[thelist] Website Hacked?

Todd Richards todd at promisingsites.com
Wed May 28 21:53:13 CDT 2008

On Wednesday, May 28, 2008 7:38 PM, Chris Anderson wrote:
> That would obviously depend on language/platform being used. What are you
> using again (in case I can help)?

Classic ASP, so it looks like some of your examples were valid for me!  :)

> Actually, it would have been okay - if you used the cleansed integer.
> (i.e. the value of the string *after* it had been converted to an integer)
> For example, if you used Val(id) in ASP to see if that converts without
> error, it will convert "300;INJECTED SQL" as 300.
> If you then use id in the SQL it will append "300;INJECTED SQL".  If
> however you did the following:
>	cleanId = Val(id)
>	Query = "select this from that where id =" & cleanId 
> It would have been fine, because cleanId will only hold an integer 
> (If using a type-safe language, converting the id to an integer variable
> then using that would be even safer)

OK, that does make more sense to me.  I was "checking" the ID, but then
using the same ID and not the "clean" version of it.  Doh!

> It depends on language/platform on *how* but the safest way is to aim to
> handle all errors by showing the user a standard error page with NO
> information on it (except general stuff like "An error occurred, and the
> admin has been notified"). This page should be the same whatever the
> error (you might even wish to use a basic HTML file). The details of the
> error can be stored in logs (event logs, text files, etc) and/or emailed
> to someone (you, admin, etc)

ASP and IIS6.  I do use a custom 404 page that emails me the errors, which
is how I saw the attack happen.  But I need to look a little closer at how
it is handling the errors to make sure that nothing is being given up in the

Thanks again!
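As an added illustration (not code from anyone in this thread), here is the "use the cleansed integer, not the raw string" advice written out for Classic ASP / VBScript. It assumes an open ADODB.Connection named conn and the table/column names from the quoted query; VBScript has no Val(), so IsNumeric() and CLng() stand in for it, and a string such as "300;INJECTED SQL" is rejected outright rather than truncated to 300.

```vbscript
<%
Option Explicit
' Added example, not from the thread. Assumes an open ADODB.Connection
' named conn and the table/column names used in the quoted query.

' Returns the id as a Long, or -1 if the input is not a plain integer.
' IsNumeric("300;INJECTED SQL") is False; CLng() on a huge value raises
' Overflow, which is caught here. Negative ids are treated as invalid.
Function CleanId(rawId)
    CleanId = -1
    If IsNumeric(rawId) And InStr(rawId, ".") = 0 Then
        On Error Resume Next
        CleanId = CLng(rawId)
        If Err.Number <> 0 Then CleanId = -1
        On Error GoTo 0
    End If
End Function

Dim rawId, cleanId, query, rs
rawId = Request.QueryString("id")

' WRONG (the pattern described above): the id is checked, but the raw
' string is what reaches the database, so "300;INJECTED SQL" is executed.
' query = "select this from that where id = " & rawId

cleanId = CleanId(rawId)
If cleanId < 0 Then
    ' Generic response only; the reason stays in the server log, not the browser.
    Response.Status = "400 Bad Request"
    Response.Write "An error occurred, and the admin has been notified."
    Response.End
End If

' RIGHT: only the converted Long is ever concatenated, so the statement
' cannot change shape whatever the original string contained.
query = "select this from that where id = " & cleanId
Set rs = conn.Execute(query)
%>
```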

