_")
    tmp = filterInput(tmp, "xp_")
    tmp = filterInput(tmp, "@@")
    tmp = filterInput(tmp, "--")
    tmp = filterInput(tmp, ";")
    tmp = filterInput(tmp, "b.js")
    tmp = filterInput(tmp, "ngg.js")
    tmp = filterInput(tmp, "q.js")
    tmp = filterInput(tmp, "js.js")
    tmp = filterInput(tmp, "script.js")
    CompareInput = tmp
End Function

' if any of the things checked against ARE in the user data that
' came from the form or query string, log the hack and redirect hacker
' so your code does not continue and does the SQL. But if data is
' clean the function returns
Function filterInput(str, filterStr)
    Dim MyCDO, TBdy
    If InStr(LCase(str), filterStr) <> 0 Then
        logTheHack str
        ' Send email.................
        Set MyCDO = Server.CreateObject("CDONTS.NewMail")
        If IsObject(MyCDO) Then
            MyCDO.From = "do-not-reply@" & Left(Request.ServerVariables("SERVER_NAME"), 4)
            MyCDO.To = "youremail@yourdomain.com"
            MyCDO.Subject = "Attempted Hacking Attack at " & Request.ServerVariables("SERVER_NAME")

            TBdy = "String used in hacking attempt: " & str & Chr(13) & Chr(10)
            TBdy = TBdy & "Here is the IP: " & Request.ServerVariables("REMOTE_ADDR") & Chr(13) & Chr(10)
            TBdy = TBdy & "Web Page: " & Request.ServerVariables("URL") & Chr(13) & Chr(10)

            MyCDO.Body = TBdy
            MyCDO.Send
            Set MyCDO = Nothing
        End If
        '............................
        ' redirect hacker. Response.Redirect only works before any output has
        ' been sent to the client, so call CleanString before writing any HTML
        ' (or keep Response.Buffer = True).
        Response.Redirect "http://" & Request.ServerVariables("SERVER_NAME") & "/hackRedirect.asp"
    Else
        filterInput = str
    End If
End Function

' this function will log the hack with all server variables
' so you can get lots of info on the hacker
Sub logTheHack(s)
    Dim fso, wf, x
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    ' 8 = ForAppending, True = create the file if it is missing; the logs
    ' folder itself must already exist and be writable by the IIS account
    Set wf = fso.OpenTextFile(Server.MapPath("..\logs\logHack.txt"), 8, True)
    wf.WriteLine Now
    wf.WriteLine "----------------------------"
    For Each x In Request.ServerVariables
        wf.WriteLine x & ": " & Request.ServerVariables(x)
    Next
    wf.WriteLine "----------------------------"
    wf.WriteLine vbCrLf & s & vbCrLf
    wf.WriteLine "============================"
    wf.Close
    Set wf = Nothing
    Set fso = Nothing
End Sub
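The filter above is a keyword blacklist; it logs and redirects but leaves the SQL string itself built from user input. As an added example (editor's code, not stevesensei's and not from the thread), here is the complementary approach in Classic ASP: keep user data out of the SQL text with a parameterised ADODB.Command, and encode it for the context it is written into when rendering. The connection string, the Customers table, the search.asp page and the firstname field are assumptions; the ADO constant values are the standard ones from adovbs.inc.

```vbscript
<%
Option Explicit
' Added example, not part of the original thread. Shows parameterised SQL
' plus context-specific output encoding for a Classic ASP search form.

' ADO constants (values from adovbs.inc), declared so this page stands alone
Const adCmdText    = 1
Const adParamInput = 1
Const adVarWChar   = 202

' Assumed connection string; replace with your own
Const ConnString = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Shop;Integrated Security=SSPI;"

' Allow-list validation: letters, spaces, hyphens and apostrophes, 1-50 chars.
' Deciding what input is acceptable is a separate step from making the query safe.
Function IsValidName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z][A-Za-z '\-]{0,49}$"
    IsValidName = re.Test(s)
End Function

' Parameterised lookup: the name travels as a typed parameter, never as SQL
' text, so an apostrophe, a semicolon or "--" inside it is just data.
Function FindCustomersByFirstName(conn, firstName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT CustomerID, FirstName, LastName FROM Customers WHERE FirstName = ?"
    cmd.Parameters.Append cmd.CreateParameter("@FirstName", adVarWChar, adParamInput, 50, firstName)
    Set FindCustomersByFirstName = cmd.Execute
End Function

' Output encoding per context. The trailing & "" turns a Null column value
' into an empty string, which Server.HTMLEncode requires.
Sub RenderResults(firstName, rs)
    ' text inside an element
    Response.Write "<h2>Results for " & Server.HTMLEncode(firstName) & "</h2>"
    ' inside a quoted attribute
    Response.Write "<input type=""text"" name=""firstname"" value=""" & Server.HTMLEncode(firstName) & """>"
    ' inside a URL that is itself inside an attribute: URL-encode, then HTML-encode
    Response.Write "<a href=""search.asp?firstname=" & Server.HTMLEncode(Server.URLEncode(firstName)) & """>Search again</a>"
    Response.Write "<ul>"
    Do Until rs.EOF
        Response.Write "<li>" & Server.HTMLEncode(rs("FirstName") & "") & " " & Server.HTMLEncode(rs("LastName") & "") & "</li>"
        rs.MoveNext
    Loop
    Response.Write "</ul>"
End Sub

Dim firstName, conn, rs
firstName = Trim(Request.Form("firstname"))
If Not IsValidName(firstName) Then
    Response.Write "<p>Enter a first name using letters, spaces, hyphens or apostrophes only.</p>"
Else
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open ConnString
    Set rs = FindCustomersByFirstName(conn, firstName)
    RenderResults firstName, rs
    rs.Close
    conn.Close
End If
%>
```

With this structure the doubled-apostrophe escaping in CleanString is no longer needed for the query, and the `&quot;` replacement is replaced by Server.HTMLEncode at output time, which also covers `<`, `>` and `&`. The keyword filter can still run alongside it as a logging tripwire.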


Posted By: wistex
Date Posted: 18 January 2010 at 12:14pm
Thanks, this is exactly what I was looking for.

-------------
http://www.wistex.com - WisTex Solutions
http://www.caribbeanchoice.com/forums - CaribbeanChoice Forums


Posted By: stevesensei
Date Posted: 19 January 2010 at 5:15pm
I have some code to protect against cross site scripting but have not had a chance to add it yet. Also, the tmp strings should be updated periodically to add new hacking strings. There are a couple of blogs out there about SQL injection attacks and I use them to find new hacking strings to add to the filter.


Posted By: wistex
Date Posted: 20 January 2010 at 1:53pm
I tried it, but if any of the offending substrings are in there, it gives a 500 error instead of completing.

-------------
http://www.wistex.com - WisTex Solutions
http://www.caribbeanchoice.com/forums - CaribbeanChoice Forums


Posted By: stevesensei
Date Posted: 20 January 2010 at 3:48pm
Make sure the file in this line (logHack.txt).....
 
set wf = fso.opentextfile(server.mappath("..\logs\logHack.txt"), 8, true)
.....actually exists and the folder it's in is write-enabled.
 
Also, if you're using IE, uncheck "Show Friendly HTTP Error Messages" in your options. This will give you the actual error (if any) and the line number of the error in the file.
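The two conditions named in that reply (the logs folder must exist and the IIS identity must be able to write to it) can be checked in code rather than discovered through a 500 error. The following is an added example (editor's code, not from the thread) of a log-append helper that returns a specific diagnostic instead of raising; it reuses the "..\logs\logHack.txt" path from the thread, and the function name AppendToHackLog is an assumption.

```vbscript
<%
' Added example, not part of the original thread: append to the hack log and
' return "" on success or a message saying what is wrong with the log location.
Const ForAppending = 8

Function AppendToHackLog(logRelPath, text)
    Dim fso, logPath, folderPath, wf
    Set fso = Server.CreateObject("Scripting.FileSystemObject")

    ' Server.MapPath with ".." needs "Enable parent paths" switched on in IIS;
    ' if it is off, this line is where the page fails.
    logPath = Server.MapPath(logRelPath)
    folderPath = fso.GetParentFolderName(logPath)

    ' OpenTextFile can create a missing file but never a missing folder
    If Not fso.FolderExists(folderPath) Then
        AppendToHackLog = "Log folder does not exist: " & folderPath
        Exit Function
    End If

    On Error Resume Next
    Set wf = fso.OpenTextFile(logPath, ForAppending, True)   ' True = create file if missing
    If Err.Number <> 0 Then
        ' Typically "Permission denied": the IIS worker/anonymous account lacks NTFS write access
        AppendToHackLog = "Cannot open log for append: " & Err.Description
        Err.Clear
        Exit Function
    End If

    wf.WriteLine Now & " " & text
    If Err.Number <> 0 Then
        AppendToHackLog = "Write failed: " & Err.Description
        Err.Clear
    Else
        AppendToHackLog = ""
    End If
    wf.Close
    On Error GoTo 0
End Function

' Usage: run once on a test page to confirm the log location before wiring it
' into the filter. Any message it returns is the cause of the 500 error.
Dim result
result = AppendToHackLog("..\logs\logHack.txt", "log self-test")
If result <> "" Then
    Response.Write "<pre>" & Server.HTMLEncode(result) & "</pre>"
Else
    Response.Write "<p>Log entry written.</p>"
End If
%>
```

Because On Error Resume Next is scoped to the function, the calling page keeps normal error handling; the helper reports the problem and the caller decides whether to continue without a log entry.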


