SQL INJECTION TRUTHS: September 2012

Thursday 13 September 2012

Java Script Calendar Control in ASP

Java Script Calendar Control in ASP
------------------------------------------------------------------------------------------------------------------
Use the following code in ASP Page

<link href="css/CalendarControl.css" rel="stylesheet" type="text/css">

<input name="txtdate" type="text" id="txtdate" value="<%=Date%>" onclick="showCalendarControl(this);" readonly="">

------------------------------------------------------------------------------------------------------------------
Include the following Java script code

function positionInfo(object) {

var p_elm = object;

this.getElementLeft = getElementLeft;
function getElementLeft() {
var x = 0;
var elm;
if(typeof(p_elm) == "object"){
elm = p_elm;
} else {
elm = document.getElementById(p_elm);
}
while (elm != null) {
x+= elm.offsetLeft;
elm = elm.offsetParent;
}
return parseInt(x);
}

this.getElementWidth = getElementWidth;
function getElementWidth(){
var elm;
if(typeof(p_elm) == "object"){
elm = p_elm;
} else {
elm = document.getElementById(p_elm);
}
return parseInt(elm.offsetWidth);
}

this.getElementRight = getElementRight;
function getElementRight(){
return getElementLeft(p_elm) + getElementWidth(p_elm);
}

this.getElementTop = getElementTop;
function getElementTop() {
var y = 0;
var elm;
if(typeof(p_elm) == "object"){
elm = p_elm;
} else {
elm = document.getElementById(p_elm);
}
while (elm != null) {
y+= elm.offsetTop;
elm = elm.offsetParent;
}
return parseInt(y);
}

this.getElementHeight = getElementHeight;
function getElementHeight(){
var elm;
if(typeof(p_elm) == "object"){
elm = p_elm;
} else {
elm = document.getElementById(p_elm);
}
return parseInt(elm.offsetHeight);
}

this.getElementBottom = getElementBottom;
function getElementBottom(){
return getElementTop(p_elm) + getElementHeight(p_elm);
}
}

function CalendarControl() {

var calendarId = 'CalendarControl';
var currentYear = 0;
var currentMonth = 0;
var currentDay = 0;

var selectedYear = 0;
var selectedMonth = 0;
var selectedDay = 0;

var months = ['January','February','March','April','May','June','July','August','September','October','November','December'];
var dateField = null;

function getProperty(p_property){
var p_elm = calendarId;
var elm = null;

if(typeof(p_elm) == "object"){
elm = p_elm;
} else {
elm = document.getElementById(p_elm);
}
if (elm != null){
if(elm.style){
elm = elm.style;
if(elm[p_property]){
return elm[p_property];
} else {
return null;
}
} else {
return null;
}
}
}

function setElementProperty(p_property, p_value, p_elmId){
var p_elm = p_elmId;
var elm = null;

if(typeof(p_elm) == "object"){
elm = p_elm;
} else {
elm = document.getElementById(p_elm);
}
if((elm != null) && (elm.style != null)){
elm = elm.style;
elm[ p_property ] = p_value;
}
}

function setProperty(p_property, p_value) {
setElementProperty(p_property, p_value, calendarId);
}

function getDaysInMonth(year, month) {
return [31,((!(year % 4 ) && ( (year % 100 ) || !( year % 400 ) ))?29:28),31,30,31,30,31,31,30,31,30,31][month-1];
}

function getDayOfWeek(year, month, day) {
var date = new Date(year,month-1,day)
return date.getDay();
}

this.clearDate = clearDate;
function clearDate() {
dateField.value = '';
hide();
}

this.setDate = setDate;
function setDate(year, month, day) {
if (dateField) {
if (month < 10) {month = month;}
if (day < 10) {day = day;}

var dateString = month+"/"+day+"/"+year;
dateField.value = dateString;
hide();
}
return;
}

this.changeMonth = changeMonth;
function changeMonth(change) {
currentMonth += change;
currentDay = 0;
if(currentMonth > 12) {
currentMonth = 1;
currentYear++;
} else if(currentMonth < 1) {
currentMonth = 12;
currentYear--;
}

calendar = document.getElementById(calendarId);
calendar.innerHTML = calendarDrawTable();
}

