The bug ticket complained, “When I try and update a certain page in the CMS, I get a ‘file not found’ error.” It included more details, explaining which page specifically was the culprit, but Michael was still confused. This application had been in use for over a decade, and no one had ever had a complaint like this. He also couldn’t replicate it, at least not until he got the user to provide the specific text they were trying to use in the update.

As soon as he noticed the sentence “Stop; declare your intent!”, he realized it must have something to do with their SQL injection protection.


'check for bad strings
function checkforbad(str)
	dim bad
	bad = false
	'get rid of spaces
	str = replace(str,"%20"," ")
	str = replace(str,"+"," ")
	str = replace(str," ","")
	
	'compare mode 1 is vbTextCompare (case-insensitive), so once the spaces are gone
	'ordinary prose like "Stop; declare" contains ";DECLARE" and is flagged
	if instr(1, str,";DECLARE", 1) > 0 then bad= true
	if instr(1, str,";SELECT", 1) > 0 then bad= true
	if instr(1, str,";INSERT", 1) > 0 then bad= true
	if instr(1, str,";UPDATE", 1) > 0 then bad= true
	if instr(1, str,";DELETE", 1) > 0 then bad= true
	if instr(1, str,";ALTER", 1) > 0 then bad= true
	if instr(1, str,";DROP", 1) > 0 then bad= true
	if instr(1, str,";CREATE", 1) > 0 then bad= true
	if instr(1, str,";EXEC", 1) > 0 then bad= true
	if instr(1, str,";TRUNCATE", 1) > 0 then bad= true
	
	checkforbad = bad
end function

But why on Earth was the error a 404 and not a, “Hey, don’t do this!” message, or at least a 500?

function checkforsqlinjection()
	dim stoppage
	stoppage = false
	if checkforbad(urldecode(request.querystring())) then stoppage = true
	if checkforbad(urldecode(request.form())) then stoppage = true

	'so if there is sql injection type code going on give them a 404 and don't go any further
	if stoppage then
		Response.Status = 404
		Response.End
	end if

end function
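An added example, not the article's ASP code: it reproduces the checkforbad() normalisation in Python so the false positive on the ticket's sentence can be seen, and then stores that same text through a parameterised query, where the text is data rather than SQL. The sqlite3 table and column names are assumptions.

```python
import sqlite3

# Same fragments as the ASP blocklist, matched case-insensitively after
# URL-encoded and literal spaces have been stripped out of the input.
BAD_FRAGMENTS = [";DECLARE", ";SELECT", ";INSERT", ";UPDATE", ";DELETE",
                 ";ALTER", ";DROP", ";CREATE", ";EXEC", ";TRUNCATE"]


def check_for_bad(text: str) -> bool:
    """Python re-creation of checkforbad(): True means the request is rejected."""
    text = text.replace("%20", " ").replace("+", " ").replace(" ", "")
    upper = text.upper()  # instr compare mode 1 == case-insensitive
    return any(fragment in upper for fragment in BAD_FRAGMENTS)


def store_page_body(conn: sqlite3.Connection, page_id: int, body: str) -> str:
    """Update the page with a parameterised query and return what was stored.

    The body is bound as a parameter, so a semicolon followed by DECLARE is
    just text; no keyword filtering is needed for the query to be safe.
    """
    conn.execute("UPDATE pages SET body = ? WHERE id = ?", (body, page_id))
    row = conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0]


def demo() -> tuple:
    # Constructed sample: the sentence from the bug ticket.
    ticket_text = "Stop; declare your intent!"
    flagged = check_for_bad(ticket_text)  # True: the blocklist rejects plain prose

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO pages VALUES (1, 'old body')")
    stored = store_page_body(conn, 1, ticket_text)  # text survives unchanged
    return flagged, stored


if __name__ == "__main__":
    print(demo())
```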