ASP is not an especially vulnerable technology; what matters is how attacks are prevented. Whatever form an attack takes, it arrives through the QueryString or through a submitted form, so guarding those two entry points solves the problem.
The following is some of my own code, for your reference.
I. Preventing SQL injection through the QueryString
Pages that can be attacked through SQL injection are usually ones that take a numeric parameter from the URL to decide what to display.
1. First, write a warning subroutine.
    ' Subroutine: error message prompt
    ' Parameters: errmsg = text describing the error
    '             var    = handling mode: 1 = go back without refreshing, 2 = return to the previous page, 3 = close the page
    ' The HTML and script markup inside the Response.Write calls did not survive on this page; only the text did.
    Public Sub alarm(errmsg, var)
        Response.Write "Sorry, the operation failed!" & vbCrLf
        Response.Write "If the problem persists, please send us an error report." & vbCrLf
        Response.Write "Possible causes of the failure:" & vbCrLf
        Response.Write errmsg & vbCrLf
        If var = 1 Then
            Response.Write ""       ' mode 1: go back without refreshing (client-side script not preserved)
        ElseIf var = 2 Then
            Response.Write ""       ' mode 2: return to the previous page (client-side script not preserved)
        ElseIf var = 3 Then
            Response.Write ""       ' mode 3: close the page (client-side script not preserved)
        End If
    End Sub
2. Write a function to verify numbers.
    ' Function: checks whether a value is a valid integer, i.e. non-empty and made only of the digits 0-9.
    ' Return value: Boolean
    Public Function isInteger(para)
        Dim str, l, i
        isInteger = False
        If IsNull(para) Then Exit Function
        ' IsNumeric alone is not enough: it accepts signs, decimals and exponents, so the digit loop below still runs.
        ' (The original omitted Exit Function here, so a non-numeric value fell through to the loop.)
        If IsNumeric(para) = False Then Exit Function
        str = CStr(para)
        If Trim(str) = "" Then Exit Function
        l = Len(str)
        For i = 1 To l
            ' any character outside "0".."9" (sign, decimal point, space, exponent) fails the check
            If Mid(str, i, 1) > "9" Or Mid(str, i, 1) < "0" Then Exit Function
        Next
        isInteger = True
    End Function
3. Write a subroutine to verify that a QueryString parameter is a number.
    ' Subroutine: verify that a parameter is a number
    ' Parameters: manage = handling mode: 1 = show a message and close the page, 2 = redirect to the page redi,
    '                      3 = show a message first, then redirect to redi
    '             redi   = page to redirect to
    '             str    = the value to check
    Public Sub integerok(manage, redi, str)
        If isInteger(str) = False Then
            Select Case manage
                Case 1
                    Response.Write ""       ' message and close-page markup not preserved on this page
                Case 2
                    Response.Redirect redi
                Case 3
                    Response.Write ""       ' message markup not preserved on this page; then redirect to redi
            End Select
            ' stop here so that the rest of the page never runs a query with the rejected value
            Response.End
        End If
    End Sub
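The same strict digit check, reimplemented in Python as an added example (this is not code from the original article), so the behaviour can be tried on sample query strings offline. `is_integer` mirrors the page's isInteger (digits 0-9 only; signs, decimals, exponents and spaces fail), and `check_integer_params` applies it to every required parameter of a parsed query string, also rejecting a parameter that appears more than once, which classic ASP would hand back as a comma-joined string. The parameter name `classid` and the sample query strings are constructed for the example.

```python
from urllib.parse import parse_qs


def is_integer(value):
    """Python equivalent of the page's isInteger: True only when the value is a
    non-empty string made entirely of the ASCII digits 0-9.  Signs, decimal
    points, exponents and surrounding spaces all fail, which is stricter than
    IsNumeric (which accepts "1.5", "-3" or "1e3")."""
    if value is None:
        return False
    text = str(value)
    if text.strip() == "":
        return False
    return all("0" <= ch <= "9" for ch in text)


def check_integer_params(query_string, required):
    """Validate that every name in `required` appears exactly once in the
    query string and carries an integer value.

    Returns (ok, problems) where problems maps each failing name to the raw
    values received (an empty list when the parameter is missing)."""
    params = parse_qs(query_string, keep_blank_values=True)
    problems = {}
    for name in required:
        values = params.get(name, [])
        # A repeated parameter (classid=1&classid=2) is rejected as well:
        # classic ASP would join it to "1, 2", which fails the digit check.
        if len(values) != 1 or not is_integer(values[0]):
            problems[name] = values
    return (not problems, problems)


# Constructed sample requests, in the shape of the page's admin_news_tg.asp?classid=1 example.
SAMPLE_QUERIES = [
    "classid=1",
    "classid=007",
    "classid=1.5",
    "classid=-7",
    "classid=",
    "classid=1a",
    "classid=1&classid=2",
    "page=2",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        ok, problems = check_integer_params(q, ["classid"])
        print(f"{q:22} -> {'OK' if ok else 'REJECT ' + str(problems)}")
```

Run as a script it prints one verdict per sample query; only `classid=1` and `classid=007` pass. Validating the parameter as an integer and then using it as a number is what makes the page's numeric-id case safe, independently of any keyword list.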
4. Write a subroutine that checks the whole QueryString.
    ' Subroutine: overall QueryString check
    ' Parameters: manage = handling mode: 1 = show a message and close the page, 2 = redirect to the page redi,
    '                      3 = show a message first, then redirect to redi
    '             redi   = page to redirect to
    Public Sub saferush(manage, redi)
        Dim my_Url, my_a, my_x, my_Cs(), my_Val, my_Bad, my_k
        ' my_Url: the query string of the current request
        ' my_a:   the &-separated name=value pairs
        ' my_x:   integer loop counter
        ' my_Cs(): dynamic array holding the parameter names
        my_Url = Request.ServerVariables("QUERY_STRING")
        my_a = Split(my_Url, "&")
        ReDim my_Cs(UBound(my_a))
        On Error Resume Next
        For my_x = 0 To UBound(my_a)
            ' keep the part before "=", i.e. the parameter name
            my_Cs(my_x) = Left(my_a(my_x), InStr(my_a(my_x), "=") - 1)
        Next
        ' Tokens that should not appear in a legitimate parameter value.
        ' The first entry is the single quote; it was lost from this page in extraction.
        my_Bad = Array("'", "and ", "select", "update", "chr ", "delete%20from", ";", "insert", "mid ", "master.")
        For my_x = 0 To UBound(my_Cs)
            If my_Cs(my_x) <> "" Then
                my_Val = LCase(Request(my_Cs(my_x)))
                For my_k = 0 To UBound(my_Bad)
                    If InStr(my_Val, my_Bad(my_k)) <> 0 Then
                        ' manage is passed as a number (see the example below), so the cases are numeric,
                        ' not the strings "1", "2", "3" of the original, which never matched.
                        Select Case manage
                            Case 1
                                Response.Write ""       ' message and close-page markup not preserved on this page
                            Case 2
                                Response.Redirect redi
                            Case 3
                                Response.Write ""       ' message markup not preserved on this page; then redirect to redi
                        End Select
                        Response.End
                    End If
                Next
            End If
        Next
    End Sub
The following is an example:
Suppose there is a page http://www.webasp.net/tech/admin_news_tg.asp?classid=1. It can be protected like this:
    Call saferush(2, "../")
    classid = Request.QueryString("classid")
    Call integerok(2, "../", classid)
II. Preventing attacks through form submission
    Sub safeform(var)
        Dim Form_Badword, Chk_badword, name, i
        ' Characters that are not allowed in POST parameters, separated by "|".
        ' (The separator character used on this page was not preserved; "|" is used here.)
        Form_Badword = "%|&|*|#|@|(|)|="
        On Error Resume Next
        If Request.Form <> "" Then
            Chk_badword = Split(Form_Badword, "|")
            For Each name In Request.Form
                For i = 0 To UBound(Chk_badword)
                    If InStr(LCase(Request.Form(name)), Chk_badword(i)) <> 0 Then
                        If var = 1 Then
                            Response.Write ""       ' message markup not preserved on this page
                        ElseIf var = 2 Then
                            ' Qczc.Err_List: error-reporting routine of the original site, not defined on this page.
                            ' The alarm() subroutine above takes the same (message, mode) arguments.
                            Qczc.Err_List "Error! The form you submitted contains invalid strings." & vbCrLf & _
                                          "Do not include invalid strings in the form." & vbCrLf & _
                                          "In this process, we have recorded your IP address.", 1
                        End If
                        Response.End
                    End If
                Next
            Next
        End If
    End Sub
You only need to add one call to safeform at the top of the page that receives the submitted form.
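As an added example (not code from the original article), here are the two keyword filters of this page, saferush for the QueryString and safeform for form fields, reimplemented in Python and run over constructed sample requests. It shows what each filter matches and also the main operational caveat of substring blacklists: ordinary values such as "brand new" (which contains "and ") or a parenthesised title are blocked too, so a site relying on this needs to expect false positives. The parameter names, form fields and sample values are constructed; the token lists are the page's own, except that "delete%20from" is written as "delete from" because Request() returns URL-decoded values.

```python
from urllib.parse import parse_qs

# Tokens the page's saferush looks for in QueryString values.  Matching is
# case-insensitive, as in the original (LCase).  The page lists "delete%20from";
# since Request() hands back URL-decoded values, the decoded form "delete from"
# is what a value would actually contain, so that spelling is used here.
SQL_TOKENS = ["'", "and ", "select", "update", "chr ", "delete from",
              ";", "insert", "mid ", "master."]

# Characters the page's safeform rejects in any POST field.
FORM_BADCHARS = ["%", "&", "*", "#", "@", "(", ")", "="]


def find_tokens(value, tokens):
    """Return the tokens that occur in value (case-insensitive substring match)."""
    low = value.lower()
    return [t for t in tokens if t in low]


def scan_request(query_string, form_fields):
    """Apply both checks to one request.

    Returns {parameter: [matched tokens]}; an empty dict means the request
    passes both filters.  Form fields are keyed "form:<name>"."""
    hits = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            matched = find_tokens(value, SQL_TOKENS)
            if matched:
                hits.setdefault(name, []).extend(matched)
    for name, value in form_fields.items():
        matched = find_tokens(value, FORM_BADCHARS)
        if matched:
            hits.setdefault("form:" + name, []).extend(matched)
    return hits


# Constructed sample requests (query string, form fields).
SAMPLES = [
    ("classid=1&sort=title", {"title": "Daily news", "body": "Plain text only"}),
    # Ordinary values trip the substring filter: "brand new" contains "and ",
    # and a parenthesised title contains "(" and ")".
    ("classid=1&q=brand+new", {"title": "Results (final)"}),
    ("q=select+all", {}),
]

if __name__ == "__main__":
    for qs, form in SAMPLES:
        hits = scan_request(qs, form)
        verdict = "pass" if not hits else "blocked " + str(hits)
        print(f"{qs:24} {form!s:48} -> {verdict}")
```

The first sample passes both filters; the second is blocked on the query parameter `q` and on the form field `title` even though neither value is hostile, which is why the integer check in section I is the more reliable control for numeric parameters.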