Removing illegal characters

By martync
All the reading I've been doing tells me I have to make sure to remove any chance of 'SQL insertion' etc, into my forms, but can't find a practical example of how this is done in JScript.

I'm trying to use the 'replace' method to remove character combinations like '<%' etc.
sample code:

var vName = Request.form("name");
vName.Replace(/<%/, "");

returns error - Error Type:
Microsoft JScript runtime (0x800A138F)
Object expected

Where am I going wrong?


ideas on security from CGI

by Jay Eckles, in reply to Removing illegal characters

Take a look at
http://www.jayeckles.com/cgi/security.html
It's the security section of my introduction to CGI. I know you're dealing with ASP, but many of the concepts are the same. Basically, what you want to do is determine what characters are acceptable as input to your program, and filter out all others. Before you do anything with the input from a form, look at each character, determine if it's part of the "acceptable" list, and if not, throw it away; otherwise, append it to the "safe" variable. Once you've done this for all your input, you then process the "safe" variable and throw away the original form input.

The alternative, throwing away characters you've identified as dangerous, leaves open the possibility that you have not identified all "bad" characters and you might still be open to attack.

To summarize, the task is not removing illegal characters; rather, it is retaining legal characters. Subtle but important distinction.

Jay
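The allow-list filter Jay describes, written out as an added example (it is not code from either poster). It is plain JavaScript in ES3 style so it also runs under classic ASP JScript; the ASP-specific part is only a comment. The function names, the allowed character set for a "name" field, and the sample inputs are all assumptions made for the illustration. Alongside it is a corrected version of the question's own deny-list attempt (lower-case `replace`, global flag, result assigned), kept only to show why deleting "bad" sequences is not the same as keeping "good" characters:

```javascript
// Added example, not from the original thread. ES3-style JavaScript so it
// runs both in Node and in classic ASP JScript.
// Note for ASP: Request.Form("name") is a COM object, not a JScript string,
// so convert it before calling string methods:
//   var raw = String(Request.Form("name"));

// Keep only the characters matching `allowed` (a single-character regex,
// anchored with ^ and $, no `g` flag). Everything else is thrown away.
function keepAllowed(input, allowed) {
  var s = String(input);          // assumption: input may not be a string
  var safe = "";
  for (var i = 0; i < s.length; i++) {
    var ch = s.charAt(i);
    if (allowed.test(ch)) {
      safe += ch;                 // acceptable: append to the "safe" variable
    }
    // otherwise the character is discarded
  }
  return safe;
}

// Assumed policy for a "name" field: letters, digits, space and hyphen.
// Quotes, angle brackets, percent signs and semicolons are simply not on
// the list, so they never reach the rest of the program.
var NAME_CHARS = /^[A-Za-z0-9 \-]$/;

function sanitizeName(raw) {
  return keepAllowed(raw, NAME_CHARS);
}

// The deny-list approach from the question, corrected so it runs:
// JScript is case-sensitive (replace, not Replace), the regex needs the
// global flag to hit every occurrence, and replace returns a new string.
function stripAspTags(raw) {
  return String(raw).replace(/<%/g, "");
}

// Constructed inputs (not real submitted data).
var SAMPLE_NAME = "Mary-Ann O'Brien<%=Request.ServerVariables%>; DROP TABLE users--";
var NESTED_TAG = "<<%%";   // deleting the inner "<%" once leaves "<%" behind

// sanitizeName(SAMPLE_NAME) -> "Mary-Ann OBrienRequestServerVariables DROP TABLE users--"
// stripAspTags(NESTED_TAG)  -> "<%"   (the deny-list filter reassembled the sequence)
// sanitizeName(NESTED_TAG)  -> ""     (the allow-list filter has nothing to keep)
```

The `NESTED_TAG` case is the concrete form of Jay's warning: a single pass that deletes "<%" turns "<<%%" into "<%", so the attacker only needs to double up the sequence. The allow-list version cannot be tricked this way because it never looks for bad patterns at all. One caveat a practitioner would add: character filtering limits what reaches the query, but the reliable defence against SQL injection is to pass form values as parameters (in classic ASP, an ADO Command with Parameters) rather than concatenating them into SQL text.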
