Grapii » Forms http://www.grapii.com Personal Site of Raj Patel Mon, 06 Sep 2010 13:45:46 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Form security using SESSION.SESSIONID http://www.grapii.com/2008/01/form-security-using-sessionsessionid/ http://www.grapii.com/2008/01/form-security-using-sessionsessionid/#comments Fri, 18 Jan 2008 10:03:47 +0000 grapii http://www.grapii.com/?p=17 I’ve been having problems recently with attempted spamming exploits on my form to email scripts (i.e. users downloading forms, messing with them and then submitting them remotely to my form handling scripts) and thought I’d see if comparing the sessionID of the sending pages and form handling pages could help to weed out these fake submissions.

I also thought it would be even more secure if the I used a hashed version of the SessionID.

First I included the MD5 function in both the sending and form handling pages as it isn’t included with ASP

<!--#include file="md5.asp"-->

Then I defined a variable for the hashed SessionID

Dim strHashedSessionID
strHashedSessionID = MD5(Session.SessionID)

Next I added the hashed SessionID to the querystring of the form handling page

<form method="post" action="formhandler.asp?sender=">

On the form handling page, I added a server-side error message, generated only if the two values don’t match

<%
If Not Request.QueryString("sender") = strHashedSessionID Then
 Response.Write "Authentication error: Please re-sumbit the form"
End If
%>

Finally, if the two values do match, the email is sent

<%
If Request.QueryString("sender") = strHashedSessionID Then
 'send the email using CDOSYS
End If
%>

After adding some additional server-side form validation, I added the additional security scripting to my contact form.

]]> http://www.grapii.com/2008/01/form-security-using-sessionsessionid/feed/ 0 Reducing the Risk of SQL Injection Attack http://www.grapii.com/2008/01/reducing-the-risk-of-sql-injection-attack/ http://www.grapii.com/2008/01/reducing-the-risk-of-sql-injection-attack/#comments Fri, 11 Jan 2008 13:18:47 +0000 grapii http://www.grapii.com/?p=7 Databases can be compromised if they are open to SQL Injection Attack. Stripping invalid characters from form inputs will reduce this risk.

If you have a form on your site that interacts with a database (e.g. a username/password login form), you should secure the form by adding an additional stage between submission and the database look-up. One way to do this is to check for valid content.

As usenames and passwords are usually strings of alphanumeric characters, you can strip out ‘bad’ characters from the input string.
The easiest way to do this is to collect the form’s input and check each character against a regular expression, removing any that are invalid.

The code below removes all non-alphanumeric characters from the input string:

<%
'gets the text submitted via a form
Dim strUsername, strPassword
strUsername = Request.Form("username")
strPassword = Request.Form("password")

'call the function to use
strUsername = stripString(strUsername)
strPassword = stripString(strPassword)

'function to strip all non-alphnumric characters
function stripString(strInput)
 Dim objRE
 Set objRE = New RegExp
 With objRE
  .Pattern = "[^A-Za-z0-9]"
  .Global = True
 End With
 stripChars = objRE.Replace(strInput, "")
 Set objRE = nothing
End Function
%>
]]> http://www.grapii.com/2008/01/reducing-the-risk-of-sql-injection-attack/feed/ 0