QueryString Hacks - Possible Solution

Blog Date - 22 July 2021

When I look through the logs of my "hits", in amongst the endless search engines and data scrapers, it's common to see a web request like this...

   http://www.techsolus.co.uk/code.aspx?code=85'[0]

This happens A LOT. So much, in fact, that I believe these are bots. Various nefarious hacker types crawl the internet with bots (programs) that search for websites that use query strings. Once one is found, the bot adds some SQL injection type of code and monitors the response. If the response produces an error or similar, I imagine this gets flagged up to the hacker, who will then investigate further.

SQL injection can be the weak point of many a hobby-level coder or inexperienced professional (don't ask me how I know...). There are many ways to negate SQL injection, but if you're not a bona fide, living-in-a-cellar, surrounded-by-monitors, tinfoil-hat-wearing uber coder, here's my handy tip.

If it is at all possible - use only integer numbers in your query strings.

Why? Because any kind of SQL injection that I'm aware of requires non-numeric characters. That's why. 

As such it is quite a simple task to test, BEFORE any other code has run, that the query string is a number and nothing else at all. If the query string is a number then carry on processing your code. If it is not a number then send the user to an error page, put up an error, show a default something, but don't process the rest of your code.

Visual Basic (VB) has a lovely simple command to check a string is a number and nothing else... IsNumeric

   'IsNumeric is True for anything VB can convert to a number, so it also
   'accepts decimals, signs and exponents such as "-3.5" or "1e5": it is a
   '"number" test rather than a "digits only" test.
   if IsNumeric(request("id")) then
      'run your code
   else
      'do NOT run your code
   end if

Regrettably IsNumeric is NOT available in C#. WHY!! Why would this be so?!? Gosh darn it Microsoft, just port the code, it can't be that complicated surely (don't call me Shirley). Once you've gotten over MS's faux pas you'll work out that you can create your own code.

The simplest starting point would be to try to turn the query string into an integer. If C# manages this then we can presume it is a number. If not, you can "catch" the error and send the code to the error page or whatnot.

        try
        {
            //Convert.ToInt32 throws FormatException for "85'[0]" and
            //OverflowException for values that don't fit an Int32. Note that
            //it returns 0 (no exception) when Request["id"] is missing (null).
            Int32 MyInt = Convert.ToInt32(Request["id"]);
            //This is good, carry on
        }
        catch
        {
            //This is bad, redirect the user elsewhere
        }

And that will do it. 

But before you implement this code, spare a moment. Try/catch was never really designed to be used like this. Try/catch is sort of a safety net for occasional use, not a means of testing whether you're being hacked.

If you're creating a small blog (like this) then it's fine. If you're creating a massive corporate online portal then try/catch has an overhead in processing: every bad request that throws costs far more than a plain check. It will slow the code down and stress the server. That's a massive oversimplification but, err, kinda right.

Regex is the devil's own creation. I don't think Regex experts, or even the people who write the Regex standards, actually understand the format entirely. It's like the Dark Arts, created by Voldemort and maintained by Men in Black. But, in spite of its fiercely complex structure it is, regrettably, useful.

We can use the evil of Regex to ensure a string contains only numbers, thus...

using System.Text.RegularExpressions;

.............

        //Request["id"] is null when the parameter is missing, and Regex.IsMatch
        //throws on null, so fall back to "" which the pattern rejects.
        if (Regex.IsMatch(Request["id"] ?? "", "^[0-9]+$"))
        {
            //This is good, carry on
        }
        else
        {
            //This is bad, redirect the user elsewhere
        }

The Regex part (^[0-9]+$) is about the simplest case of Regex you can find: ^ is the start of the string, [0-9]+ is one or more digits, and $ is the end. I'm not going to try and explain it further because, well, you know, errrr... I'd be guessing. Anyhoooooo. This will work and ensure the query string only contains digits.
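As an added example (my code, not the post's) that covers both the try/catch and the Regex approaches above: one helper using int.TryParse with NumberStyles.None rejects whitespace, signs, exponents, empty and missing (null) values and overflow in a single call, with no exception thrown on bad input, and the validated integer is then handed to the database as a parameter rather than glued into the SQL text. The connection string, the Pages table and its Id and Body columns are assumed placeholders; SqlConnection and SqlCommand come from System.Data.SqlClient.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class QueryStringGuard
{
    // Accept only an unsigned run of ASCII digits that fits in an Int32.
    // NumberStyles.None forbids leading/trailing whitespace, signs, thousands
    // separators, decimals and exponents. A null string (parameter missing)
    // returns false, unlike Convert.ToInt32(null), which silently returns 0.
    public static bool TryGetId(string raw, out int id)
    {
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out id);
    }

    // Even with a validated integer, bind it as a typed parameter so the
    // database never interprets request text as SQL. Returns null when the
    // id is invalid; the caller redirects to the error page in that case.
    // Table and column names are assumed placeholders.
    public static string LoadPageBody(string connectionString, string rawId)
    {
        if (!TryGetId(rawId, out int id))
        {
            return null;
        }

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT Body FROM Pages WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs: the first is the request from the post's
        // logs, the rest are edge cases that Convert.ToInt32 or ^[0-9]+$
        // treat differently from a strict digits-only check.
        string[] samples = { "85'[0]", "85", " 85 ", "-85", "+85", "1e5", "85\n", "", null, "99999999999" };
        foreach (string s in samples)
        {
            bool ok = TryGetId(s, out int id);
            string shown = s == null ? "<null>" : "\"" + s.Replace("\n", "\\n") + "\"";
            Console.WriteLine("{0,-18} -> {1}", shown, ok ? "ok, id=" + id : "reject");
        }
    }
}
```

Of the samples only "85" is accepted; " 85 ", "+85" and "85\n" would have passed Convert.ToInt32 (and "85\n" also passes ^[0-9]+$, because in .NET $ matches before a final newline), so TryParse with NumberStyles.None is the closest thing to the "a number and nothing else" rule the post asks for.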

So that's it, problem solved!! Nope. Well, kinda. If, like this website, each page has an ID and that ID is a number, great. But before you go thinking you're safe: if your page has any other inputs, like the comments section on this page, those are also at risk of SQL injection.

That's for another day.


Go on, g'iz a job, I can do dat... ren@techsolus.co.uk