this.changeYear = changeYear;
function changeYear(change) {
currentYear += change;
currentDay = 0;
calendar = document.getElementById(calendarId);
calendar.innerHTML = calendarDrawTable();
}

function getCurrentYear() {
var year = new Date().getYear();
if(year < 1900) year += 1900;
return year;
}

function getCurrentMonth() {
return new Date().getMonth() + 1;
}

function getCurrentDay() {
return new Date().getDate();
}

function calendarDrawTable() {

var dayOfMonth = 1;
var validDay = 0;
var startDayOfWeek = getDayOfWeek(currentYear, currentMonth, dayOfMonth);
var daysInMonth = getDaysInMonth(currentYear, currentMonth);
var css_class = null; //CSS class for each day

var table = "<table cellspacing='0' cellpadding='0' border='0'>";
table = table + "<tr class='header'>";
table = table + " <td colspan='2' class='previous'><a href='javascript:changeCalendarControlMonth(-1);'><</a> <a href='javascript:changeCalendarControlYear(-1);'>«</a></td>";
table = table + " <td colspan='3' class='title'>" + months[currentMonth-1] + "<br>" + currentYear + "</td>";
table = table + " <td colspan='2' class='next'><a href='javascript:changeCalendarControlYear(1);'>»</a> <a href='javascript:changeCalendarControlMonth(1);'>></a></td>";
table = table + "</tr>";
table = table + "<tr><th>S</th><th>M</th><th>T</th><th>W</th><th>T</th><th>F</th><th>S</th></tr>";

for(var week=0; week < 6; week++) {
table = table + "<tr>";
for(var dayOfWeek=0; dayOfWeek < 7; dayOfWeek++) {
if(week == 0 && startDayOfWeek == dayOfWeek) {
validDay = 1;
} else if (validDay == 1 && dayOfMonth > daysInMonth) {
validDay = 0;
}

if(validDay) {
if (dayOfMonth == selectedDay && currentYear == selectedYear && currentMonth == selectedMonth) {
css_class = 'current';
} else if (dayOfWeek == 0 || dayOfWeek == 6) {
css_class = 'weekend';
} else {
css_class = 'weekday';
}

table = table + "<td><a class='"+css_class+"' href=\"javascript:setCalendarControlDate("+currentYear+","+currentMonth+","+dayOfMonth+")\">"+dayOfMonth+"</a></td>";
dayOfMonth++;
} else {
table = table + "<td class='empty'> </td>";
}
}
table = table + "</tr>";
}

table = table + "<tr class='header'><th colspan='7' style='padding: 3px;'><a href='javascript:clearCalendarControl();'>Clear</a> | <a href='javascript:hideCalendarControl();'>Close</a></td></tr>";
table = table + "</table>";

return table;
}

this.show = show;
function show(field) {
can_hide = 0;

// If the calendar is visible and associated with
// this field do not do anything.
if (dateField == field) {
return;
} else {
dateField = field;
}

if(dateField) {
try {
var dateString = new String(dateField.value);
var dateParts = dateString.split("-");

selectedMonth = parseInt(dateParts[0],10);
selectedDay = parseInt(dateParts[1],10);
selectedYear = parseInt(dateParts[2],10);
} catch(e) {}
}

if (!(selectedYear && selectedMonth && selectedDay)) {
selectedMonth = getCurrentMonth();
selectedDay = getCurrentDay();
selectedYear = getCurrentYear();
}

currentMonth = selectedMonth;
currentDay = selectedDay;
currentYear = selectedYear;

if(document.getElementById){

calendar = document.getElementById(calendarId);
calendar.innerHTML = calendarDrawTable(currentYear, currentMonth);

setProperty('display', 'block');

var fieldPos = new positionInfo(dateField);
var calendarPos = new positionInfo(calendarId);

var x = fieldPos.getElementLeft();
var y = fieldPos.getElementBottom();

setProperty('left', x + "px");
setProperty('top', y + "px");

if (document.all) {
setElementProperty('display', 'block', 'CalendarControlIFrame');
setElementProperty('left', x + "px", 'CalendarControlIFrame');
setElementProperty('top', y + "px", 'CalendarControlIFrame');
setElementProperty('width', calendarPos.getElementWidth() + "px", 'CalendarControlIFrame');
setElementProperty('height', calendarPos.getElementHeight() + "px", 'CalendarControlIFrame');
}
}
}

