DwZone Forum DwZone Forum
Welcome to the DwZone-it Forum
 
  FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups  
    RegisterRegister -->   LoginLogin  
Recordset Paging  
DwZone Forum Index -> Recordset Paging
.
Moderators: AdministratorsModerators 
Hint: For improved responsiveness, use Internet Explorer 4 (or above) with Javascript enabled, choose 'Dynamic' from the View dropdown and hit 'Set Options' to save your changes.
New Topic Search for
 View     Per page     Messages Since 
Messages 21 to 23 of 23 (Total: 23) First |  Prev |  Next |  Last  
 Subject Author Date  
   Which sql command to use for PHP  
View this persons public profile  SteBaWeb   5:16 7 Feb 2015  
   Re: Which sql command to use for PHP  
View this persons public profile  Gianluigi   10:41 7 Feb 2015  
    Cross Site Scripting Errors when running the code thru a Fortify Scan  
View this persons public profile  Crystal   10:08 24 Nov 2014  
 
The include file "dwzPaging.asp" has several vulnerabilities found during scanning by our IA Dept. They will not let me deploy the code until I fix it.
The problem is that the retStr and qString pass unvalidated data.

I have replaced some of the code with the following. I don't know if this will pass but if anyone has an idea on how to validate the query string that is passed, I would really appreciate it. It looks like the key is the query string.

private function GetQueryStringWithPage()

validretStr = "/MY PATH GOES HERE.asp"
retStr = request.ServerVariables("PATH_INFO")

If retStr <> validretStr Then
Response.Redirect("Invalid_Search.asp")
Else
retStr = request.ServerVariables("PATH_INFO")
end if

qString = ""

Dim validkey
validkey = "EventType"

for each validkey in request.QueryString

if not StartWith(validkey, "dwzpage" & instance) then
if qString <> "" then
qString = qString & "&"
end if

qString = qString & Server.URLEncode(validkey) & "=" & Server.URLEncode(Request.QueryString(validkey))

end if
next

retStr = retStr & "?"

if qString <> "" then
retStr = retStr & qString & "&"
end if
GetQueryStringWithPage = retStr

end function

Crystal
 
Reply to this current thread  View this persons public profile  Send Private Message
Last Visit: Sunday 24 Oct, 2021 2:37 pm First |  Prev |  Next |  Last  
 Login
Username:  Password:    
Read Message Read Message   Unread message Unread message
Read message [popular] Read message [popular]   Unread message [popular] Unread message [popular]
Read message [locked] Read message [locked]   Unread message [locked] Unread message [locked]
All times are GMT-2

Jump to: