Anybody have any quick fix code to check for possible cross scripting in querystring values? We had an attack through a thirdparty control's code, so we had no way of trapping the querystring parameters. funny thing was only data in one of the tables we were using for auditting transactions was affected. rest of the data was left intact. I guess we were just lucky!!!!

take the values from the query string and parametrize them in the sql.

Anybody have any quick fix code to check for possible cross scripting in querystring values? We had an attack through a thirdparty control's code, so we had no way of trapping the querystring parameters. funny thing was only data in one of the tables we were using for auditting transactions was affected. rest of the data was left intact. I guess we were just lucky!!!!

arent you escaping the strings?

dont know how to do it in asp.net, but i know in PHP there are functions to do so. you may need to write your function to do it.

EDIT:

here http://msdn.microsoft.com/en-us/library/ms998271.aspx

did you guys put a page up without escaping the user input? jeeze, that's security 101.

you guys should read this:

http://www.acunetix.com/websitesecurity/