this.hide = hide;
function hide() {
if(dateField) {
setProperty('display', 'none');
setElementProperty('display', 'none', 'CalendarControlIFrame');
dateField = null;
}
}

this.visible = visible;
function visible() {
return dateField
}

this.can_hide = can_hide;
var can_hide = 0;
}

var calendarControl = new CalendarControl();

function showCalendarControl(textField) {
// textField.onblur = hideCalendarControl;
calendarControl.show(textField);
}

function clearCalendarControl() {
calendarControl.clearDate();
}

function hideCalendarControl() {
if (calendarControl.visible()) {
calendarControl.hide();
}
}

function setCalendarControlDate(year, month, day) {
calendarControl.setDate(year, month, day);
}

function changeCalendarControlYear(change) {
calendarControl.changeYear(change);
}

function changeCalendarControlMonth(change) {
calendarControl.changeMonth(change);
}

document.write("<iframe id='CalendarControlIFrame' src='javascript:false;' frameBorder='0' scrolling='no'></iframe>");
document.write("<div id='CalendarControl'></div>");

------------------------------------------------------------------------------------------------------------------
Include the following Css

#CalendarControlIFrame {
display: none;
left: 0px;
position: absolute;
top: 0px;
height: 200px;
width: 250px;
z-index: 50;
}

#CalendarControl {
position:absolute;
background-color:#FFF;
margin:0;
padding:0;
display:none;
z-index: 100;
}

#CalendarControl table {
font-family: arial, verdana, helvetica, sans-serif;
font-size: 8pt;
border-left: 1px solid #336;
border-right: 1px solid #336;
}

#CalendarControl th {
font-weight: normal;
}

#CalendarControl th a {
font-weight: normal;
text-decoration: none;
color: #FFF;
padding: 1px;
}

#CalendarControl td {
text-align: center;
}

#CalendarControl .header {
background-color: #336;
height:40px;
}

#CalendarControl .weekday {
background-color: #DDD;
color: #000;
}

#CalendarControl .weekend {
background-color: #FFC;
color: #000;
}

#CalendarControl .current {
border: 1px solid #339;
background-color: #336;
color: #FFF;
}

#CalendarControl .weekday,
#CalendarControl .weekend,
#CalendarControl .current {
display: block;
text-decoration: none;
border: 1px solid #FFF;
width: 2em;
}

#CalendarControl .weekday:hover,
#CalendarControl .weekend:hover,
#CalendarControl .current:hover {
color: #FFF;
background-color: #336;
border: 1px solid #999;
}

#CalendarControl .previous {
text-align: left;
}

#CalendarControl .next {
text-align: right;
}

#CalendarControl .previous,
#CalendarControl .next {
padding: 1px 3px 1px 3px;
font-size: 1.4em;
}

#CalendarControl .previous a,
#CalendarControl .next a {
color: #FFF;
text-decoration: none;
font-weight: bold;
}

#CalendarControl .title {
text-align: center;
font-weight: bold;
color: #FFF;
}

#CalendarControl .empty {
background-color: #CCC;
border: 1px solid #FFF;
}

.value { color:#333333; padding-left:5px; font-family:Arial, Helvetica, sans-serif; }

------------------------------------------------------------------------------------------------------------------

How to use FCK Editor in ASP

How to use FCK Editor in ASP
------------------------------------------------------------------------------------------------------
Download FCK Editor from the following Path

http://ckeditor.com/download

Change the following as per your requirement.

