Asp SQL Injection Protection Program

Source: Internet
Author: User
Tags sql injection protection


Writing General SQL anti-injection programs generally involves http requests like get and post, so we only need to filter out invalid characters in the parameter information of all post or get requests in the file, therefore, we can filter http request information to determine whether it is being attacked by SQL injection.
IIS passed to asp. dll get requests are in the form of strings, when passed to the Request. after QueryString data, the asp parser analyzes the Request. queryString information, and then separate the data in each array according to "&", so the get interception is as follows:
First, we define that the request cannot contain the following characters:

| And | exec | insert | select | delete | update | count | * | % | chr | mid | master | truncate | char | declare

The characters are separated by "|", and then the Request. QueryString is determined. The specific code is as follows:

Dim SQL _injdata
SQL _injdata = "| and | exec | insert | select | delete | update | count | * | % | chr | mid | master | truncate | char | declare"
SQL _inj = split (SQL _Injdata, "| ")
If Request. QueryString <> "Then
For Each SQL _Get In Request. QueryString
For SQL _Data = 0 To Ubound (SQL _inj)
If instr (Request. QueryString (SQL _Get), SQL _Inj (SQL _DATA)> 0 Then
Response. Write "<Script Language = ***> alert !); History. back (-1) </Script>"
Response. end
End if
End If

In this way, we implement the get request injection interception, but we also need to filter the post request, so we have to continue to consider the request. form, which also exists in the form of an array. We only need to make another round-robin judgment. The Code is as follows:

If Request. Form <> "" Then
For Each SQL _Post In Request. Form
For SQL _Data = 0 To Ubound (SQL _inj)
If instr (Request. Form (SQL _Post), SQL _Inj (SQL _DATA)> 0 Then
Response. Write "<Script Language = ***> alert! NnHTTP: //; history. back (-1) </Script>"
Response. end
End if
End if

We have implemented information interception for get and post requests. You only need to reference this page before opening database files such as conn. asp. Rest assured that you will continue to develop your program, and you do not have to consider whether or not you will be vulnerable to SQL injection attacks.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.