The function is very simple: it handles string-type and numeric-type input separately. It is called like this:
String type:
strUsername = CheckInput(Request("username"), "S")
Numeric type:
id = CheckInput(Request("ID"), "I")
Below is the function
Function CheckInput(str, strType)
    ' Purpose: for string parameters, double every single quote so the value
    ' cannot close the SQL literal it is placed in; for numeric parameters,
    ' check that the value is numeric and replace it with 0 if it is not.
    ' Parameters: str     - the value to be filtered
    '             strType - parameter type: "S" for string, "I" for integer (numeric)
    Dim strTmp
    strTmp = ""
    If strType = "S" Then
        strTmp = Replace(Trim(str), "'", "''")
    ElseIf strType = "I" Then
        If IsNumeric(str) = False Then str = "0"
        strTmp = str
    Else
        ' Caution: any other type tag (including a mistyped lowercase "s",
        ' since = compares strings case-sensitively) returns the value unfiltered.
        strTmp = str
    End If
    CheckInput = strTmp
End Function
It is best to filter out ":" as well.
We recommend writing the quote character with Chr() instead of a literal "'" in the Replace call (Chr(39) is the single quote), which avoids the awkward nested quotes.
There seems to be little left to say about preventing SQL injection in ASP. In my ASP projects,
all data submitted by the client is processed by a function I wrote myself. That function is also posted on my blog;
see http://blog.csdn.net/cqq/archive/2004/09/23/113786.aspx for details.
However, judging from friends' comments and from other anti-injection functions circulating online, many people have fallen into a misconception.
The harm of SQL injection is great. On SQL Server, for example, an attacker can create or drop databases and execute system commands, such as
drop table tbl_name or exec master.dbo.xp_cmdshell 'command'.
Therefore many people write functions that filter out every keyword that might cause harm: drop, semicolon, and, exec, mid,
and a great many more.
In fact, there is no need to be so tedious and turn a simple thing into a complicated one.
For filtering, ASP only needs to handle string-type and numeric-type parameters separately:
for string types, convert each single quote into two single quotes: strTmp = Replace(Trim(str), "'", "''");
for numeric types, check whether the value can be converted to a number, using the IsNumeric function.
This holds as long as every string value really is enclosed in single quotes in the SQL text and everything else is checked as a number; a value spliced into an identifier, an ORDER BY clause or a LIKE pattern is not covered by quote-doubling.
The single-quote bypass attacks circulating on the Internet are actually aimed at numeric parameters, where the value is not enclosed in quotes at all and escaping quotes does nothing.
If there were still a way to bypass a string-type filter that doubles single quotes, the game would be over ........
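The following is an added example, not code from the original post: a Python port of the page's CheckInput() function, run against a constructed three-row SQLite table, to show why quote-doubling stops the string-type payload but only a numeric check stops the quote-free payload against an ID parameter. The table, the user names and the payloads are all constructed for the example. Two deliberate differences from the VBScript are assumptions of this port: the numeric branch accepts plain integers only (VBScript's IsNumeric also accepts forms such as "1e3", "&HFF" and currency strings), and the last function uses a bound parameter, which classic ASP offers through ADODB.Command parameters rather than through string splicing.

```python
import re
import sqlite3

# Port of the page's CheckInput() (the original is VBScript). The "S" branch and
# the fallthrough for an unknown type tag mirror the original; the "I" branch is
# stricter than VBScript's IsNumeric and accepts plain integers only.
def checkinput(value: str, strtype: str) -> str:
    if strtype == "S":
        # Double every single quote so the value cannot close the SQL literal.
        return value.strip().replace("'", "''")
    if strtype == "I":
        stripped = value.strip()
        return stripped if re.fullmatch(r"-?\d+", stripped) else "0"
    # Same fallthrough as the original Else branch: an unknown tag (e.g. a
    # mistyped lowercase "s") passes the input through unfiltered.
    return value


def make_db() -> sqlite3.Connection:
    """Constructed sample table (three users) used by every query below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def count_by_username(conn: sqlite3.Connection, raw: str, filtered: bool) -> int:
    """String parameter: the value is spliced inside single quotes."""
    value = checkinput(raw, "S") if filtered else raw
    sql = f"SELECT COUNT(*) FROM users WHERE username = '{value}'"
    return conn.execute(sql).fetchone()[0]


def count_by_id(conn: sqlite3.Connection, raw: str, filtered: bool) -> int:
    """Numeric parameter: spliced without quotes, so quote-doubling cannot help."""
    value = checkinput(raw, "I") if filtered else raw
    sql = f"SELECT COUNT(*) FROM users WHERE id = {value}"
    return conn.execute(sql).fetchone()[0]


def count_by_username_param(conn: sqlite3.Connection, raw: str) -> int:
    """Bound parameter: the driver keeps data and SQL apart, no escaping needed
    (classic ASP offers the same via ADODB.Command parameters; assumption of this port)."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (raw,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # Quote-based payload against the string parameter.
    s_payload = "' OR '1'='1"
    print(count_by_username(db, s_payload, filtered=False))  # 3: every row matches
    print(count_by_username(db, s_payload, filtered=True))   # 0: it is now just a string
    # Quote-free payload against the numeric parameter, the case the text calls out.
    i_payload = "1 OR 1=1"
    print(count_by_id(db, i_payload, filtered=False))  # 3: quote filtering is irrelevant here
    print(count_by_id(db, i_payload, filtered=True))   # 0: non-numeric input was replaced by 0
    print(count_by_id(db, "2", filtered=True))         # 1: a genuine id still works
    print(count_by_username_param(db, s_payload))      # 0: bound parameter, nothing to escape
    # Pitfall: a mistyped type tag returns the payload unfiltered.
    print(checkinput(s_payload, "s") == s_payload)     # True
```

The unfiltered numeric case is the one the text warns about: `WHERE id = 1 OR 1=1` contains no quote for a quote filter to catch, so only the numeric check (or a bound parameter) closes it. The last line shows the cost of the original function's Else branch: a single wrong type tag silently disables filtering for that call.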