ASP, secure write database operation, read out and display on different occasions

Source: Internet
Author: User
Tags exit chr sql string trim
Security | data | database | display | security

For example, there is a styledesc this field, the data requires 50-bit, char, can only limit his 50-bit, other unrestricted,
You can enter any character. As long as it's char, it's OK as long as the database allows it.

In this way, the safe write to the database operation, normal read out and display in different occasions, the application.

How should it be done?

Here are some of the points I have summed up. Very likely wrong, please correct me.
If the input to the user can be any character (except for a specific input restriction for a field, such as input length, input type = =).
is to input as much as possible without restriction.

For a string of STR, he outputs the following kinds of directions:
1. Output to HTML, Function fn_chk_to_html (STR)
2. Output to script (e.g. JavaScript), Function Fn_chk_to_script (STR)
3. Output to the SQL statement, and this SQL statement is used to enclose the string str with ' two single quotes.
Function Fn_chk_to_sql_mark (STR)
4. Output to SQL statements, and this SQL statement does not enclose Str in a single quote. Function Fn_chk_to_sql_go (str)
5. Output to URL. Function Fn_chk_to_url (STR)

<%function fn_chk_to_html (Str)
' such as <input text= ' <%=request ("Styledesc")%> ">
 if Isnull (str) Then
  Chksql = "
  Exit Function
 end If
 str = Trim (str)
 str = Re Place (str, CHR (0), "", 1,-1,1)
 str = replace (str, "" ",", "", 1,-1,1)
 str = replace (str, "", "", 1,-1,1)
 str = replace (str, "<", "<", 1,-1,1)
 str = replace (str, ">", ">", 1,-1,1)
 str = Replace (str, VBCRLF, "<br>", 1,-1,1)
 fn_chk_to_html = str
End Function
%>

<%function fn_chk_to_script (Str)
' Like Response.Write ' <script>alert (' &request ' Styledesc) & "');</script>
 if Isnull (Str) Then
  Chksql ="
  Exit Function
 end If
 str = Trim (str)
&NBSP;STR = replace (str, "\", "\ \", 1,-1,1)
 str = replace (str, "" "", "\" ", 1,-1,1) BR>&NBSP;STR = replace (Str, "'", "\", 1,-1,1)
 str = replace (STR,CHR, \ n, 1,-1,1)
 fn_chk_to_ Script = Str
End Function
%>
<%
Function Fn_chk_to_sql_mark (Str)
' like sql= ' select * from Style where Styledesc like ' &request ("Styledesc") & "'"
 if Isnull (Str) Then
  Chksql = ""
  Exit Function
 end If
 str = Trim (str)
 str = Replace (str, "'", "'", 1,-1,1)
 fn_chk_ To_sql_mark = Str
End Function
%>

<%function Fn_chk_to_sql_go (STR)
"such as SQL =" SELECT * from "&request (" table ").
If Isnull (STR) Then
Chksql = ""
Exit Function
End If
str = Trim (str)
str = Replace (str, CHR (0), "", 1,-1,1)
str = Replace (str, "" "", "", 1,-1,1)
str = Replace (str, "'", "'", 1,-1,1)
str = Replace (str, "<", "<", 1,-1,1)
str = Replace (str, ">", ">", 1,-1,1)
str = Replace (str, "[", "[", 1,-1,1)
str = Replace (str, "]", "]", 1,-1,1)
str = Replace (str, "\", "\", 1,-1,1)
str = Replace (str, "*", "*", 1,-1,1)
str = Replace (str, "%", "%", 1,-1,1)
str = Replace (str, ";", ";", 1,-1,1)
str = Replace (str, VBCRLF, "<br>", 1,-1,1)
str = Replace (str, "--", "--")
Fn_chk_to_sql_go = Str
End Function
%>


<%function Fn_chk_to_url (STR)

' such as str= ' If Isnull (STR) Then
Chksql = ""
Exit Function
End If
str = Trim (str)
STR = Server. UrlEncode (STR)
Fn_chk_to_sql_mark = Str
End Function
%>




Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.