$Width = '100%';
$Height = '200';
$ToolbarSet = 'Default';



<%
' Automatically calculates the editor base path based on the _samples directory.
' This is usefull only for these samples. A real application should use something like this:
' oFCKeditor.BasePath = '/fckeditor/' ; // '/fckeditor/' is the default value.
Dim sBasePath
sBasePath = Request.ServerVariables("PATH_INFO")
sBasePath = Left( sBasePath, InStrRev( sBasePath, "/news_add.asp" ) )
sBasePath="/fckeditor/"

Dim oFCKeditor
Set oFCKeditor = New FCKeditor
oFCKeditor.BasePath = sBasePath

If Request.QueryString("Toolbar") <> "" Then
oFCKeditor.ToolbarSet = Server.HTMLEncode( Request.QueryString("Toolbar") )
End If

oFCKeditor.Value = ""
oFCKeditor.Create "FCKeditor1"
%>
------------------------------------------------------------------------------------------------------

Creating RSS Feed in ASP

Creating RSS Feed in ASP
-----------------------------------------------------------------------------------------------------------
<%
Function ApplyXMLFormatting(strInput)
'strInput = Replace(strInput,"&", "&")
'strInput = Replace(strInput,"'", "'")
'strInput = Replace(strInput,"""", """)
'strInput = Replace(strInput, ">", ">")
'strInput = Replace(strInput,"<","<")
strInput = Replace(strInput," "," ")
strInput = Replace(strInput,"&", " ")
strInput = Replace(strInput,"", " ")
strInput = Replace(strInput,"""", " ")
strInput = Replace(strInput, "<p>", " ")
strInput = Replace(strInput,"</p>"," ")
strInput = Replace(strInput, "<P>", " ")
strInput = Replace(strInput,"</P>"," ")
strInput = Replace(strInput,"?","")
strInput = Replace(strInput,"<P align=left>"," ")
ApplyXMLFormatting = strInput
End Function
Function dateTimeToRFC1123(dt_dateTime)
dim a_shortDay, a_shortMonth
dt_dateTime = dateAdd ("N", server.createObject ("WScript.Shell").regRead ("HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias") , dt_dateTime)
a_shortDay = array ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
a_shortMonth = array ("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
dateTimeToRFC1123 = a_shortDay (weekDay (dt_dateTime) - 1) & ","
dateTimeToRFC1123 = dateTimeToRFC1123 & " " & right ("0" & day (dt_dateTime) , 2) & " " & a_shortMonth (month (dt_dateTime) - 1) & " " & year (dt_dateTime)
dateTimeToRFC1123 = dateTimeToRFC1123 & " " & right ("0" & hour (dt_dateTime) , 2) & ":" & right ("0" & minute (dt_dateTime) , 2) & ":" & right ("0" & second (dt_dateTime) , 2) & " GMT"
End Function

dim fs,fname
set fs=Server.CreateObject("Scripting.FileSystemObject")
dim path
path="C:\xmlpath\rss.xml"

set fname=fs.CreateTextFile(path,true)

fname.write("<?xml version='1.0' encoding='UTF-8' standalone='yes'?>")
fname.write("<?xml-stylesheet href='http://sitename/rss.css' type='text/css'?>")
fname.write("<rss version='2.0'>")
fname.write("<channel>")
fname.write("<title>"&Sitename&" RSS</title>")
fname.write("<link>http://"&Sitename&"/</link>")
fname.write("<description>RSS for the "&Sitename&" community.</description>")
fname.write("<pubDate>"& dateTimeToRFC1123(now()) &"</pubDate>")
fname.write("<lastBuildDate>"& dateTimeToRFC1123(now()) &"</lastBuildDate>")
fname.write("<generator>SITE NAME RSS Generator 2.00</generator>")
fname.write("<language>en-us</language>")
fname.write("<image>")
fname.write("<link>http://"&Sitename&"/</link>")
fname.write("<title>SITE NAME TITLE</title>")
fname.write("<url>http://www.sitename.com/images/image.gif</url>")
fname.write("</image>")
fname.write("<div class='info' xmlns='http://www.w3.org/1999/xhtml'>This is formatted XML site feed. It is intended to be viewed in an RSS or Atom Newsreader or syndicated to another site.<br /></div>")

fname.write("<item>")
fname.write("<link>http://"&Sitename&"/"& LINK &"</link>")
fname.write("<pubDate>"& dateTimeToRFC1123(now()) &"</pubDate>")
fname.write("<guid>http://"&Sitename&"/"& LINK &"</guid>")
fname.write("<title>" &Server.HTMLEncode(SUBJECT)& "</title>")
fname.write("<description>" &Server.HTMLEncode(TOTALDESCRIPTION)& "</description>")
fname.write("</item>")

fname.write("</channel>")
fname.write("</rss>")
%>
-----------------------------------------------------------------------------------------------------------

