SQL Injection Defense Methods for Programmers

Source: Internet
Author: User
Tags: sql injection defense

SQL injection is now one of the most common ways websites get broken into, and some web programmers have started paying attention to it. But because they do not understand how the attack actually works, their filters either miss a character and leave the hole open, or they filter too much and reject legitimate input. If a user types I'm a boy into a form and gets back an error page, will he be willing to visit your site again? [Transferred from: Apsara design network www.feitec.com]

 

Below I introduce SQL injection defenses from the program's side. First, look at the three simplest SQL statements:

1. SQL = "select * from users where userid = " & Request("ID")

2. SQL = "select * from users where userid = '" & Request("ID") & "'"

3. SQL = "select * from users where username like '%" & Request("name") & "%'"

In the first statement the parameter is numeric, which is obvious. The second may be less clear: if the userid column is of type int, is the parameter numeric or string? In fact, to tell a numeric parameter from a string parameter you only need to look at whether the parameter is enclosed in single quotes in the SQL statement. The first statement has no single quotes, so its parameter is numeric; the second and third do, so their parameters are string (character) type, regardless of how the column itself is declared.

For numeric parameters the input is appended directly to the SQL statement and executed, so the only defense is to make sure the input really is a number; checking it with IsNumeric is sufficient. I also tried to terminate the parameter with a \0 byte, but none of those attempts got through. One caveat: IsNumeric is lenient and also accepts forms such as 1e3 or &HFF. They cannot break out of the statement, but if the column is an integer you may prefer a stricter digits-only check so that odd input is rejected cleanly instead of producing a database error.

For string parameters the entire input sits between a pair of single quotes and is treated as a constant. For example, if the input is 1 and 1=1 the statement contains userid = '1 and 1=1', and everything inside the quotes is still one constant. The only character that can end that range is the delimiter itself: the single quote. So for string parameters it is sufficient to handle the single quote, and the best way is to replace each single quote with two single quotes, because SQL defines '' inside a literal as one literal quote character. This keeps the user's input exactly as typed while keeping the statement intact.

The following two functions can be copied and called directly.

'---------------------------------------------------------------
' NB consortium anti-injection functions reqnum / reqstr
'---------------------------------------------------------------

' reqnum: read a numeric request parameter; abort the page if it is not numeric
Function reqnum(strname)
    reqnum = Request(strname)
    If Not IsNumeric(reqnum) Then
        Response.Write "parameter must be numeric!"
        Response.End
    End If
End Function

' reqstr: read a string request parameter, doubling every single quote so the
' value can never end the SQL literal it is placed in
Function reqstr(strname)
    reqstr = Replace(Request(strname), "'", "''")
End Function

Here is how the three statements above are rewritten to call them:

1. SQL = "select * from users where userid = " & reqnum("ID")

2. SQL = "select * from users where userid = '" & reqstr("ID") & "'"

3. SQL = "select * from users where username like '%" & reqstr("name") & "%'"
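The two helpers and the three call sites, carried into Python so they can be executed against a throwaway database. This is an added example, not the article's ASP code: req_num and req_str mirror reqnum and reqstr (req_num is stricter than VBScript's IsNumeric and accepts only an optional sign and digits), the users table and its rows are constructed sample data, SQLite stands in for SQL Server or Access, and unsafe_like is the unescaped form of the third statement, included only for contrast.

```python
import re
import sqlite3

# Constructed sample data (not from the article): a small users table so the
# assembled statements can really be executed. SQLite stands in for SQL Server.
USERS = [(1, "alice"), (2, "I'm a boy"), (3, "admin")]


def req_num(value):
    """Mirror of the article's reqnum for a numeric parameter. Stricter than
    VBScript's IsNumeric (which also accepts e.g. "1e3" or "&HFF"): only an
    optional sign and digits pass, so bad input is rejected before any SQL
    is built instead of producing a database error."""
    if not re.fullmatch(r"-?\d+", value):
        raise ValueError("parameter must be numeric!")
    return value


def req_str(value):
    """Mirror of the article's reqstr for a string parameter. Inside '...' the
    only character that can end the literal is the single quote; doubling it
    turns it into a literal quote, so the whole input stays constant data."""
    return value.replace("'", "''")


def safe_queries(user_id, name):
    """The article's three statements, assembled through the two helpers."""
    q1 = "select * from users where userid = " + req_num(user_id)
    q2 = "select * from users where userid = '" + req_str(user_id) + "'"
    q3 = "select * from users where username like '%" + req_str(name) + "%'"
    return q1, q2, q3


def unsafe_like(name):
    """The third statement without any escaping, kept only for contrast."""
    return "select * from users where username like '%" + name + "%'"


def run(sql):
    """Execute one statement against a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("create table users (userid integer, username text)")
        conn.executemany("insert into users values (?, ?)", USERS)
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def demo():
    """Legitimate input survives, string injection becomes harmless data,
    numeric injection is refused before it reaches the database."""
    results = {}
    results["legit_name"] = run(safe_queries("2", "I'm a boy")[2])
    results["numeric_lookup"] = run(safe_queries("3", "x")[0])
    payload = "' or '1'='1"
    results["unsafe_rows"] = len(run(unsafe_like(payload)))   # every row leaks
    results["safe_rows"] = len(run(safe_queries("2", payload)[2]))  # nothing
    try:
        safe_queries("1 or 1=1", "x")
        results["numeric_injection"] = "executed"
    except ValueError as exc:
        results["numeric_injection"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The apostrophe in I'm a boy is the whole point of the article's complaint: req_str doubles it, SQLite reads the doubled quote back as one character, and the LIKE still finds the row, while the same mechanism leaves the ' or '1'='1 payload as inert text inside the literal.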

One more point: the method above is applicable and secure for SQL Server and Access, and for any other database in which the single quote is the only way to end a string literal. SQL Server stored procedures are an exception when the procedure concatenates the parameter into a dynamic statement and executes it: the value is then unquoted twice, once in the EXEC call and once inside the procedure, so each single quote must be replaced with four single quotes to survive both levels. Two further caveats: on databases that also honor backslash escapes (MySQL in its default mode) the backslash must be handled as well, and the safest route on any database is to pass values as parameters (for example ADODB.Command with its Parameters collection) instead of building the statement as a string.
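Why four quotes: the value is unquoted twice, once when the server parses the EXEC call and again when the procedure's dynamic statement is executed. The simulation below is an added example, not code from the article. The procedure find_user and its concatenation of @name into @sql are hypothetical, escape_once and escape_for_dynamic_proc are the article's two replacement rules, and read_literal emulates only the quote-doubling rule of the SQL parser (no comments or other tokens).

```python
# Hypothetical procedure body (the article names no procedure): find_user
# concatenates its @name parameter into a statement it then executes.
DYNAMIC_PREFIX = "select * from users where username = "


def escape_once(value):
    """The article's reqstr rule: one quote becomes two."""
    return value.replace("'", "''")


def escape_for_dynamic_proc(value):
    """The article's rule for procedures that build dynamic SQL: one quote
    becomes four, so that one still survives after two rounds of unquoting."""
    return value.replace("'", "''''")


def read_literal(text):
    """Emulate how the server consumes a '...' literal: a doubled quote is a
    literal quote, a lone quote ends the literal. Returns (value, remainder);
    a non-empty remainder is text that escaped the literal."""
    if not text.startswith("'"):
        raise ValueError("expected a quoted literal")
    value, i = [], 1
    while i < len(text):
        if text[i] == "'":
            if text[i + 1:i + 2] == "'":
                value.append("'")
                i += 2
                continue
            return "".join(value), text[i + 1:]
        value.append(text[i])
        i += 1
    raise ValueError("unterminated literal")


def simulate(escaped_name):
    """Follow an escaped value through both layers and report what each saw."""
    # Layer 1: the ASP page runs  exec find_user '<escaped_name>'  and the
    # server unquotes the literal once to obtain the @name parameter.
    received, rest = read_literal("'" + escaped_name + "'")
    if rest:
        raise ValueError("input broke out of the EXEC call")
    # Layer 2: the hypothetical procedure builds @sql by plain concatenation,
    # so the literal is unquoted a second time when @sql is executed.
    dynamic_sql = DYNAMIC_PREFIX + "'" + received + "'"
    literal, trailing = read_literal(dynamic_sql[len(DYNAMIC_PREFIX):])
    return {"proc_received": received, "dynamic_sql": dynamic_sql,
            "literal": literal, "trailing": trailing}


if __name__ == "__main__":
    payload = "' or 1=1 --"   # constructed attacker input
    for label, escaped in (("doubled", escape_once(payload)),
                           ("quadrupled", escape_for_dynamic_proc(payload))):
        print(label, simulate(escaped))
```

With the value doubled only once, the procedure receives the raw quote back and the second layer sees an empty literal followed by or 1=1 --', so the condition and the comment marker execute as SQL. With four quotes, the procedure receives the doubled form and the dynamic statement contains exactly one literal with nothing trailing it.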
