Sunday 22 April 2007

ASP : Capturing SQL Injection attempts

if instr(Request.ServerVariables("QUERY_STRING"),"'") <> 0 THEN response.redirect "injectionattempt.asp?" & Request.ServerVariables("QUERY_STRING")
if instr(Request.ServerVariables("QUERY_STRING"),";") <> 0 THEN response.redirect "injectionattempt.asp?" & Request.ServerVariables("QUERY_STRING")
if instr(Request.ServerVariables("QUERY_STRING"),",") <> 0 THEN response.redirect "injectionattempt.asp?" & Request.ServerVariables("QUERY_STRING")

I use these lines at the top of pages that pass variables via the query string (the URL itself). They search for ', , and ;, which are characters that could break an SQL query and enable someone to add a command to the SQL being executed.

By calling injectionattempt.asp in this way I can capture the event and send myself an email letting me know this has occurred.
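As an added example (not code from the original post), the following Python re-creates the three instr() checks and puts beside them what a practitioner would want next to such a rule: the same test run after URL-decoding, since QUERY_STRING reaches the page still percent-encoded and the raw check only sees a literal quote; positive per-parameter validation, which accepts a legitimate apostrophe in a surname that the blacklist flags; and a parameterised query, which makes the flagged characters harmless because they are bound as data. The products table, the id/page/name schema and every query string below are constructed for the demonstration.

```python
import sqlite3
from urllib.parse import parse_qsl, unquote_plus

# The three characters the original post searches for with instr().
SUSPECT_CHARS = ("'", ";", ",")


def raw_check(raw_query_string):
    """Mirror of the post's instr() tests on the raw QUERY_STRING.
    Returns the suspect characters found (empty list means no redirect)."""
    return [c for c in SUSPECT_CHARS if c in raw_query_string]


def decoded_check(raw_query_string):
    """Same test after URL-decoding. The raw QUERY_STRING is still
    percent-encoded when the page sees it, so decoding first lets the rule
    see the value the way the database would."""
    return [c for c in SUSPECT_CHARS if c in unquote_plus(raw_query_string)]


def validate_params(raw_query_string, schema):
    """Positive validation: every parameter must be expected and must pass
    its validator; unknown names are rejected. Returns (ok, reasons)."""
    reasons = []
    for name, value in parse_qsl(raw_query_string, keep_blank_values=True):
        check = schema.get(name)
        if check is None:
            reasons.append("unexpected parameter %r" % name)
        elif not check(value):
            reasons.append("parameter %r rejected: %r" % (name, value))
    return (not reasons, reasons)


# Hypothetical schema for a page that accepts ?id=<digits>&page=<1..3>&name=<letters>.
SCHEMA = {
    "id": str.isdigit,
    "page": lambda v: v in ("1", "2", "3"),
    "name": lambda v: v.replace("'", "").isalpha(),  # allows O'Brien
}


def lookup_product(conn, product_id):
    """Parameterised query: the driver binds the value, so quotes, commas and
    semicolons in it never reach the SQL parser as syntax."""
    cur = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in cur.fetchall()]


def demo():
    """Run the checks over constructed query strings and return a summary
    dict so the behaviour can be asserted on rather than only printed."""
    samples = {
        "clean":       "id=42",
        "literal":     "id=42'",          # stray quote, visible to both checks
        "encoded":     "id=42%27",        # same quote, percent-encoded
        "legit_quote": "name=O%27Brien",  # a real surname, not an attack
    }
    results = {}
    for label, qs in samples.items():
        results[label] = {
            "raw": raw_check(qs),
            "decoded": decoded_check(qs),
            "schema_ok": validate_params(qs, SCHEMA)[0],
        }

    # Constructed in-memory table to show the bound value is treated as data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(42, "widget"), (43, "gadget")])
    results["param_query_with_quote"] = lookup_product(conn, "42'")  # no row matches
    results["param_query_clean"] = lookup_product(conn, 42)          # ['widget']
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Two points the output makes: the raw check misses the encoded sample while the decoded check catches it, and both checks flag O'Brien while the schema accepts it, so a redirect to an alert page on every match will produce false positives and is best treated as a signal rather than the control. The alert page itself receives attacker-controlled text in its own query string and should treat it as untrusted when it logs or emails it.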
