Filter user input to improve security in ASP

Date: 2003-12-23

Security matters for every application. A single mistake in even a simple application can give an attacker unauthorized access to the database or other enterprise resources, so it deserves particular attention. One common attack method is to embed commands in the user's input; filtering illegal characters out of that input is a way to prevent it. Allowing users to enter illegal characters only gives them more opportunities to cause problems.

For example, many applications accept user input that is appended to the WHERE clause of a SQL command. A malicious user can then run their own code on the database server by adding extra commands to the text they enter. Instead of entering "smith" as the search string, they enter something like "smith'; exec master" or "smith'; DIR *.EXE".

The code described here is designed to handle multiple Recordsets returned from the server. The user's input contains an additional, unexpected command, and when the NextRecordset method is called, the hidden malicious code is executed. This attack can be avoided by filtering the illegal characters out of the user's input (shown in the commented section of that code). After doing so, the user's input is still processed, but with all illegal characters removed.
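The ASP code the article refers to is not reproduced on this page, so the following is an added example, written in Python rather than VBScript and not taken from the original article, that illustrates the same idea: a filter that strips the characters an attacker needs to break out of a quoted search term (quotes, semicolon, comment markers), a detection helper that flags inputs containing them, and a lookup that additionally passes the filtered value as a bound parameter. The `customers` table, its rows, and the token list are constructed for this example; `unsafe_sql` only builds the concatenated statement as text so the reader can see how the quote changes it.

```python
import re
import sqlite3

# Tokens that let input break out of a quoted SQL literal or append a second
# statement: quotes, statement separator, comment markers, backslash.
# Constructed list for this example; the article's own filter code is not shown.
ILLEGAL_TOKENS = re.compile(r"""['"`;\\]|--|/\*|\*/""")


def filter_input(raw: str) -> str:
    """The article's mitigation: strip illegal characters, then normalise whitespace.
    Returns the cleaned value and never raises, so processing can continue."""
    cleaned = ILLEGAL_TOKENS.sub(" ", raw)
    return " ".join(cleaned.split())


def is_suspicious(raw: str) -> bool:
    """Detection helper: True when the raw input contained a filtered token.
    Worth logging; a legitimate search term rarely needs these characters."""
    return ILLEGAL_TOKENS.search(raw) is not None


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the article's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("smith",), ("jones",), ("smithson",)])
    return conn


def unsafe_sql(raw: str) -> str:
    """String concatenation, the pattern the article warns about. Returned as
    text only, to show how a quote in the input alters the statement."""
    return "SELECT name FROM customers WHERE name = '" + raw + "'"


def search_by_name(conn: sqlite3.Connection, raw: str) -> list:
    """Hardened lookup: the filtered term is passed as a bound parameter, so the
    driver treats it strictly as data whatever characters survived the filter."""
    term = filter_input(raw)
    rows = conn.execute("SELECT name FROM customers WHERE name = ?", (term,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_demo_db()
    for submitted in ("smith", "smith'; exec master"):
        print(repr(submitted),
              "suspicious:", is_suspicious(submitted),
              "filtered:", repr(filter_input(submitted)),
              "rows:", search_by_name(db, submitted))
```

Character filtering alone is a blunt instrument: it changes legitimate input (an O'Brien becomes O Brien) and a list of forbidden tokens is easy to get wrong. The bound parameter in `search_by_name` is what actually guarantees the value cannot become part of the statement; the filter and `is_suspicious` are then useful mainly for rejecting and logging obviously hostile submissions. In classic ASP the equivalent is an ADODB.Command with Parameters rather than building the SQL string with `&`.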

Please cite the original address when reposting: https://www.9cbs.com/read-68857.html
