This is the start of a series of articles about how to protect your login from malicious user input.
What I'm going to demonstrate here is of course not the only way to do it, nor the best way to protect your website, but it can stop people from playing with your site.
Problem
Many of us, myself included (until I found out), build the login query by string concatenation: "select * from tblMembers where userid='" & Request.form("userid") & "' AND Password='" & Request.form("Password") & "'"
Now imagine what happens if someone guesses the userid to be admin and enters ' OR True ' as the password: he is into the website with the admin's permissions. If you also have a back-end system that you use to edit and delete website content, you can imagine what can be done.
Solution
What if you simply filter the user input? This solves the problem because users can no longer enter ' or even spaces. The code is below.
Filter.asp
<%
' Shared with the calling page: the error message(s) built by CheckFilter,
' and the status of the value currently being checked
Dim strFilterPrompt
Dim Filterstatus

' The characters we do not want a user to be able to input
Dim array322(28)
array322(0) = "'"
array322(1) = " "
array322(2) = "<"
array322(3) = "&"
array322(4) = "."
array322(5) = ","
array322(6) = "/"
array322(7) = "\"
array322(8) = "?"
array322(9) = "!"
array322(10) = "~"
array322(11) = "`"
array322(12) = "*"
array322(13) = "@"
array322(14) = "#"
array322(15) = "$"
array322(16) = "%"
array322(17) = "^"
array322(18) = "("
array322(19) = ")"
array322(20) = "}"
array322(21) = "{"
array322(22) = "]"
array322(23) = "["
array322(24) = "+"
array322(25) = "="
array322(26) = "|"
array322(27) = ";"
array322(28) = ":"
First we build a list of invalid characters, the characters that we don't want the user to be able to input.
Then the function below checks whether any of these characters has been entered in any of the values. For each value that contains one, it appends an error message for the user to strFilterPrompt, and loops until all values have been checked.
Filter.asp - continued
' strValues: comma-separated list of the values to check
' strNames:  comma-separated list of the matching field names, in the same order,
'            used to build the error message
function CheckFilter(strValues, strNames)
    Dim i, j
    Dim ValuesArray, NamesArray
    strFilterPrompt = " "
    ValuesArray = split(strValues, ",", -1, 1)
    NamesArray = split(strNames, ",", -1, 1)
    for j = lbound(ValuesArray) to ubound(ValuesArray)
        ' Assume the value is clean until a blocked character is found in it
        Filterstatus = True
        for i = lbound(array322) to ubound(array322)
            if InStr(ValuesArray(j), array322(i)) > 0 then
                Filterstatus = False
            end if
        next
        If Filterstatus = False then
            strFilterPrompt = strFilterPrompt & "Please enter a valid " & NamesArray(j) & "<br>"
        end if
    next
End function
%>
This is the page that calls the function. It can be any page that deals with user input.
login.asp
<!--#include file="filter.asp"-->
<%
' The include directive above is processed before the script runs, so it sits outside the <% %> block
Dim strUser, strPWD
strUser = Server.HTMLEncode(Request.Form("UserID"))
strPWD = Server.HTMLEncode(Request.Form("Password"))
' Values and field names are passed as two comma-separated lists, in the same order
Call CheckFilter(strUser & "," & strPWD, "UserID,Password")
if strFilterPrompt <> " " then
    Response.Write strFilterPrompt
else
    'Login Code
End if
%>
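The filter and login flow above, as an added Python example rather than the article's own ASP code: it ports CheckFilter, passing values and names as two lists so that a comma inside an input cannot shift a value out of line with its field name, and pairs it with a parameterized query against a constructed in-memory SQLite table, the usual defensive complement to input filtering.

```python
import sqlite3

# Blocklist from the article's Filter.asp (array322), as a Python set.
BLOCKED = set("' <&.,/\\?!~`*@#$%^(){}[]+=|;:")


def check_filter(values, names):
    """Port of CheckFilter. values and names are parallel lists.
    Returns one prompt per field containing a blocked character
    (an empty list means every value is clean)."""
    prompts = []
    for value, name in zip(values, names):
        if any(ch in BLOCKED for ch in value):
            prompts.append(f"Please enter a valid {name}")
    return prompts


def make_members_db():
    """Constructed sample table; a real system stores a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblMembers (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO tblMembers VALUES ('admin', 'hunter2')")
    return conn


def find_member(conn, userid, password):
    """Bound parameters instead of string concatenation: the driver never
    treats the input as SQL, so the article's ' OR True ' payload is only
    a literal that matches no row."""
    row = conn.execute(
        "SELECT userid FROM tblMembers WHERE userid = ? AND password = ?",
        (userid, password),
    ).fetchone()
    return row is not None


def login(conn, userid, password):
    """Filter first, as login.asp does, then look the member up.
    Returns (logged_in, prompts)."""
    prompts = check_filter([userid, password], ["UserID", "Password"])
    if prompts:
        return False, prompts
    return find_member(conn, userid, password), []


if __name__ == "__main__":
    db = make_members_db()
    print(login(db, "admin", "hunter2"))      # (True, [])
    print(login(db, "admin", "' OR True '"))  # (False, ['Please enter a valid Password'])
```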