Re: Slightly OT: VBScript / ASP question

Greg Stark ( stark@generation.net )
12 May 1998 09:50:56 -0400

"Bill Appledorf" <bappled1@san.rr.com> writes:
>
> If you haven't encountered these problems yet, don't worry about it. When
> you do, you have the solution.

On the contrary, even if you haven't seen a problem, you have a
problem. If you use unchecked data from the network in database
queries of any kind you have a severe security problem. It is very
important to make sure all data is escaped properly before use in an
SQL query of any kind, whether a SELECT, an UPDATE, or an INSERT.

The profusion of VBScript functions to accomplish this is a bit
surprising. They are unnecessary with the current scripting engine
versions because the "replace" function accomplishes pretty much the
same thing and generates far fewer garbage memory allocations. (Though
there were memory leaks in various string functions including replace,
I'm under the impression those bugs are fixed now.)

In other words:
field = replace(request("field"),"'","''")

is more efficient, and much easier, than writing functions to loop
through the string with mid() and instr().

I am leaning towards sending this to bugtraq as the prevailing opinion
seems to be that checking this data is an inconsequential feature, and
the security implications seem to have escaped most programmers. The
principle is a really basic one, ALL data received from untrusted
users MUST be checked completely before use in trusted contexts like
SQL queries.

greg
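The quote-doubling idiom from the post, worked through against a real SQL engine as an added example (not code from the original message). It is written in Python with an in-memory sqlite3 database rather than VBScript/ADO so it can be run anywhere; the table, rows and the helper names are constructed for the illustration. It shows the failure of the unescaped query on a perfectly innocent value containing an apostrophe, the escaped query succeeding, and the bound-parameter form that avoids building query text from untrusted data at all.

```python
import sqlite3

def escape_sql_literal(value: str) -> str:
    """Python equivalent of the VBScript idiom replace(s, "'", "''").

    Doubling every single quote lets the value sit inside a
    '...'-delimited SQL string literal.  It covers that context only:
    numeric contexts or other delimiters need their own handling.
    """
    return value.replace("'", "''")

def build_query_unescaped(name: str) -> str:
    # The problem the post describes: request data pasted straight into SQL text.
    return "SELECT id FROM users WHERE name = '" + name + "'"

def build_query_escaped(name: str) -> str:
    # The fix the post recommends: escape before concatenation.
    return "SELECT id FROM users WHERE name = '" + escape_sql_literal(name) + "'"

def make_db() -> sqlite3.Connection:
    # Constructed sample data; the second name contains an apostrophe on purpose.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn

def lookup(conn: sqlite3.Connection, sql: str, params=()):
    """Run a query and return the matching ids, or an error string if the
    SQL text itself is malformed (which is what a stray quote produces)."""
    try:
        return [row[0] for row in conn.execute(sql, params)]
    except sqlite3.Error as exc:
        return f"error: {exc}"

def demo(name: str = "O'Brien") -> dict:
    conn = make_db()
    return {
        # The apostrophe terminates the literal early and the statement fails.
        "unescaped": lookup(conn, build_query_unescaped(name)),
        # With the quote doubled the literal is intact and the row is found.
        "escaped": lookup(conn, build_query_escaped(name)),
        # Bound parameters never splice data into the SQL text at all.
        "parameterized": lookup(conn, "SELECT id FROM users WHERE name = ?", (name,)),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:14} -> {result}")
```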