SELF: exploits blog
Many websites filter the parameters submitted to their ASP pages with a check like this:
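' Only values that pass IsNumeric reach the SQL query
If IsNumeric(id) Then
    Response.Write "yes!"
    Call SQL_query(id)
Else
    ' Anything non-numeric is rejected before the database is touched
    Response.Write "Error id"
    Response.End
End If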
With this check, any non-numeric value is rejected with an error, whatever it contains. It is a very direct form of prevention: there seems to be no way to cause a database error, and so no way to learn the database type.
But we still have a method.
For example, suppose the ID is submitted to xxx.asp:
xxx.asp?id=1
We append more than 38 digits to the end, for example zeros:
xxx.asp?id=100000000...{"0" x38}
Now the ASP code above runs into an error when it executes SQL_query.
The error message is as follows:
Reference content:
Microsoft OLE DB Provider for SQL Server Error 80040e57
The number 100000000000000000000000000000000000000000000000000000000000000000 exceeds the value range (the maximum precision is 38 valid digits).
/Announce.asp, line 19
Do you understand? We have provoked a database error, which shows that the IsNumeric check on its own is not thorough.
The reason is very simple: the maximum precision of the numeric data type defined in SQL is only 38 digits. If we submit a value with more than 38 digits, an error occurs, and that produces the database error message shown above.
The defense is also very simple. One line of code is sufficient.
Program code:
If id > 1000000000 Then Call Error(id) ' 100000000 is always enough?
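
A fuller version of this defense, as an added example in Classic ASP VBScript (not code from the original post): it accepts only a plain decimal integer within range, binds it as a typed parameter, and keeps provider error text away from the client. ParseId, MAX_ID, conn, and the announce table with its title column are assumed names.

```vbscript
<%
' Added example, not from the original post. ParseId, MAX_ID, conn and the
' announce/title names are assumptions made for illustration.
Const MAX_ID = 1000000000          ' upper bound taken from the post's check
Const adInteger = 3, adParamInput = 1, adCmdText = 1   ' ADO constants

' Returns the id as a Long in 1..MAX_ID, or -1 if raw is anything else.
' Stricter than IsNumeric: digits only, at most 10 of them, so a value
' longer than 38 digits never reaches SQL Server.
Function ParseId(raw)
    Dim re
    ParseId = -1
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,10}$"
    If Not re.Test(raw) Then Exit Function
    If CDbl(raw) < 1 Or CDbl(raw) > MAX_ID Then Exit Function
    ParseId = CLng(raw)
End Function

Dim id, cmd, rs
id = ParseId(Request.QueryString("id") & "")
If id = -1 Then
    Response.Write "Error id"
    Response.End
End If

' Bind the value as a typed parameter instead of building the SQL string.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn    ' conn: an already opened ADODB.Connection
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT title FROM announce WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)

' Never send provider error text (which names the database) to the client.
On Error Resume Next
Set rs = cmd.Execute
If Err.Number <> 0 Then
    Err.Clear
    Response.Status = "500 Internal Server Error"
    Response.Write "Request failed"
    Response.End
End If
On Error GoTo 0
%>
```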