comments on input attack article
I should probably do this tomorrow after sleeping so I can actually write
and run test code, but I just saw the article now so...
On page 1:
First, don't most people use VBScript to write ASP pages, or maybe it's just
me? (Yeah, I know it's a minor point, but it has more importance later on.)
<youSaid>
SELECT count(*) FROM client WHERE (name='x' or 1) or ('1')
</youSaid>
Something's not right about the SQL statement. At least Query Analyzer on
MS SQL 7 doesn't like it, with name being a varchar in a database called
client. It didn't produce any useful error message though (SELECT
count(*) FROM client by itself worked fine). But then, you were using an
Access DB.
So the SQL statement will fail, passing control to the catch part of your
code and denying access.
<youSaid>
the value of count(*) will always be one or greater
</youSaid>
No. If the table is empty, how could it return something? (This is assuming
a good SQL statement.)
page 2:
You said to change the 500-100 error message in order to not send
information to a possible hacker. Wouldn't the better solution be to change
the option in the IIS control panel under "Application Configuration" to
"Send text error message to client" instead of the default "Send detailed
ASP error messages to client"?
It would seem like the more built-in method would be better.
page 3:
This is where the differences between VBScript and JScript are big.
First, VBScript needs to create the RegEx object, which JScript doesn't need,
so someone who uses VBScript and doesn't use regular expressions may have a
problem converting it.
Second, VBScript doesn't use / to mark the beginning and end of the regular
expression, but ".
So it may be useful to point out the differences, or at least that there are
differences, beyond putting a semicolon at the end of the line.
<youSaid>
if (strName.search(/[^A-Za-z 0-9]/) != -1) return false;
This code will search strName and if it contains anything other than
uppercase letters, lowercase letters, whitespace, or numbers (that's what
the ^ means), then the input is rejected.
</youSaid>
Isn't it better style to use:
if (strName.match(/^[a-z 0-9]*$/i) == null) return false;
Since that way you're saying what the string has to be made up of instead of
what it can have in it. Then again, I think I'm getting too tired from it
being late and converting between JScript and VBScript.
page 5:
Shouldn't you avoid depending on the order in which the SQL server gives you
the data? So things like:
oRS(0).Value
shouldn't be used; it should be oRS('name').
You know, there seemed to be real errors before I figured out how JScript
works in terms of regular expressions.
Now if only it were possible to write a regular expression for a URL without
false bad matches. It's so hard to make good regular expressions that aren't
more restrictive than they have to be.
--
Eli Allen
eallen@bcpl.net
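The two input checks argued about above, run against the injection string the article's query is built from. This is an added example, not code from the DevX article or from the poster: the table and column names (client, name) follow the article's SELECT, the payload is constructed for this example, and the JScript syntax from the post is corrected (match() returns null on failure, and the comparison is "== null"/"=== null", not "= Null").

```javascript
// Added example (not from the article or the forum post): an ASP/JScript-style
// login query assembled by string concatenation, checked with the article's
// denylist regex and the poster's allowlist regex.

// Constructed payload: it closes the quoted literal and the parenthesis in the
// article's query, then ORs in a tautology, so count(*) is never zero.
const INJECTION_PAYLOAD = "x' or 1) or ('1";

// Vulnerable: untrusted input is concatenated straight into the SQL text.
function buildQuery(name) {
  return "SELECT count(*) FROM client WHERE (name='" + name + "')";
}

// Article's check: reject if any character is outside [A-Za-z 0-9].
// Note the class contains a literal space only, not all whitespace.
function denylistOk(strName) {
  return strName.search(/[^A-Za-z 0-9]/) === -1;
}

// Poster's check, with the JScript syntax fixed: ^ and $ anchor the pattern so
// it states what the whole string must consist of. Because of the * it still
// accepts the empty string.
function allowlistOk(strName) {
  return strName.match(/^[a-z 0-9]*$/i) !== null;
}

// Same allowlist with + instead of *, so an empty name is rejected as well.
function allowlistNonEmptyOk(strName) {
  return /^[a-z 0-9]+$/i.test(strName);
}

// Gate the query on the allowlist. Returns null instead of a query when the
// input is rejected; the caller treats that as a failed login.
function safeQuery(name) {
  if (!allowlistNonEmptyOk(name)) return null;
  return buildQuery(name);
}

// Stand-alone demonstration.
console.log(buildQuery(INJECTION_PAYLOAD));   // the tautology reaches the DB
console.log(denylistOk(INJECTION_PAYLOAD));   // false
console.log(allowlistOk(INJECTION_PAYLOAD));  // false
console.log(safeQuery(INJECTION_PAYLOAD));    // null
console.log(safeQuery("Eli Allen"));          // well-formed query
```

Both regexes reject the payload because of the quote and the parentheses; the allowlist form reads more clearly and is easier to audit, and it is the one to tighten further (for example with + rather than *). Either check is a filter in front of the real fix, which in classic ASP is to bind the value with an ADODB.Command parameter instead of concatenating it into the statement.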
Re: comments on input attack article
"Eli Allen" <eallen@bcpl.net> wrote:
<snip>
Yeah, there's a typo in the SQL statement. I'll fine-tune the code tonight
and get the update posted.