
Scrubbing forms to protect from XSS and SQL injections

Protection from XSS and SQL injections


Matman

8:45 pm on Feb 5, 2008 (gmt 0)

Currently I scrub all fields using this script:

function validateLastname(fld) {
    // Characters rejected in a last name; the regex matches any one of them.
    var illegalChars = /[\(\)\<\>\,\;\:\\\/\"\'\[\]]/;
    var error = "";
    // Inline hint element shown next to the field.
    var hint = document.getElementById("flname");

    if (fld.value == "") {
        error = "You didn't enter a Last Name.\n";
        hint.innerText = "Enter Last Name";
    } else if (illegalChars.test(fld.value)) {
        error = "Last Name contains illegal characters.\n";
        hint.innerText = "Contains Illegal Characters";
    } else {
        // Valid: clear any previous hint.
        hint.innerText = "";
    }
    return error;
}

My question is should I be adding additional characters like ^ and & or anything else that would leave us open to attack?

Thanks!
Mat


encyclo

3:34 pm on Feb 6, 2008 (gmt 0)

Welcome to WebmasterWorld Matman! Unfortunately, there is very little protection offered by client-side JavaScript when it comes to XSS attacks. The attacker can simply disable JavaScript. The same goes for automated attacks; the bots don't check the JavaScript at all.

You must enforce the restrictions server-side (PHP, ASP, etc.), with the JS just used as a simple check before the form is submitted.
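Server-side enforcement of the same check, as an added example that is not code from this thread or from Matman's site: it is written for Node.js (assumed, since the thread's code is JavaScript; the site itself is ASP classic) and shows the validation running on the server, where disabling JavaScript in the browser cannot skip it, together with the HTML output encoding that the blocklist alone does not provide.

```javascript
// Added example (not from the thread). Node.js is assumed; the handler below
// models a POST route and takes its input straight from the request body.

// Same blocklist as the client-side script in the thread.
const ILLEGAL_CHARS = /[()<>,;:\\\/"'\[\]]/;

// Server-side validation: returns "" when the value is acceptable, otherwise
// an error message. Never assume the browser already ran this check.
function validateLastname(value) {
  if (typeof value !== "string" || value.trim() === "") {
    return "You didn't enter a Last Name.";
  }
  if (value.length > 64) {           // assumed limit; also bounds stored data
    return "Last Name is too long.";
  }
  if (ILLEGAL_CHARS.test(value)) {
    return "Last Name contains illegal characters.";
  }
  return "";
}

// Output encoding. The blocklist lets & through (correct for "Smith & Sons"),
// so every stored value must still be encoded when written into HTML: the
// blocklist decides what is accepted, encoding decides how it is rendered.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Models the POST handler. The body comes directly from the request, so the
// client-side script may never have run at all.
function handleSubmission(body) {
  const err = validateLastname(body.lastname);
  if (err) {
    return { status: 400, html: "<p>" + escapeHtml(err) + "</p>" };
  }
  // Any database write (not shown) would use a parameterised query, never
  // string concatenation, regardless of the validation above.
  return { status: 200, html: "<p>Hello, " + escapeHtml(body.lastname) + "</p>" };
}
```

Note that the blocklist also rejects legitimate names such as O'Brien; an allowlist of permitted characters, combined with the encoding above, is usually the better server-side rule.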

Matman

6:26 pm on Feb 6, 2008 (gmt 0)

Thanks encyclo for the reply. Obviously I have much to learn about these types of attacks and how to protect against them.

The site is written in ASP classic. Can you point me to where I might be able to find some sample code to protect against these types of attacks?

Thanks again!
Mat