Wednesday 12 September 2012

Stored Procedure to Search a Specific Text in one DataBase

Stored Procedure to Search a Specific Text in one DataBase
------------------------------------------------------------------------------------------------------------
CREATE PROC [dbo].[SearchAllTables]
(
@SearchStr nvarchar(100)
)
AS
BEGIN

CREATE TABLE #Results (ColumnName nvarchar(370), ColumnValue nvarchar(3630))

SET NOCOUNT ON

DECLARE @TableName nvarchar(256), @ColumnName nvarchar(128), @SearchStr2 nvarchar(110)
SET @TableName = ''
SET @SearchStr2 = QUOTENAME('%' + @SearchStr + '%','''')

WHILE @TableName IS NOT NULL
BEGIN
SET @ColumnName = ''
SET @TableName =
(
SELECT MIN(QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME))
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE'
AND QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) > @TableName
AND OBJECTPROPERTY(
OBJECT_ID(
QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME)
), 'IsMSShipped'
) = 0
)

WHILE (@TableName IS NOT NULL) AND (@ColumnName IS NOT NULL)
BEGIN
SET @ColumnName =
(
SELECT MIN(QUOTENAME(COLUMN_NAME))
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA = PARSENAME(@TableName, 2)
AND TABLE_NAME = PARSENAME(@TableName, 1)
AND DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar')
AND QUOTENAME(COLUMN_NAME) > @ColumnName
)

IF @ColumnName IS NOT NULL
BEGIN
INSERT INTO #Results
EXEC
(
'SELECT ''' + @TableName + '.' + @ColumnName + ''', LEFT(' + @ColumnName + ', 3630)
FROM ' + @TableName + ' (NOLOCK) ' +
' WHERE ' + @ColumnName + ' LIKE ' + @SearchStr2
)
END
END
END

SELECT ColumnName, ColumnValue FROM #Results
END
------------------------------------------------------------------------------------------------------------
Execute the following Command to Search Specific Text

EXEC SearchAllTables '<script'

EXEC SearchAllTables '<a style'

EXEC SearchAllTables '<form'

UPDATE Table
SET column = replace(description, '<a style=position:absolute;left:-9999px;top:-99', '')
WHERE column LIKE '%<a style=position:absolute;left:-9999px;top:-99%';
------------------------------------------------------------------------------------------------------------

Convert text/HTML to Server-side Statements for E-mail sending in asp

Convert text/HTML to Server-side Statements for E-mail sending in asp
-------------------------------------------------------------------------------------------------------------------

You can convert text and HTML to server side statements for E-mail sending with one click

http://www.accessify.com/tools-and-wizards/developer-tools/response.right/

-------------------------------------------------------------------------------------------------------------------

Change 404 Error Page in IIS

How to Change 404 Error Page in IIS 6.0
-------------------------------------------------------------------------------------------------------------------

1) Windows - Go to Start - Run - Type "inetmgr" Then IIS will Open
2) Right Click on Website - Properties
3) Select CUSTOM Errors Tab
4) Click on HTTP Error 404
5) Edit - Message Type (File or URL) change the file type

Check The following Image

-------------------------------------------------------------------------------------------------------------------

download pdf file in ASP

Code for Downloading PDF file in ASP using ADODB Stream Object
-----------------------------------------------------------------------------------------------------------------
<%
Dim prvURL
prvURL="http://sqlinjectiontruths.blogspot.in/test.html"
prvURL=replace(prvURL,"http://","")
prvURL=replace(prvURL,Request.ServerVariables("HTTP_HOST"),"")

dim pdfURL
Select Case prvURL
Case "test.html"
pdfURL="test.pdf"
Case Else
Response.redirect("/")
End Select

Response.ContentType = "application/x-unknown" ' arbitrary
FPath = Server.MapPath(".")&"\documents\"&pdfURL
Response.AddHeader "Content-Disposition","attachment; filename="&pdfURL

Set adoStream = CreateObject("ADODB.Stream")
adoStream.Open()
adoStream.Type = 1
adoStream.LoadFromFile(FPath)
Response.BinaryWrite adoStream.Read()
adoStream.Close
Set adoStream = Nothing
%>
-------------------------------------------------------------------------------------------------------------------

