Writing General SQL anti-injection programs generally involves http requests like get and post, so we only need to filter out invalid characters in the parameter information of all post or get requests in the file, therefore, we can filter http request information to determine whether it is being attacked by SQL injection.
IIS passed to asp. dll get requests are in the form of strings, when passed to the Request. after QueryString data, the asp parser analyzes the Request. queryString information, and then separate the data in each array according to "&", so the get interception is as follows:
First, we define that the request cannot contain the following characters:
| And | exec | insert | select | delete | update | count | * | % | chr | mid | master | truncate | char | declare
The characters are separated by "|", and then the Request. QueryString is determined. The specific code is as follows:
Dim SQL _injdata
SQL _injdata = "| and | exec | insert | select | delete | update | count | * | % | chr | mid | master | truncate | char | declare"
SQL _inj = split (SQL _Injdata, "| ")
If Request. QueryString <> "Then
For Each SQL _Get In Request. QueryString
For SQL _Data = 0 To Ubound (SQL _inj)
If instr (Request. QueryString (SQL _Get), SQL _Inj (SQL _DATA)> 0 Then
Response. Write "<Script Language = ***> alert !); History. back (-1) </Script>"
Response. end
End if
Next
Next
End If
In this way, we implement the get request injection interception, but we also need to filter the post request, so we have to continue to consider the request. form, which also exists in the form of an array. We only need to make another round-robin judgment. The Code is as follows:
If Request. Form <> "" Then
For Each SQL _Post In Request. Form
For SQL _Data = 0 To Ubound (SQL _inj)
If instr (Request. Form (SQL _Post), SQL _Inj (SQL _DATA)> 0 Then
Response. Write "<Script Language = ***> alert! NnHTTP: // www.521movie.com); history. back (-1) </Script>"
Response. end
End if
Next
Next
End if
We have implemented information interception for get and post requests. You only need to reference this page before opening database files such as conn. asp. Rest assured that you will continue to develop your program, and you do not have to consider whether or not you will be vulnerable to SQL injection attacks.