The bug ticket complained, “When I try and update a certain page in the CMS, I get a ‘file not found’ error.” It included more details, explaining which specific page was the culprit, but Michael was still confused. This application had been in use for over a decade, and no one had ever had a complaint like this. He also couldn’t replicate it, at least not until he got the user to provide the specific text they were trying to use in the update.
As soon as he noticed the sentence “Stop; declare your intent!”, he realized it must have something to do with their SQL injection protection.
'check for bad strings
function checkforbad(str)
    dim bad
    bad = false
    'get rid of spaces
    str = replace(str,"%20"," ")
    str = replace(str,"+"," ")
    str = replace(str," ","")
    if instr(1, str,";DECLARE", 1) > 0 then bad = true
    if instr(1, str,";SELECT", 1) > 0 then bad = true
    if instr(1, str,";INSERT", 1) > 0 then bad = true
    if instr(1, str,";UPDATE", 1) > 0 then bad = true
    if instr(1, str,";DELETE", 1) > 0 then bad = true
    if instr(1, str,";ALTER", 1) > 0 then bad = true
    if instr(1, str,";DROP", 1) > 0 then bad = true
    if instr(1, str,";CREATE", 1) > 0 then bad = true
    if instr(1, str,";EXEC", 1) > 0 then bad = true
    if instr(1, str,";TRUNCATE", 1) > 0 then bad = true
    checkforbad = bad
end function
But why on Earth was the error a 404 and not a “Hey, don’t do this!” message, or at least a 500?
function checkforsqlinjection()
    dim stoppage
    stoppage = false
    if checkforbad(urldecode(request.querystring())) then stoppage = true
    if checkforbad(urldecode(request.form())) then stoppage = true
    'so if there is sql injection type code going on give them a 404 and don't go any further
    if stoppage then
        Response.Status = 404
        Response.End
    end if
end function
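As an added illustration (not part of the original story or its code), here is a Python port of checkforbad() that reproduces the false positive on the user's sentence, placed next to the parameterised query the filter was standing in for. The sqlite table name `pages`, the function names and the sample inputs are constructed for this example.

```python
import sqlite3

# Keyword list copied from the page's VBScript checkforbad().
BAD_KEYWORDS = ("DECLARE", "SELECT", "INSERT", "UPDATE", "DELETE",
                "ALTER", "DROP", "CREATE", "EXEC", "TRUNCATE")


def check_for_bad(s: str) -> bool:
    """Python port of checkforbad(): strip every space, then look for
    ';KEYWORD' case-insensitively (instr(..., 1) is a text compare).
    Removing the spaces is what turns ordinary prose into a 'match'."""
    s = s.replace("%20", " ").replace("+", " ").replace(" ", "")
    upper = s.upper()
    return any(";" + kw in upper for kw in BAD_KEYWORDS)


def store_page_text(conn: sqlite3.Connection, page_id: int, body: str) -> str:
    """The mitigation the filter was substituting for: a parameterised query.
    The body travels as a bound parameter, never spliced into SQL text, so
    no sentence the user types needs to be blocked. Returns the stored body."""
    conn.execute("INSERT OR REPLACE INTO pages (id, body) VALUES (?, ?)",
                 (page_id, body))
    row = conn.execute("SELECT body FROM pages WHERE id = ?",
                       (page_id,)).fetchone()
    return row[0]


# Constructed sample inputs, as a CMS form would deliver them.
USER_SENTENCE = "Stop; declare your intent!"           # from the bug ticket
ALSO_BLOCKED = "Please update the page; selected items are in stock."
INNOCENT = "Nothing suspicious here"


def demo() -> tuple[dict, str]:
    """Run the filter over the samples and store the ticket's sentence safely."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    verdicts = {t: check_for_bad(t) for t in (USER_SENTENCE, ALSO_BLOCKED, INNOCENT)}
    stored = store_page_text(conn, 1, USER_SENTENCE)
    return verdicts, stored
```

The second sample shows the same failure mode with ";SELECT": any English clause that follows a semicolon with one of the ten keywords is rejected, while the parameterised insert stores the text exactly as typed.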