Home > Developer > ASP

ASP Web page anti-SQL Injection code

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

 

Reference content is as follows:
<%
Dim fy_url, fy_a, fy_x, fy_cs (), fy_cl, fy_ts, fy_zx
'--- Define partial headers ------
Fy_cl = 1' Processing Method: 1 = prompt message, 2 = redirect page, 3 = Prompt before redirect
Fy_zx = "index. asp" 'page to be switched when an error occurs
'--- Define the end of part ------

On Error resume next
Fy_url = request. servervariables ("QUERY_STRING ")
Fy_a = Split (fy_url ,"&")
Redim fy_cs (ubound (fy_a ))
On Error resume next
For fy_x = 0 to ubound (fy_a)
Fy_cs (fy_x) = left (fy_a (fy_x), instr (fy_a (fy_x), "=")-1)
Next
For fy_x = 0 to ubound (fy_cs)
If fy_cs (fy_x) <> "" then
If instr (lcase (Request (fy_cs (fy_x), "'") <> 0 or instr (lcase (Request (fy_cs (fy_x), "select ") <> 0 or instr (lcase (Request (fy_cs (fy_x), "Update") <> 0 or instr (lcase (Request (fy_cs (fy_x ))), "CHR") <> 0 or instr (lcase (Request (fy_cs (fy_x), "Delete % 20 from ") <> 0 or instr (lcase (Request (fy_cs (fy_x), ";") <> 0 or instr (lcase (Request (fy_cs (fy_x ))), "insert") <> 0 or instr (lcase (Request (fy_cs (fy_x), "mid ") <> 0 or instr (lcase (Request (fy_cs (fy_x), "Master. ") <> 0 then
Select case fy_cl
Case "1"
Response. Write "<script language = JavaScript> alert ('error! The value of the parameter "& fy_cs (fy_x) &" contains an invalid string! \ N do not contain invalid characters such as: And, select, update, insert, delete, and CHR in the parameter! \ N I have already set SQL Injection failure. Please do not use illegal measures for me! '); Window. Close (); </SCRIPT>"
Case "2"
Response. Write "<script language = JavaScript> location. href = '" & fy_zx & "' </SCRIPT>"
Case "3"
Response. Write "<script language = JavaScript> alert ('error! The value of the parameter "& fy_cs (fy_x) &" contains an invalid string! \ N do not contain invalid characters such as:, And, select, update, insert, delete, and CHR in the parameter! \ N designed the door. illegal intrusion. Please leave. Thank you! '); Location. href =' "& fy_zx &" '; </SCRIPT>"
End select
Response. End
End if
End if
Next
%>

 

AboveCodeIt is used by many netizens. From the comments, the effect is remarkable.

Reference content is as follows:
Dim query_badword, form_badword, err_message, err_web, form_name

'------ Define some headers ----------------------------------------------------------------------

Err_message = 1' Processing Method: 1 = prompt message, 2 = redirect page, 3 = Prompt before redirect
Err_web = "Err. asp" 'page to be switched when an error occurs
Query_badword = "'' and ‖ select → update → CHR → Delete → % 20from→ insert → mid → master. → set → CHR (37) → ="
'The invalid GET parameter is defined in this part. Use the interval "‖".
Form_badword = "'' % ''&'' ** # ''@'' = ‖ select ‖ and ‖ set ‖ Delete "'illegal post parameters are defined in this section, and the interval between" ‖ "is used.

'------ Define part of the end -----------------------------------------------------------------------
'
On Error resume next
'----- Filter the get query value.
If request. querystring <> "then
Chk_badword = Split (query_badword ,"‖")
For each query_form_name in request. querystring
For I = 0 to ubound (chk_badword)
If instr (lcase (request. querystring (query_form_name), chk_badword (I) <> 0 then
Select case err_message
Case "1"
Response. Write "<script language = JavaScript> alert ('parameter passing error! The value of the parameter "& form_name &" contains an invalid string! \ N do not include invalid characters such as: and update Delete; insert mid master in the parameter! '); Window. Close (); </SCRIPT>"
Case "2"
Response. Write "<script language = JavaScript> location. href = '" & err_web & "' </SCRIPT>"
Case "3"
Response. Write "<script language = JavaScript> alert ('parameter passing error! The value of the parameter "& form_name &" contains an invalid string! \ N do not include invalid characters such as: and update Delete; insert mid master in the parameter! '); Location. href =' "& err_web &" '; </SCRIPT>"
End select
Response. End
End if
Next
Next
End if

'----- Filter the single value of the post table.
If request. Form <> "" then
Chk_badword = Split (form_badword ,"‖")
For each form_name in request. Form
For I = 0 to ubound (chk_badword)
If instr (lcase (request. Form (form_name), chk_badword (I) <> 0 then
Select case err_message
Case "1"
Response. Write "<script language = JavaScript> alert ('error! The value of Form "& form_name &" contains an invalid string! \ N do not contain invalid characters such as % & * # () in the form! '); Window. Close (); </SCRIPT>"
Case "2"
Response. Write "<script language = JavaScript> location. href = '" & err_web & "' </SCRIPT>"
Case "3"
Response. Write "<script language = JavaScript> alert ('error! The value of the parameter "& form_name &" contains an invalid string! \ N do not contain invalid characters such as % & * # () in the form! '); Location. href =' "& err_web &" '; </SCRIPT>"
End select
Response. End
End if
Next
Next
End if

 

The above is another version.

Reference content is as follows:
<%
Dim getflag REM (submission method)
Dim errorsql REM (invalid character)
Dim requestkey REM (submit data)
Dim fori REM (Cyclic mark)
Errorsql = "'~;~ And ~ (~)~ Exec ~ Update ~ Count ~ *~ % ~ CHR ~ Mid ~ Master ~ Truncate ~ Char ~ Declare "REM (use halfwidth for each sensitive character or word "~ "Gekai)
Errorsql = Split (errorsql ,"~ ")
If request. servervariables ("request_method") = "get" then
Getflag = true
Else
Getflag = false
End if
If getflag then
For each requestkey in request. querystring
For fori = 0 to ubound (errorsql)
If instr (lcase (request. querystring (requestkey), errorsql (fori) <> 0 then
Response. write "<SCRIPT> alert (" "Warning: \ n please do not try any" "); location. href = "" index. ASP ""; </SCRIPT>"
Response. End
End if
Next
Next
Else
For each requestkey in request. Form
For fori = 0 to ubound (errorsql)
If instr (lcase (request. Form (requestkey), errorsql (fori) <> 0 then
Response. write "<SCRIPT> alert (" "Warning: \ n please do not try any" "); location. href = "" index. ASP ""; </SCRIPT>"
Response. End
End if
Next
Next
End if
%>

 

put the above Code into the conn file. The function is comprehensive ......

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More