Preventing SQL Injection Attacks in Classic ASP

Preventing SQL Injection Attacks in Classic ASP and SQL Injection tips for ASP 2.0

----------------------------------------------------------------------------------------------------------

Step1:

Include <% Option Explicit %> in all the pages, So that Hacker can not create variables without declaring

----------------------------------------------------------------------------------------------------------

Step2:

Client Side Java Script Validation is must, maxlength property should be placed in forms

Example:

function frmpostreq()

{

if(document.postreq.email.value=="")

{

alert("Please enter Email Address");

document.postreq.email.focus();

return false;

}

return true;

}

----------------------------------------------------------------------------------------------------------

Step3:

Server Side Validation is must,Check field length in asp pages

Example:

''' Email '''

if trim(Request.Form("emaill")) = "" then

Response.Write("Enter Email !")

Response.End

end if

''' Email '''

if len(Request.Form("emaill")) >50 then

Response.Write("Email ID value can not be greater than 50 characters")

Response.End

end if

----------------------------------------------------------------------------------------------------------

Step4:

Example:

form method="post" action="getval.asp" id="frm1" name="frm1"

Include the following Code in getval.asp page.

if Request.ServerVariables("HTTP_REFERER") = "" or ISEmpty(Request.ServerVariables("HTTP_REFERER")) Then

Response.write "Please Go To www.sqlinjectiontruths.blogspot.in/"

Response.end

End if

if instr(1, Request.ServerVariables("HTTP_REFERER"), "sqlinjectiontruths.blogspot.in", 1) > 0 Then

Else

Response.write "Please Go To www.sqlinjectiontruths.blogspot.in/"

Response.end

End if

----------------------------------------------------------------------------------------------------------

Step5:

Remember to kill the record set object, connection string object

set recordset=nothing

recordset.close

connectionstring.close

(or)

killobject(recordset)

killobject(connectionstring)

function killobject(obj)

if isobject(obj) then

IF obj.state = 1 THEN obj.close

End if

Set obj = Nothing

end function

----------------------------------------------------------------------------------------------------------

Step6:

Very Very Important Technique is Validate Numeric Query String Value with Cint (or) Isnumeric ASP Function

ID=CInt(trim(Request.QueryString("ID")))

or

ID=Isnumeric(trim(Request.QueryString("ID")))

----------------------------------------------------------------------------------------------------------

Step7:

Very Very Important Technique is Validate String Value with Replace ASP Function

When Request.Form Value is String

email=trim(Replace(CStr(Request.Form("email")), "'", "''"))

When Query String Value is String

ID=trim(Replace(CStr(Request.QueryString("ID")), "'", "''"))

----------------------------------------------------------------------------------------------------------

Step8:

Include the following code in all ASP Pages(especially in querystring pages)

Dim BlackList, ErrorPage, s, hackcode, matchstring

' "@",".inf",".html",".htm", ".pl", ".PL",".ini", "alter" can be included

BlackList = Array("+","ftp://", "INFORMATION_SCHEMA", "@@version","TABLE_NAME","replace(","replace%28",_

"sysobjects","syscolumns","syscomments","%20where%20","where+","dbo.",_

"TABLE_SCHEMA","ROUTINE_","READ_ONLY","charindex","OBJECT_","select * from",_

"nchar","varchar","nvarchar","char(","char%28","+char","%2Bchar","char+",_

"+set", "%2Bset","%20set","set+","fetch","kill",_

"cursor","declare ","declare+","declare%20","declare%2B","delete+","drop+",_

"drop view","drop view", "backup","update%20","update+","update ","update+",_

"DOCTYPE","<head", "meta","<title>","</title>","</head>", "<body>","%3Cscript","<script", "</script>",_

"</body>", "</html>","<form", "<div","</div>","<link","<a style","sp_",_

"primary key","foreign key","primary+key","foreign+key","foreign_key","primary_key",_

"where+","where%2Bjoin","where%20join","where ","inner join","inner+join","inner%2Bjoin","inner%20join",_

"exec+","exec%20","exec%2B","execute+","execute%20","execute%2B","exec ","execute ",_

