An ASP function to solve the SQL Injection Vulnerability

Source: Internet
Author: User
Tags: how to prevent sql injection

The function is simple: it handles character (string) and numeric input separately, because the two reach the SQL text in different ways. It is used as follows:

Character type:
    strUsername = CheckInput(Request("username"), "S")
Numeric type:
    id = CheckInput(Request("ID"), "I")

Below is the function

Function CheckInput(str, strType)
    ' Purpose: for character parameters, double every single quote so the value
    ' cannot close the SQL string literal it is placed in; for numeric parameters,
    ' check that the value is a number and otherwise substitute 0.
    ' str     -- the parameter to be filtered
    ' strType -- parameter type: "S" for character (string), "I" for numeric (integer)
    Dim strTmp
    strTmp = ""
    If strType = "S" Then
        strTmp = Replace(Trim(str), "'", "''")
    ElseIf strType = "I" Then
        If IsNumeric(str) = False Then str = "0"
        strTmp = str
    Else
        ' Unknown type: escape as a string rather than passing the value through untouched
        strTmp = Replace(Trim(str), "'", "''")
    End If
    CheckInput = strTmp
End Function

It is best to filter out ":" as well; we recommend writing such characters with Chr() instead of a literal.
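To see what the two filter paths actually do to attacker input, here is an added example (my own code, not from the original post) that runs stand-alone under cscript.exe on Windows with no IIS and no database: the Request() values are replaced by constructed attacker strings, and the script prints the SQL text that would be sent. It goes one step further than the post's numeric path: instead of keeping the original string once IsNumeric succeeds, it coerces with CLng, so forms that IsNumeric accepts but that are not plain integers (for example "1e3" or "&HFF") are either converted to a Long or rejected. The table and column names are assumed.

```vbscript
' Added example, not part of the original post. Run with: cscript //nologo checkinput_demo.vbs
Option Explicit

' Character type: double every single quote so the value cannot close the
' SQL string literal. Only correct when the caller puts the result inside '...'.
Function SafeString(ByVal s)
    SafeString = Replace(Trim(s), "'", "''")
End Function

' Numeric type. IsNumeric alone also accepts forms such as "1e3" or "&HFF";
' CLng either turns the value into a Long or raises an error, so the only thing
' that can reach the SQL text is an integer. Non-numbers become 0, as in the
' original function (assumption: 0 is an id that matches no row).
Function SafeLong(ByVal s)
    Dim n
    On Error Resume Next
    n = CLng(Trim(s))
    If Err.Number <> 0 Then
        Err.Clear
        n = 0
    End If
    On Error GoTo 0
    SafeLong = n
End Function

' Queries built by concatenation, the way the post does it
' (table and column names are assumed).
Function BuildUserQuery(ByVal username)
    BuildUserQuery = "SELECT * FROM users WHERE username = '" & SafeString(username) & "'"
End Function

Function BuildIdQuery(ByVal id)
    BuildIdQuery = "SELECT * FROM users WHERE id = " & SafeLong(id)
End Function

' Constructed attacker inputs standing in for Request("username") / Request("ID")
Dim inputs, i, row
inputs = Array( _
    Array("S", "admin' OR '1'='1"), _
    Array("S", "admin'; DROP TABLE users; --"), _
    Array("I", "1 OR 1=1"), _
    Array("I", "1; EXEC master.dbo.xp_cmdshell 'dir'"), _
    Array("I", "&HFF"), _
    Array("I", "42"))

For i = 0 To UBound(inputs)
    row = inputs(i)
    If row(0) = "S" Then
        WScript.Echo row(1) & "  =>  " & BuildUserQuery(row(1))
    Else
        WScript.Echo row(1) & "  =>  " & BuildIdQuery(row(1))
    End If
Next
```

Each "S" input comes out with its quotes doubled inside the literal, so the literal is never closed early; each "I" input that is not an integer becomes id = 0, which is exactly the case the post says the quote filter alone cannot cover.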

There is not much to say about preventing SQL injection in ASP. In my own ASP projects, all data submitted by the client is processed by a self-written function, which is also posted on my blog:

http://blog.csdn.net/cqq/archive/2004/09/23/113786.aspx

Judging by readers' comments and by other anti-injection functions circulating online, however, many people have fallen into a misunderstanding.

The harm of SQL injection is great. Against SQL Server, for example, an attacker can create or delete tables and databases, or execute system commands:

DROP TABLE tbl_name
EXEC master.dbo.xp_cmdshell 'command'

So many people write functions that filter out every keyword that might cause harm: drop, the semicolon, and, exec, mid, and many more.

In fact, there is no need to be so tedious and complicate a simple thing.

For filtering, ASP only needs to handle the character and numeric types separately:

Character type: convert each single quote into two single quotes, strTmp = Replace(Trim(str), "'", "''"), so the value can no longer close the quoted literal it is placed in.

Numeric type: check whether the value can be converted to a number, using the IsNumeric function, and substitute 0 otherwise. A numeric parameter is placed in the SQL text without quotes, so no amount of quote escaping protects it; this is the case the keyword blacklists were trying to cover.

The "single-quote bypass" attacks circulating online are in fact aimed at numeric parameters. If someone finds a way to bypass a character parameter whose single quotes have been doubled, then there is nothing left to play with.

Two conditions apply for the quote doubling to be sufficient: the escaped value must land inside a single-quoted literal in the SQL text (a developer who forgets the quotes around an "S" value has turned it into the numeric case), and the statement must be executed once, as built. If a stored value is later concatenated into a second dynamic statement, for example inside EXEC of a string built on the server, it must be escaped again at that point. Parameterized queries through ADODB.Command avoid both problems, because the value never becomes part of the SQL text at all.
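As an alternative to escaping, here are the same two lookups done with ADODB.Command parameters. This is an added example and not the post's own method: it assumes a SQL Server table users with columns username (varchar(50)) and id (int), and a connection string strConn whose value below is a placeholder. It is ASP page code (it uses Server, Request and Response), so it runs inside an .asp page rather than under cscript.

```vbscript
' Added example, not the post's method: the same lookups with ADO parameters.
' Sits inside <% ... %> in an .asp page. Table, columns and strConn are assumed.

' ADO constants (the values from adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

' The SQL text is fixed before any user data is attached; the driver sends the
' values separately, so a quote or keyword inside them is only data.
Function FindUser(ByVal conn, ByVal username, ByVal id)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT id, username FROM users WHERE username = ? AND id = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)
    Set FindUser = cmd.Execute
End Function

' Numeric input still gets a type check, but only so the page answers cleanly
' instead of raising an ADO conversion error; there is no SQL text for it to break.
Function ToId(ByVal s)
    If IsNumeric(s) Then
        ToId = CLng(s)
    Else
        ToId = 0
    End If
End Function

Dim strConn, conn, rs
strConn = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=app;Integrated Security=SSPI"  ' placeholder
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open strConn

' "admin' OR '1'='1" is compared literally against the username column.
Set rs = FindUser(conn, CStr(Request("username")), ToId(Request("ID")))
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("username").Value) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
```

Because the query text is fixed before Execute, the "second dynamic statement" problem also disappears for this page: whatever is stored in username is stored as typed, and a later parameterized query reads it back the same way.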
