Asp SQL anti-injection new method, without monitoring injection characters

Source: Internet
Author: User

The principle is simple. There are only a few character types in the database. We usually use numeric values, strings, and time. We generally use numeric values and strings for queries. The string Query format is where field = 'query condition', which cannot be injected here, because a single quotation mark is added here, and the query condition is converted to the string type, rather than a valid SQL statement. The injection vulnerability exists in the query condition without single quotation marks, that is, the numerical query condition. Here, the Query format is where field = the query condition does not have single quotation marks, and the injection vulnerability occurs. Next, we will fix this vulnerability. The traditional method is to shield injection characters, but it causes a lot of inconvenience. Now I will teach you two new methods. 1. Add single quotation marks: the Query format is changed to where cstr (field) = 'query condition'. Here, the content to be queried in the database is converted to a string, so single quotation marks must be added at the end, injection is prevented here. 2. First, check the type of the query condition: Use the isnumeric () function to check whether it is a numeric value. If it is executed again, perform database operations. All strings are eliminated here, not to mention injecting characters. I hope it will help you. Continued: The where field = query condition in the numeric query in the database query. No single quotation marks are allowed here, unless in this case where cstr (field) = 'query condition 'method 1. Let's talk about it, I think it seems a problem. Issue 2 I think is feasible. Method 1: I thought of it temporarily. I found it for a while, and I am using it. It is very good.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.