"truncate+","truncate%20","truncate%2B","truncate ",_

"</table>","<tr","</tr>","<td","</td>","<table","%3Ctable","%3C%2Ftable",_

"create table","create%20table","create+table","create%2Btable","create view","create%20view","create+view","create%2Bview",_

"create trigger","create%20trigger","create+trigger","create%2Btrigger","create ","create%20","create+","create%2B",_

"insert into","insert%20into","insert+into","insert%2Binto",_

"cast+","%20cast%20","%3Dcast","=cast","cast(","cast%28",_

"alter+","alter%20","alter%28","alter%2B","alter ","alter(","alter table","alter%20table","alter view","alter view",_

".asp",".php",".jsp", ".LOG",".zip",".rar",".tar",".txt",".xml",".gzip","link=","url",_

"--",";","/*", "*/","@@","%40%40")

' Populate the error page you want to redirect to in case the

' check fails.

ErrorPage = "/ErrorPage.asp"

'Send mail to webmaster with Hack Code

Function SendEmail(hcode,matchstring)

'On Error Resume Next

hackcode = "Match String: " & matchstring & "<br />"

hackcode = hackcode & "HACK CODE: " & hcode & "<br />"

hackcode = hackcode & "URL: " & Request.ServerVariables("URL") & "<br />"

hackcode = hackcode & "IP ADDRESS: " & Request.ServerVariables("REMOTE_ADDR") & "<br />"

hackcode = hackcode & "You are browsing this site with: " & Request.ServerVariables("http_user_agent") & "<br />"

hackcode = hackcode & "The DNS lookup of the IP address: " & Request.ServerVariables("remote_host") & "<br />"

hackcode = hackcode & "HTTP HEADERS SENT BY CLIENT: " & Request.ServerVariables("ALL_HTTP") & "<br />"

hackcode = hackcode & "ALL_RAW: " & Request.ServerVariables("ALL_RAW") & "<br />"

dim oMail, oMailConfig

Set oMail = Server.CreateObject("CDO.Message")

Set oMailConfig = Server.CreateObject ("CDO.Configuration")

oMailConfig.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "localhost"

oMailConfig.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25

oMailConfig.Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2

oMailConfig.Fields("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60

oMailConfig.Fields.Update

Set oMail.Configuration = oMailConfig

oMail.From = "from email address"

oMail.To = "to email address"

oMail.Subject = "Tried for entering hacking code - sqlinjectiontruths.blogspot.in"

oMail.HTMLBody = hackcode

oMail.Send

set oMail=nothing

End Function

'End Send mail to webmaster with Hack Code

'''''''''''''''''''''''''''''''''''''''''''''''''''

' This function does not check for encoded characters

' since we do not know the form of encoding your application

' uses. Add the appropriate logic to deal with encoded characters

' in here

'''''''''''''''''''''''''''''''''''''''''''''''''''

Function CheckStringForSQL(str)

On Error Resume Next

Dim lstr

' If the string is empty, return true

If ( IsEmpty(str) ) Then

CheckStringForSQL = false

Exit Function

ElseIf ( StrComp(str, "") = 0 ) Then

CheckStringForSQL = false

Exit Function

End If

lstr = LCase(str)

' Check if the string contains any patterns in our

' black list

For Each s in BlackList

If ( InStr (lstr, s) <> 0 ) Then

CheckStringForSQL = true

Exit Function

End If

CheckStringForSQL = false

End Function

'''''''''''''''''''''''''''''''''''''''''''''''''''

' Check forms data

'''''''''''''''''''''''''''''''''''''''''''''''''''

For Each s in Request.Form

If ( CheckStringForSQL(Request.Form(s)) ) Then

SendEmail Request.Form,s

' Redirect to an error page

Response.Redirect(ErrorPage)

End If

'''''''''''''''''''''''''''''''''''''''''''''''''''

' Check query string

'''''''''''''''''''''''''''''''''''''''''''''''''''

For Each s in Request.QueryString

If ( CheckStringForSQL(Request.QueryString(s)) ) Then

SendEmail Request.QueryString,s

' Redirect to error page

Response.Redirect(ErrorPage)

End If

'''''''''''''''''''''''''''''''''''''''''''''''''''

