Good way to sanitize input in classic asp

security asp-classic sanitization
Sander Versluys picture Sander Versluys · Jan 14, 2009 · Viewed 12.2k times · Source

I have to update old projects at work. I do not have any experience with classic asp, although i'm familiar with php scripting.

  • Are there any functions I should use?
  • Can you provide me with a good function for some basic protection?
  • Is there something like a parameterized query in asp?

Thanks!

Answer

Flory picture Flory · Jan 14, 2009

Yes you can use parametrized queries in classic ASP (more accurately, classic ADO).

Here is a link.

As for encoding output, I might be tempted to create a wrapper for the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing as I spend much more time in .Net, so I only think this would work.

Server.HTMLEncode is really not good enough, as it only blacklists a few encoding characters. The Anti-XSS library is much better as it whitelists what is acceptable.

Related questions

Classic ASP SQL Injection Protection

What is a strong way to protect against sql injection for a classic asp app? FYI I am using it with an access DB. (I didnt write the app)

Read More
How exactly do you configure httpOnly Cookies in ASP Classic?

I'm looking to implement httpOnly in my legacy ASP classic sites. Anyone knows how to do it?

Read More
Anti XSS and Classic ASP

I'm currently trying to secure my classic ASP application from XSS. I came across the AntiXSS from Microsoft on the net and I was wondering if this would work with a classic application? If not do you have any ideas …

Read More