An Effective Way to Prevent SQL Injection Vulnerabilities (Detailed Description)

Source: Internet
Author: User
1. If a dynamically constructed SQL statement includes parameters, you must do the following for each parameter:
A. Replace ' (a single quote) with '' (two single quotes)
B. Strip -- (the SQL comment marker)
C. When adding arguments to a statement, be sure to enclose them in quotation marks, such as: 'SELECT * FROM table WHERE id=''' + @id + ''''
2. If the dynamically constructed SQL statement contains a table-name parameter, wrap the table name in [] (square brackets), as in: 'SELECT * FROM [' + @tab + ']'

3. Avoid dynamic SQL statements: fields that come from the browser client and are used as conditions of queries, updates, or deletes are the easiest to inject. In the address-book example below, PersonID is obtained from the client and, for development convenience, used directly as a condition of the SQL statement without the necessary check. It is therefore best to use the PreparedStatement class when executing SQL statements during development.

4. Verify the data: validating user input in the browser with client-side web effects (script) is of limited value; what matters is that the data is strictly verified on the server once it has been received from the client. Developers must not assume that users will only enter legitimate data. Be sure to check the input for semicolons, quotation marks, parentheses, SQL keywords, and so on. Regular expressions can perform complex pattern matching and give good results here.


The address-book viewer of website XXX needs a PersonID, which can be passed as a URL parameter. Because the viewer obtains PersonID directly, performs no validation of the data at all, and keeps PersonID as a string variable, the code that reads PersonID is as follows:

if (getParameter(req, "PersonID") != null) {
    personId = getParameter(req, "PersonID").trim();   // PersonID stays a String, no integer check
} else {
    personId = "";
}

The dynamic SQL statements that are combined in this program are as follows:

personSql = "select * from tableName where userid=" + Long.toString(userid) + " and addrcontactid=" + personId;

Since the program does not check whether PersonID is an integer, an attacker only has to supply a crafted value for PersonID and the subsequent program logic keeps running. If the attacker enters the following URL:

http://www.----------------------?personid=6414 or 2=2

the SQL statement that gets assembled is as follows:

select * from tableName where userid=1433620 and addrcontactid=6414 or 2=2

Because AND binds more tightly than OR, the condition is true for every row, so the query returns every user's contacts rather than only those of user 1433620.
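The address-book lookup above, reconstructed as an added Python/sqlite3 example (this is not the original program's code; the addrbook table and its rows are constructed): the concatenated query returns every row for the injected PersonID, while the bound-parameter version, the equivalent of PreparedStatement, rejects it.

```python
import sqlite3

# Constructed sample data: contacts belonging to two different users.
ROWS = [
    (1433620, 6414, "contact of user 1433620"),
    (1433620, 6415, "another contact of user 1433620"),
    (9999999, 7001, "private contact of another user"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addrbook (userid INTEGER, addrcontactid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO addrbook VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, userid, personid):
    # Same construction as the page's personSql: PersonID is a string that is
    # concatenated unchecked, so "6414 or 2=2" becomes part of the WHERE clause.
    sql = ("select * from addrbook where userid=" + str(userid)
           + " and addrcontactid=" + personid)
    return conn.execute(sql).fetchall()


def safe_lookup(conn, userid, personid):
    # The PreparedStatement-style fix: PersonID is first checked to be an
    # integer (the request is rejected otherwise), then passed as a bound
    # parameter, so it can never change the shape of the query.
    try:
        pid = int(personid)
    except ValueError:
        return None  # reject the request, like Response.End in the ASP code
    return conn.execute(
        "select * from addrbook where userid=? and addrcontactid=?",
        (userid, pid),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(len(vulnerable_lookup(db, 1433620, "6414 or 2=2")), "rows returned to the attacker")
    print(safe_lookup(db, 1433620, "6414 or 2=2"))
```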

Preventive approach

With SQL injection, "a thousand-mile dike collapses from an ant hole": the vulnerability is very common on the Internet, usually because the programmer is unaware of injection, the program does not filter strictly, or a single parameter was forgotten in the checks. Here I give you a function to use in place of the Request function in ASP; with it you can say no to all SQL injection. The function is as follows:

Function SafeRequest(ParaName, ParaType)
    '--- incoming parameters ---
    ' ParaName: parameter name - string
    ' ParaType: parameter type - number (1 means the parameter is numeric, 0 means it is a string)

    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        If Not IsNumeric(ParaValue) Then
            Response.Write "Parameter " & ParaName & " must be numeric!"
            Response.End
        End If
    Else
        ' Double every single quote so the value cannot terminate a quoted literal
        ParaValue = Replace(ParaValue, "'", "''")
    End If
    SafeRequest = ParaValue
End Function

Applying the above idea:

For a parameter of type int, such as the ID of an article, first confirm that it is an integer and convert it before use.

ID = Trim(Request("id"))
If ID <> "" Then
    If Not IsNumeric(ID) Then
        Response.Write "Please provide a numeric parameter"
        Response.End
    End If
    ID = CLng(ID)   ' from here on ID is a number, not text
Else
    Response.Write "Please enter the parameter ID"
    Response.End
End If
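A Python port of the SafeRequest function and the integer-ID check above, added here as an example (it is not the page's ASP code; the names safe_request, require_int_param and the PARAMS dict are this example's own). It also makes the caveat explicit: quote doubling only protects a value that the caller places inside a quoted literal, which is why numeric parameters are parsed as integers instead of escaped.

```python
class BadParameter(ValueError):
    """Raised where the ASP original writes an error and calls Response.End."""


def safe_request(params, name, numeric):
    """Port of SafeRequest: numeric=True mirrors ParaType=1, False mirrors 0."""
    value = params.get(name, "")
    if numeric:
        # Stricter than IsNumeric: only a plain integer passes, so
        # "6414 or 2=2" (and forms such as "1e3") are rejected.
        try:
            int(value.strip())
        except ValueError:
            raise BadParameter(f"Parameter {name} must be numeric!")
        return value.strip()
    # Double every single quote so the value cannot terminate a quoted literal.
    # This only helps when the caller puts the value inside '...' in the SQL.
    return value.replace("'", "''")


def require_int_param(params, name):
    """Port of the article-ID check: empty and non-numeric values are rejected."""
    value = params.get(name, "").strip()
    if value == "":
        raise BadParameter(f"Please enter the parameter {name}")
    try:
        return int(value)  # the CLng step: from here on the value is a number
    except ValueError:
        raise BadParameter("Please provide a numeric parameter")


def is_rejected(func, *args):
    """True if the parameter check refuses the request."""
    try:
        func(*args)
        return False
    except BadParameter:
        return True


# Constructed query-string values standing in for Request(...).
PARAMS = {"id": "6414 or 2=2", "name": "O'Brien", "article": "42"}
```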
