ASP anti-SQL injection attack program

Source: Internet
Author: User
Tags filter array chr http request include sql sql injection sql injection attack
Program | attack | attack

SQL injection has been played out by the novice-level so-called hacker masters, who have discovered that most hacking is now done based on SQL injection. SQL injection was played by the novice-level so-called hacker masters, found that most of the hackers are now based on SQL injection implementation, hey, who makes this easy to get started, okay, don't talk nonsense, now I start to say if you write generic SQL anti-injection programs general HTTP requests are nothing more than get and Post, so as long as we filter all the parameters in the post or GET request in the file to the illegal characters, so we implement HTTP request information filtering can be judged by the SQL injection attack.
The GET request that IIS passes to Asp.dll is in the form of a string, and when passed to the Request.QueryString data, the ASP parser parses the Request.QueryString information, and then according to "&", Separate the data in each array so that get is intercepted as follows:
First we define that the request cannot contain the following characters:

|and|exec|insert|select|delete|update|count|*|%| Chr|mid|master|truncate|char|declare


Individual characters with "|" Separated, and then we judged the request.querystring to get the specific code as follows:

Dim sql_injdata
Sql_injdata = "' |and|exec|insert|select|delete|update|count|*|%| Chr|mid|master|truncate|char|declare "
Sql_inj = Split (Sql_injdata, "|")
If request.querystring <> "" Then
For each sql_get in Request.QueryString
For Sql_data=0 to Ubound (Sql_inj)
If InStr (Request.QueryString (Sql_get), Sql_inj (sql_data)) >0 Then
Response.Write " "
Response.End
End If
Next
Next
End If


This enables us to intercept the injection of GET requests, but we also need to filter the POST request, so we have to continue to consider Request.Form, which is also in the form of an array, and we just need to go through the loop again. The code is as follows:

If request.form <> "" Then
For each sql_post in Request.Form
For Sql_data=0 to Ubound (Sql_inj)
If InStr (Request.Form (Sql_post), Sql_inj (sql_data)) >0 Then
Response.Write " "
Response.End
End If
Next
Next
End If


All right, we've implemented the GET and POST request information interception, and you just need to refer to this page before opening the database file like conn.asp. Rest assured that you continue to develop your program, regardless of whether you will be subjected to SQL injection attacks. Isn't it?



Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.