homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Microsoft / Microsoft IIS Web Server and ASP.NET
Forum Library, Charter, Moderators: ocean10000

Microsoft IIS Web Server and ASP.NET Forum

Protecting classic ASP site against viruses

5+ Year Member

Msg#: 3992132 posted 12:39 pm on Sep 19, 2009 (gmt 0)


How can I protect Classic ASP site from viruses?

Need some suggestions...




WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

Msg#: 3992132 posted 3:14 pm on Sep 19, 2009 (gmt 0)

I am assuming you keep the server patched with the latest patches released by Microsoft for the OS Version. Along with the other software installed on the software. And that you have a firewall in place to only allow access to the ports needed to run the webserver.

The next most common thing to protect a site is to prevent Injection attacks.

Some Links and pointers to see if your site is currently vulnerable to SQL Injection and related style attacks. And other links to help you fix the problems that you may find.

Microsoft Security Advisory (954462) [microsoft.com]


5+ Year Member

Msg#: 3992132 posted 2:00 pm on Sep 25, 2009 (gmt 0)

Hi, could this code protect against SQL injection? I found it after trying to find a way to combat same.

Put it in the head of the login.asp page.

'Declare MyUsername and MyPassword variables
Dim MyUsername, MyPassword
'get the username and password fields from your form

'Call the function IllegalChars to check for illegal characters
If IllegalChars(MyUsername)=True OR IllegalChars(MyPassword)=True Then
End If

'Function IllegalChars to guard against SQL injection
Function IllegalChars(sInput)
'Declare variables
Dim sBadChars, iCounter
'Set IllegalChars to False
'Create an array of illegal characters and words
sBadChars=array("select", "drop", ";", "--", "insert", "delete", "xp_", _
"#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "¦", "declare", "convert")
'Loop through array sBadChars using our counter & UBound function
For iCounter = 0 to uBound(sBadChars)
'Use Function Instr to check presence of illegal character in our variable
If Instr(sInput,sBadChars(iCounter))>0 Then
End If
End function

I'd also love to know if there is any way that someone can get around this piece of code?


WebmasterWorld Senior Member 10+ Year Member

Msg#: 3992132 posted 3:04 pm on Sep 25, 2009 (gmt 0)

I suppose it would work, but it would be very annoying if I decided to have one of those characters in my password.

The best way to protect yourself from SQL injection is to use Stored Procedures or Parametrised Queries instead of inline SQL. And also follow the instructions in the link that Ocean10000 provided.


5+ Year Member

Msg#: 3992132 posted 12:06 am on Feb 1, 2010 (gmt 0)

I'm pretty sure that InStr by default does a case sensitive comparison

So it would not catch, "sElect", "drOp", "inseRt", "dElete", "xP_"

If that were the case then instead use
If Instr(sInput,sBadChars(iCounter),1)>0 Then


5+ Year Member

Msg#: 3992132 posted 12:23 pm on Feb 2, 2010 (gmt 0)

I've yet to see a virus attack classic ASP itself, and yet to come across any vulnerability with classic ASP.

The only vulnerability I've seen is with things like SQL, and people deliberately leaving back doors open.

type_of_search = 1 for a text, caseless search.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Microsoft / Microsoft IIS Web Server and ASP.NET
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved