January 31st, 2013, 10:54 PM
How to solve cross-site scripting and sql injection
I am having an issue with cross-site scripting and SQL injection, which shows up like below:
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe18a"><script>alert(1)</script>f999db65582 was submitted in the t parameter. This input was echoed unmodified in the application's response.
The script that I have is as follows:
If Len(t) = 0 Then t = "CM"
The question is, in order to encode the above line, should it be:
If Len(Server.HTMLEncode(t)) = 0 Then t = "CM"
or
If Len(t) = 0 Then Replace(Server.HTMLEncode(t)) = "CM"
Which line is the right way to correct the cross-site scripting?
2. SQL Injection
The t parameter appears to be vulnerable to SQL injection attacks. The payloads (select%201) and (select%201%2c2) were each submitted in the t parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
A difference arising from these two subqueries often indicates that user input is being incorporated into an "order by" clause, although other explanations may apply.
I have the following SQL in my ASP Classic page with parameter "t":
rs.Open "SELECT * FROM Nomination where type = '" & t & "' and Serial_No is not null", conn, 1, 3
How shall I correct the above line to remove the SQL injection?
Please, can anyone give me any advice or ideas on these?
Thanks in advance.
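As an added example, not code from the original post, here is one way to handle the t parameter in Classic ASP that addresses both scanner findings together. It keeps the If Len(t) = 0 Then t = "CM" default exactly as written, passes t to the query as an ADODB parameter instead of concatenating it into the SQL string, and applies Server.HTMLEncode only at the point where the value is written into the double-quoted HTML attribute. The table and column names (Nomination, type, Serial_No) and the default "CM" come from the question; the connection string held in Application("ConnString"), the hidden-input markup, the 50-character parameter size and the Request.QueryString source are assumptions for the example.

```vbscript
<% Option Explicit %>
<%
' Added example (not the original poster's code): hardened handling of "t".

Dim t, conn, cmd, rs

' Read the parameter (assumption: it arrives on the query string).
t = Request.QueryString("t")

' 1. The default logic stays as in the question. Encoding does not belong
'    here: HTMLEncode is an output step, not an input-validation step, and
'    the Len check must run on the raw value.
If Len(t) = 0 Then t = "CM"

' 2. SQL injection fix: the value never becomes part of the SQL text.
'    It is bound as a parameter, so quotes or subqueries in t are plain data.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' assumption: connection string kept in Application state

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                   ' adCmdText
cmd.CommandText = "SELECT * FROM Nomination WHERE type = ? AND Serial_No IS NOT NULL"
' adVarWChar = 202, adParamInput = 1; 50 is an assumed width for the type column
cmd.Parameters.Append cmd.CreateParameter("type", 202, 1, 50, t)

' Same cursor/lock options as the original rs.Open call (adOpenKeyset, adLockOptimistic).
' When the source is a Command object the ActiveConnection argument is left empty.
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open cmd, , 1, 3
%>

<!-- 3. XSS fix: encode at the point of output, inside the quoted attribute.
     Server.HTMLEncode turns " into &quot; and < into &lt;, so the
     fe18a"><script>... payload cannot close the attribute or start a tag. -->
<input type="hidden" name="t" value="<%= Server.HTMLEncode(t) %>">

<%
rs.Close
Set rs = Nothing
Set cmd = Nothing
conn.Close
Set conn = Nothing
%>
```

Neither of the two candidate lines in the question changes what reaches the browser or the database: wrapping t in Server.HTMLEncode inside the Len test only affects the comparison, and the raw t is still echoed into the attribute and concatenated into the query. The separation above is the general pattern: keep the stored and compared value raw, bind it as a parameter for SQL, and encode it for whichever output context it lands in (HTML attribute here).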