Category Archives: Classic ASP

Classic ASP SQL injection prevention by using query parameters


Hello friends,

Recently I got a client email saying that his site was affected by malware and a Trojan virus. The Google Safe Browsing tool and other firewall security gateways were blocking some of the site's URLs.

The site was written in Classic ASP long ago by another company. When I looked into the file contents, no files had been modified. Normally, if hackers get the FTP details, they modify files and add some iframe code that loads other virus-infected sites. But that wasn't the case here, so it might be a case of SQL injection. When I looked into the database tables, I found some fields containing HTML code. That HTML code was loading other sites which were virus infected. Our site does not allow anyone to add/edit records, yet records had been modified. This was done by SQL injection through a query string parameter.

I looked into some of the pages and found a page that lists records, filtered by some condition and by a query string parameter.

In Classic ASP, most developers write an SQL query like the following:

sql = " SELECT * FROM table WHERE id = " & Request("id") 

Executing such a query opens an easy path for SQL injection: whatever arrives in the query string is pasted straight into the SQL text, so an attacker can append their own conditions (id=1 OR 1=1), pull rows from other tables with a UNION, or, on databases that accept several statements in one batch, add an UPDATE of their own. That is exactly how the records above were rewritten. We must validate the variables used in the SQL query and, above all, keep them out of the SQL text.

Fortunately, we can do this by adding parameters to the SQL query. Basically we need to create an ADODB Command object. A detailed example is shown below:

<%
' Requires the ADO constants (adCmdText, adInteger, adVarChar, adParamInput); see the note after this listing.
Dim conn, cmd, sql, rs

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Your connection string"

Set cmd = Server.CreateObject("ADODB.Command")
' The ? placeholders stand in for the values; the values themselves never become part of the SQL text.
sql = "SELECT * FROM table WHERE id = ? OR name LIKE ?"

cmd.ActiveConnection = conn
cmd.CommandText = sql
cmd.CommandType = adCmdText
cmd.CommandTimeout = 900
' Parameters bind by position: the first Append fills the first ?, the second Append the second ?.
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , Request("id"))
cmd.Parameters.Append cmd.CreateParameter("@name", adVarChar, adParamInput, 50, "%" & Request("name") & "%")

Set rs = cmd.Execute

' ... read the recordset here ...

rs.Close
Set rs = Nothing
Set cmd = Nothing
conn.Close
Set conn = Nothing
%>

Also note that when you append a parameter, the name is not important; the position is. The first ? is bound to the first parameter appended, the second ? to the second, and so on. Because the values travel as typed parameters rather than as SQL text, a query string such as id=1 OR 1=1 is treated as a value, not as a condition; and since @id is declared adInteger, ADO refuses a value that is not a whole number and raises a type error instead of running the query, so check Request("id") with IsNumeric first if you want to show a friendlier message. One caveat for the LIKE parameter: binding stops injection, but % and _ inside Request("name") still act as wildcards, so escape them if the search must be literal.

Please note that we have used some ADO constants here (adCmdText, adInteger, adVarChar, adParamInput). VBScript does not define them by itself, so you need to declare them somewhere: the standard adovbs.inc that ships with ADO defines all of them, so include it at the top of your page, or define just the ones you use.
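As an added example (not code from the original post), the following Python script reproduces the pattern above against an in-memory SQLite database so it can be run anywhere: the concatenated query from the page beside its parameterized and validated forms, the stacked-statement variant that explains how the client's records were rewritten, and the LIKE parameter with and without wildcard escaping. The table names, rows, hash and the iframe URL are constructed for illustration; SQLite's executescript() stands in for a database that runs several ';'-separated statements in one batch, as a SQL Server batch sent through ADO does.

```python
import sqlite3

# Constructed sample rows standing in for the client's tables (not data from the page).
PRODUCTS = [
    (1, "Widget", "A plain widget"),
    (2, "Gadget", "A plain gadget"),
    (3, "Gizmo", "A plain gizmo"),
]
USERS = [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99")]  # hash value is illustrative only

# Stacked-statement payload of the kind that rewrites records; the URL is hypothetical.
STACKED_PAYLOAD = "1; UPDATE products SET descr = '<iframe src=\"http://example.invalid/\"></iframe>'"


def make_db():
    """In-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The page's pattern: sql = "SELECT ... WHERE id = " & Request("id")."""
    sql = "SELECT id, name FROM products WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def run_vulnerable_batch(conn, raw_id):
    """Same concatenation through executescript(), which, like a batch sent to SQL Server
    by ADO, executes every ';'-separated statement it is handed."""
    conn.executescript("SELECT id, name FROM products WHERE id = " + raw_id)


def descr_of(conn, product_id):
    return conn.execute("SELECT descr FROM products WHERE id = ?", (product_id,)).fetchone()[0]


def lookup_parameterized(conn, raw_id):
    """Placeholder plus bound value: the database never sees raw_id as SQL text."""
    return conn.execute("SELECT id, name FROM products WHERE id = ?", (raw_id,)).fetchall()


def lookup_validated(conn, raw_id):
    """Check the shape first (the page's 'validate the variables'), then bind."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive whole number")
    return lookup_parameterized(conn, int(raw_id))


def search_by_name(conn, raw_name):
    """The page's second parameter: LIKE with a bound '%...%' pattern. Binding stops
    injection, but % and _ inside raw_name still act as wildcards."""
    pattern = "%" + raw_name + "%"
    return conn.execute("SELECT id, name FROM products WHERE name LIKE ?", (pattern,)).fetchall()


def search_by_name_literal(conn, raw_name):
    """Same search with % and _ in the input escaped so they match literally."""
    escaped = raw_name.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(
        "SELECT id, name FROM products WHERE name LIKE ? ESCAPE '\\'", ("%" + escaped + "%",)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1 OR 1=1"))                               # every product
    print(lookup_vulnerable(db, "0 UNION SELECT id, pw_hash FROM users"))  # another table
    run_vulnerable_batch(db, STACKED_PAYLOAD)
    print(descr_of(db, 2))                                                 # the iframe
    print(lookup_parameterized(db, "1 OR 1=1"))                            # []
    print(lookup_validated(db, "2"))                                       # [(2, 'Gadget')]
    print(search_by_name(db, "%"), search_by_name_literal(db, "%"))        # all rows vs []
```

Note that Python's own sqlite3.execute() refuses a string containing more than one statement, which is why the stacked payload goes through executescript() here; ADO against SQL Server needs no such help, and the bound-parameter versions return the same results whichever driver runs them.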

Calling the FedEx Rate Service from Classic ASP with a SOAP call


Hi Friends,

Last month I worked in Classic ASP. I had to prepare a Delivery Calendar.

I consumed a FedEx web service for Rate request.

It can also return delivery commitment details like the delivery date, time, day of the week, etc.

Basically what I needed was to call a web service using a SOAP call.

Many people find this difficult in Classic ASP, as FedEx does not give sample code for consuming their web service.

So I decided to post at least one web service call, so that you guys can get an idea of how to consume the FedEx web service in Classic ASP.

FedExCall.asp

<% option explicit %>
<!--#include file="FedexAccountInfo.asp"-->
<%
    Dim subscriberzip
    Dim subscribercountry
    Dim ShipmentDate
    Dim xmlReq
    Dim objhttp
    Dim outstr
    Dim NodeList
    Dim re

    subscriberzip = Request.QueryString("zip")
    subscribercountry = "US"
    ShipmentDate = Request.QueryString("date")

    ' Both query-string values are pasted into the XML below. Anything other than a
    ' 5-digit zip or a YYYY-MM-DD date would let a caller inject elements into the
    ' request, so reject it before building the envelope.
    Set re = New RegExp
    re.Pattern = "^\d{5}$"
    If Not re.Test(subscriberzip) Then Response.Write "Invalid zip." : Response.End
    re.Pattern = "^\d{4}-\d{2}-\d{2}$"
    If Not re.Test(ShipmentDate) Or Not IsDate(ShipmentDate) Then Response.Write "Invalid date (YYYY-MM-DD)." : Response.End

    xmlReq = "<?xml version=""1.0"" encoding=""UTF-8""?>" &_
    "<soapenv:Envelope xmlns:soapenv=""http://schemas.xmlsoap.org/soap/envelope/"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema"" xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"">" &_
    "<soapenv:Body>" &_
    "<RateRequest xmlns=""http://fedex.com/ws/rate/v9"">" &_
    "<WebAuthenticationDetail>" &_
    "<UserCredential>" &_
    "<Key>" & FedExkey & "</Key>" &_
    "<Password>" & FedExPassword & "</Password>" &_
    "</UserCredential>" &_
    "</WebAuthenticationDetail>" &_
    "<ClientDetail>" &_
    "<AccountNumber>" & FedExAccountNumber & "</AccountNumber>" &_
    "<MeterNumber>" & FedExMeterNumber & "</MeterNumber>" &_
    "</ClientDetail>" &_
    "<TransactionDetail>" &_
    "<CustomerTransactionId>TEST</CustomerTransactionId>" &_
    "</TransactionDetail>" &_
    "<Version>" &_
    "<ServiceId>crs</ServiceId>" &_
    "<Major>9</Major>" &_
    "<Intermediate>0</Intermediate>" &_
    "<Minor>0</Minor>" &_
    "</Version>" &_
    "<ReturnTransitAndCommit>1</ReturnTransitAndCommit>" &_
    "<CarrierCodes>FDXE</CarrierCodes>" &_
    "<VariableOptions>SATURDAY_DELIVERY</VariableOptions>" &_
    "<RequestedShipment>" &_
    "<ShipTimestamp>" & ShipmentDate & "T09:00:00-00:00</ShipTimestamp>" &_
    "<DropoffType>REGULAR_PICKUP</DropoffType>" &_
    "<PackagingType>YOUR_PACKAGING</PackagingType>" &_
    "<Shipper>" &_
    "<Address>" &_
    "<PostalCode>96790</PostalCode>" &_
    "<CountryCode>US</CountryCode>" &_
    "</Address>" &_
    "</Shipper>" &_
    "<Recipient>" &_
    "<Address>" &_
    "<PostalCode>" & subscriberzip & "</PostalCode>" &_
    "<CountryCode>US</CountryCode>" &_
    "</Address>" &_
    "</Recipient>" &_
    "<ShippingChargesPayment>" &_
    "<PaymentType>SENDER</PaymentType>" &_
    "<Payor>" &_
    "<AccountNumber>" & FedExAccountNumber & "</AccountNumber>" &_
    "<CountryCode>US</CountryCode>" &_
    "</Payor>" &_
    "</ShippingChargesPayment>" &_
    "<RateRequestTypes>LIST</RateRequestTypes>" &_
    "<PackageCount>1</PackageCount>" &_
    "<PackageDetail>INDIVIDUAL_PACKAGES</PackageDetail>" &_
    "<RequestedPackageLineItems>" &_
    "<SequenceNumber>1</SequenceNumber>" &_
    "<Weight>" &_
    "<Units>LB</Units>" &_
    "<Value>10.0</Value>" &_
    "</Weight>" &_
    "</RequestedPackageLineItems>" &_
    "</RequestedShipment>" &_
    "</RateRequest>" &_
    "</soapenv:Body>" &_
    "</soapenv:Envelope>"

    Set objHttp = Server.CreateObject("Msxml2.ServerXMLHTTP")

    'For live (the URL is a string and must be quoted)
    objHttp.open "POST", "https://gateway.fedex.com:443/web-services/rate", False

    'For test
    'objHttp.open "POST", "https://gatewaybeta.fedex.com:443/web-services/rate", False

    ' ServerXMLHTTP sets Host and Content-Length itself; a hand-written Host naming a
    ' different server than the URL only confuses the gateway, and the body is XML, not a GIF.
    objHttp.setRequestHeader "Content-Type", "text/xml; charset=utf-8"
    objHttp.setRequestHeader "Accept", "text/xml, */*"

    objHttp.Send xmlReq

    outstr = objHttp.responseText

    If Len(outstr) = 0 Then
        Response.Write "<br/> Error: Unable to communicate with the FedEx server. Please check your Internet connection.<br/>"
        Response.End
    End If

    Dim objDoc, i, j, sev
    Set objDoc = Server.CreateObject("Msxml2.DOMDocument.6.0")
    objDoc.async = False
    ' The reply is untrusted input: keep the parser from loading DTDs or external entities.
    objDoc.setProperty "ProhibitDTD", True
    objDoc.resolveExternals = False
    If Not objDoc.loadXML(outstr) Then
        Response.Write "Error: the FedEx reply is not well-formed XML:<br/>"
        Response.Write "<pre>" & Server.HTMLEncode(outstr) & "</pre>"
        Response.End
    End If

    ' Bind the v9 prefix for XPath so lookups do not depend on the prefix FedEx happens to emit.
    objDoc.setProperty "SelectionNamespaces", "xmlns:v9='http://fedex.com/ws/rate/v9'"

    Set sev = objDoc.selectSingleNode("//v9:HighestSeverity")
    If sev Is Nothing Then
        Response.Write "Error: no RateReply in the response (SOAP fault?):<br/>"
        Response.Write "<pre>" & Server.HTMLEncode(outstr) & "</pre>"
        Response.End
    End If
    Response.Write "Severity: " & Server.HTMLEncode(sev.text) & "<br/><br/>"

    Set NodeList = objDoc.selectNodes("//v9:RateReplyDetails")

    For i = 0 To NodeList.length - 1
        For j = 0 To NodeList(i).childNodes.length - 1
            Select Case NodeList(i).childNodes(j).baseName
                Case "ServiceType"
                    Response.Write "ServiceType: " & Server.HTMLEncode(Trim(NodeList(i).childNodes(j).text)) & "<br/>"
                Case "DeliveryDayOfWeek"
                    Response.Write "Day: " & Server.HTMLEncode(Trim(NodeList(i).childNodes(j).text)) & "<br/>"
                Case "DeliveryTimestamp"
                    ' xsd:dateTime such as 2012-03-06T10:30:00; Right(..., 8) would grab the zone offset when one is present
                    Response.Write "Date: " & Server.HTMLEncode(Left(Trim(NodeList(i).childNodes(j).text), 10)) & "<br/>"
                    Response.Write "Time: " & Server.HTMLEncode(Mid(Trim(NodeList(i).childNodes(j).text), 12, 8)) & "<br/>"
                Case "DestinationServiceArea"
                    Response.Write "Area: " & Server.HTMLEncode(Trim(NodeList(i).childNodes(j).text)) & "<br/><br/>"
            End Select
        Next
    Next

    ' Raw reply, encoded so the XML is displayed rather than interpreted by the browser
    Response.Write "<pre>" & Server.HTMLEncode(outstr) & "</pre>"
%>

Now run this page in your browser and you will see the response XML.
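As an added example in Python rather than ASP (not the author's code), the script below shows the two points that matter most when reusing the page above: the query-string values zip and date go straight into the XML text, so a crafted zip can add elements to the request, and the reply should be read by namespace rather than by the literal v9: prefix. It builds the same RateRequest elements with ElementTree, which escapes text, after validating both inputs, and parses a constructed sample reply; the credentials, the sample reply and the injection payload are made up for illustration.

```python
import datetime
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
RATE_NS = "http://fedex.com/ws/rate/v9"
NS = {"soapenv": SOAP_NS, "v9": RATE_NS}
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("v9", RATE_NS)

# Hypothetical credentials; the page reads the real ones from FedexAccountInfo.asp.
CREDS = {"key": "KEY", "password": "PASSWORD", "account": "123456789", "meter": "987654"}
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")


def build_request_unsafe(zip_code, ship_date):
    """The page's approach: query-string values concatenated into the XML text."""
    template = (
        '<RateRequest xmlns="{ns}"><RequestedShipment>'
        "<ShipTimestamp>{date}T09:00:00-00:00</ShipTimestamp>"
        "<Recipient><Address><PostalCode>{zip}</PostalCode>"
        "<CountryCode>US</CountryCode></Address></Recipient>"
        "</RequestedShipment></RateRequest>"
    )
    return template.format(ns=RATE_NS, date=ship_date, zip=zip_code)


def validate(zip_code, ship_date):
    """Reject anything that is not a US postal code or a real YYYY-MM-DD date."""
    if not ZIP_RE.match(zip_code):
        raise ValueError("zip must look like 96790 or 96790-1234")
    datetime.date.fromisoformat(ship_date)  # raises ValueError on a bad date


def build_request(zip_code, ship_date, creds=CREDS):
    """Validate, then build the envelope as a tree so every value is escaped as text."""
    validate(zip_code, ship_date)
    env = ET.Element(ET.QName(SOAP_NS, "Envelope"))
    body = ET.SubElement(env, ET.QName(SOAP_NS, "Body"))
    req = ET.SubElement(body, ET.QName(RATE_NS, "RateRequest"))
    fields = [
        ("WebAuthenticationDetail/UserCredential/Key", creds["key"]),
        ("WebAuthenticationDetail/UserCredential/Password", creds["password"]),
        ("ClientDetail/AccountNumber", creds["account"]),
        ("ClientDetail/MeterNumber", creds["meter"]),
        ("RequestedShipment/ShipTimestamp", ship_date + "T09:00:00-00:00"),
        ("RequestedShipment/Recipient/Address/PostalCode", zip_code),
        ("RequestedShipment/Recipient/Address/CountryCode", "US"),
    ]
    for path, text in fields:
        node = req
        for name in path.split("/"):  # create each element on the path once
            tag = "{%s}%s" % (RATE_NS, name)
            child = node.find(tag)
            if child is None:
                child = ET.SubElement(node, tag)
            node = child
        node.text = text
    return ET.tostring(env, encoding="unicode")


def recipient_address(xml_text):
    """(PostalCode, CountryCode) of the recipient as a receiving parser would read them."""
    addr = ET.fromstring(xml_text).find(".//v9:Recipient/v9:Address", NS)
    return (addr.findtext("v9:PostalCode", namespaces=NS),
            addr.findtext("v9:CountryCode", namespaces=NS))


# Constructed reply in the shape the page's parser expects (not a real FedEx response).
SAMPLE_REPLY = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><v9:RateReply xmlns:v9="http://fedex.com/ws/rate/v9">
<v9:HighestSeverity>SUCCESS</v9:HighestSeverity>
<v9:RateReplyDetails><v9:ServiceType>PRIORITY_OVERNIGHT</v9:ServiceType>
<v9:DeliveryTimestamp>2012-03-06T10:30:00</v9:DeliveryTimestamp><v9:DeliveryDayOfWeek>TUE</v9:DeliveryDayOfWeek></v9:RateReplyDetails>
<v9:RateReplyDetails><v9:ServiceType>FEDEX_2_DAY</v9:ServiceType>
<v9:DeliveryTimestamp>2012-03-07T16:30:00-05:00</v9:DeliveryTimestamp><v9:DeliveryDayOfWeek>WED</v9:DeliveryDayOfWeek></v9:RateReplyDetails>
</v9:RateReply></soapenv:Body></soapenv:Envelope>"""


def parse_rate_reply(xml_text):
    """Namespace-aware version of the page's getElementsByTagName("v9:...") loop."""
    root = ET.fromstring(xml_text)
    severity = root.findtext(".//v9:HighestSeverity", namespaces=NS)
    details = []
    for d in root.iterfind(".//v9:RateReplyDetails", NS):
        ts = d.findtext("v9:DeliveryTimestamp", default="", namespaces=NS)
        details.append({
            "service": d.findtext("v9:ServiceType", namespaces=NS),
            "day": d.findtext("v9:DeliveryDayOfWeek", namespaces=NS),
            "date": ts[:10],
            "time": ts[11:19],  # Right(ts, 8) would return the zone offset when one is present
        })
    return severity, details


if __name__ == "__main__":
    payload = "96790</PostalCode><CountryCode>CA</CountryCode><PostalCode>"
    print(recipient_address(build_request_unsafe(payload, "2012-03-05")))  # ('96790', 'CA')
    print(recipient_address(build_request("96790", "2012-03-05")))          # ('96790', 'US')
    print(parse_rate_reply(SAMPLE_REPLY))
```

With the concatenated builder the crafted zip changes the recipient's country as far as any XML parser is concerned; the tree builder rejects it outright and, even for a value that passed validation, would serialize angle brackets as entities. For a production parser of untrusted XML, prefer the defusedxml package over ElementTree's default parser.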