Welcome to WebmasterWorld Guest from 54.145.39.186

Forum Moderators: ocean10000

Message Too Old, No Replies

Protecting classic ASP site against viruses

     

abidshahzad4u

12:39 pm on Sep 19, 2009 (gmt 0)

5+ Year Member



Hi

How can I protect Classic ASP site from viruses?

Need some suggestions...

thanks

Ocean10000

3:14 pm on Sep 19, 2009 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I am assuming you keep the server patched with the latest patches released by Microsoft for the OS Version. Along with the other software installed on the software. And that you have a firewall in place to only allow access to the ports needed to run the webserver.

The next most common thing to protect a site is to prevent Injection attacks.

Some Links and pointers to see if your site is currently vulnerable to SQL Injection and related style attacks. And other links to help you fix the problems that you may find.

Microsoft Security Advisory (954462) [microsoft.com]

KRMwebdesign

2:00 pm on Sep 25, 2009 (gmt 0)

5+ Year Member



Hi, could this code protect against SQL injection? I found it after trying to find a way to combat same.

Put it in the head of the login.asp page.

<%
'Declare MyUsername and MyPassword variables
Dim MyUsername, MyPassword
'get the username and password fields from your form
MyUsername=Request.Form("username")
MyPassword=Request.Form("password")

'Call the function IllegalChars to check for illegal characters
If IllegalChars(MyUsername)=True OR IllegalChars(MyPassword)=True Then
Response.redirect("no_access.asp")
End If

'Function IllegalChars to guard against SQL injection
Function IllegalChars(sInput)
'Declare variables
Dim sBadChars, iCounter
'Set IllegalChars to False
IllegalChars=False
'Create an array of illegal characters and words
sBadChars=array("select", "drop", ";", "--", "insert", "delete", "xp_", _
"#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "¦", "declare", "convert")
'Loop through array sBadChars using our counter & UBound function
For iCounter = 0 to uBound(sBadChars)
'Use Function Instr to check presence of illegal character in our variable
If Instr(sInput,sBadChars(iCounter))>0 Then
IllegalChars=True
End If
Next
End function
%>

I'd also love to know if there is any way that someone can get around this piece of code?

marcel

3:04 pm on Sep 25, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I suppose it would work, but it would be very annoying if I decided to have one of those characters in my password.

The best way to protect yourself from SQL injection is to use Stored Procedures or Parametrised Queries instead of inline SQL. And also follow the instructions in the link that Ocean10000 provided.

aish1108

12:06 am on Feb 1, 2010 (gmt 0)

5+ Year Member



I'm pretty sure that InStr by default does a case sensitive comparison
[w3schools.com...]

So it would not catch, "sElect", "drOp", "inseRt", "dElete", "xP_"

If that were the case then instead use
If Instr(sInput,sBadChars(iCounter),1)>0 Then

Seb7

12:23 pm on Feb 2, 2010 (gmt 0)

5+ Year Member



I've yet to see a virus attack classic ASP itself, and yet to come across any vulnerability with classic ASP.

The only vulnerability I've seen is with things like SQL, and people deliberately leaving back doors open.

--
instr(num_start,str_to_be_search,str_searching_with,type_of_search)
type_of_search = 1 for a text, caseless search.
 

Featured Threads

Hot Threads This Week

Hot Threads This Month