Program | attack | attack
SQL injection has been played out by the novice-level so-called hacker masters, who have discovered that most hacking is now done based on SQL injection. SQL injection was played by the novice-level so-called hacker masters, found that most of the hackers are now based on SQL injection implementation, hey, who makes this easy to get started, okay, don't talk nonsense, now I start to say if you write generic SQL anti-injection programs general HTTP requests are nothing more than get and Post, so as long as we filter all the parameters in the post or GET request in the file to the illegal characters, so we implement HTTP request information filtering can be judged by the SQL injection attack.
The GET request that IIS passes to Asp.dll is in the form of a string, and when passed to the Request.QueryString data, the ASP parser parses the Request.QueryString information, and then according to "&", Separate the data in each array so that get is intercepted as follows:
First we define that the request cannot contain the following characters:
|and|exec|insert|select|delete|update|count|*|%| Chr|mid|master|truncate|char|declare
Individual characters with "|" Separated, and then we judged the request.querystring to get the specific code as follows:
Dim sql_injdata
Sql_injdata = "' |and|exec|insert|select|delete|update|count|*|%| Chr|mid|master|truncate|char|declare "
Sql_inj = Split (Sql_injdata, "|")
If request.querystring <> "" Then
For each sql_get in Request.QueryString
For Sql_data=0 to Ubound (Sql_inj)
If InStr (Request.QueryString (Sql_get), Sql_inj (sql_data)) >0 Then
Response.Write " "
Response.End
End If
Next
Next
End If
This enables us to intercept the injection of GET requests, but we also need to filter the POST request, so we have to continue to consider Request.Form, which is also in the form of an array, and we just need to go through the loop again. The code is as follows:
If request.form <> "" Then
For each sql_post in Request.Form
For Sql_data=0 to Ubound (Sql_inj)
If InStr (Request.Form (Sql_post), Sql_inj (sql_data)) >0 Then
Response.Write " "
Response.End
End If
Next
Next
End If
All right, we've implemented the GET and POST request information interception, and you just need to refer to this page before opening the database file like conn.asp. Rest assured that you continue to develop your program, regardless of whether you will be subjected to SQL injection attacks. Isn't it?