' Check cookies

'''''''''''''''''''''''''''''''''''''''''''''''''''

'For Each s in Request.Cookies

' If ( CheckStringForSQL(Request.Cookies(s)) ) Then

' GetSecureVal(Request.Cookies(s))

' ' SendEmail Request.Cookies,s

' ' Redirect to error page

' 'Response.Redirect(ErrorPage)

' End If

'Next

'''''''''''''''''''''''''''''''''''''''''''''''''''

' Check Secure Value

'''''''''''''''''''''''''''''''''''''''''''''''''''

Function GetSecureVal(param)

If IsEmpty(param) Or param = "" Then

GetSecureVal = param

Exit Function

End If

If IsNumeric(param) Then

GetSecureVal = trim(CLng(param))

Else

GetSecureVal = trim(Replace(CStr(param), "'", "''"))

End If

End Function

'''''''''''''''''''''''''''''''''''''''''''''''''''

' Add additional checks for input that your application

' uses. (for example various request headers your app

' might use)

'''''''''''''''''''''''''''''''''''''''''''''''''''

----------------------------------------------------------------------------------------------------------

Step9:

Instead of using "SA" as username for all the databases, Use different user names and different passwords for each databases
----------------------------------------------------------------------------------------------------------
Step10:

Use Stored Procedures, Instead of writing raw SQL queries on .asp pages
----------------------------------------------------------------------------------------------------------
Step11:

Keep your system up to date with the most recent cumulative update package for SQL Server Service Packs.
----------------------------------------------------------------------------------------------------------
Step12:

Use Captcha in all the forms in the website.(mandatory)
With Captcha, you can restrict SPAM Bots

Captca code in ASP -> http://sqlinjectiontruths.blogspot.in/2013/04/recaptcha-in-classic-asp.html
----------------------------------------------------------------------------------------------------------
Step13:
Decode Query String Values

Refer the URLS:
http://sqlinjectiontruths.blogspot.in/2013/03/asp-encode-decode-functions.html
http://www.aspnut.com/reference/encoding.asp

http://msdn.microsoft.com/en-us/library/ms525813.aspx

Sending Fax with Classic ASP

Need to send a fax in ASP Classic
-------------------------------------------------------------------------------------------------------------------

The following Website Provides API for Classic ASP

www.interfax.net/en/dev/aspclassic
-------------------------------------------------------------------------------------------------------------------

Email Sending With Gmail, Google Apps in ASP 2.0

Email Sending With Gmail, Google Apps in ASP 2.0
------------------------------------------------------------------------------------------------------------
<%
'On Error Resume Next
Dim Subject, Body, SenderEmail, RecipientEmail, SMTPServer, SMTPusername, SMTPpassword
SenderEmail = "info@domain name.com"
SMTPserver = "smtp.gmail.com"
SMTPusername = "info@gmail.com"
'SMTPusername = "info@googleapps username.com" for google APPS
SMTPpassword = "PASSWORD"
'SMTPpassword = "PASSWORD" google APPS password
Subject = "Hello"
Body = "This is a test. Please ignore."
RecipientEmail= "email@domain name.com"

sch = "http://schemas.microsoft.com/cdo/configuration/"
Set cdoConfig = CreateObject("CDO.Configuration")
With cdoConfig.Fields
.Item(sch & "smtpauthenticate") = 1
.Item(sch & "smtpusessl") = True
.Item(sch & "smtpserver") = SMTPserver
.Item(sch & "sendusername") = SMTPusername
.Item(sch & "sendpassword") = SMTPpassword
.Item(sch & "smtpserverport") = 465
.Item(sch & "sendusing") = 2
.Item(sch & "connectiontimeout") = 100
.update
End With

'Const cdoSendUsingPickup = "c:\inetpub\mailroot\pickup"
Set cdoMessage = CreateObject("CDO.Message")
With cdoMessage
Set .Configuration = cdoConfig
cdoMessage.From = SenderEmail
cdoMessage.To = RecipientEmail
cdoMessage.Subject = Subject
cdoMessage.TextBody = Body
cdoMessage.Send
End With
Set cdoMessage = Nothing
Set cdoConfig = Nothing
If Err.Number <> 0 Then
Response.Write (Err.Description& "<br><br>")
end if
%>