SQL Injection has been played by so-called cainiao-level hackers and finds that most of today's hacker intrusions are implemented based on SQL injection. Well, who makes it easy to get started, now, if I write a general SQL anti-injection program, HTTP requests are similar to get and post requests, therefore, we only need to filter out invalid characters in the parameter information of all post or get requests in the file. Therefore, we can filter the HTTP request information to determine whether the request is being attacked by SQL injection.
IIS passed to ASP. dll get requests are in the form of strings, when passed to the request. after querystring data, the ASP parser analyzes the request. querystring information, and then separate the data in each array according to "&", so the get interception is as follows:
First, we define that the request cannot contain the following characters:
'And exec insert Select Delete update count * % CHR mid master truncate char declare |
Each character is separated by "", and then we determine the obtained request. querystring. The specific code is as follows:
Dim SQL _injdata SQL _injdata = "'and exec insert Select Delete update count * % CHR mid master truncate char declare" SQL _inj = Split (SQL _injdata ,"") If request. querystring <> "then For each SQL _get in request. querystring For SQL _data = 0 to ubound (SQL _inj) If instr (request. querystring (SQL _get), SQL _inj (SQL _data)> 0 then Response. Write "<script language = ***> alert! '); History. Back (-1) </SCRIPT>" Response. End End if Next Next End if |
In this way, we implement the GET request injection interception, but we also need to filter the POST request, so we have to continue to consider the request. form, which also exists in the form of an array. We only need to make another round-robin judgment. The Code is as follows:
If request. Form <> "" then For each SQL _post in request. Form For SQL _data = 0 to ubound (SQL _inj) If instr (request. Form (SQL _post), SQL _inj (SQL _data)> 0 then Response. Write "<script language = ***> alert! Nnhttp: // www.521movie.com '); history. Back (-1) </SCRIPT>" Response. End End if Next Next End if |
Now, we have implemented information interception for get and post requests. You only need to reference this page before opening database files such as Conn. asp. Rest assured that you will continue to develop your program, and you do not have to consider whether or not you will be vulnerable to SQL injection attacks. Isn't it?