EasyASP has finally reached v2.2. The handbook is still being improved, and many people in the group keep asking how to use it, so I intend to write a manual and, at the same time, introduce some of the new features so that easp users can get up to speed quickly. To be honest, seeing so many people still writing ASP and still supporting easp feels rare these days, so I have not dropped easp development either; I hope easp can give the last ASPers a little help.
EasyASP v2.2 changes a lot: many of the original methods that I found awkward have been dropped, and, more importantly, many new functions that I think will be very handy have been added. This is the first article in the series, and it covers how EasyASP guards against SQL injection.
When it comes to preventing SQL injection, everyone has their own opinions. This article is not an in-depth discussion of the subject; I will only explain, from that angle, how EasyASP v2.2 prevents SQL injection.
1. Find the injection point
First, let's look at where ASP gives an attacker an injection opportunity (VBScript is assumed below). Data that a user can supply reaches an ASP page through three objects:
Request.QueryString
Request.Form
Request.Cookies
If your program concatenates data obtained through Request directly into SQL statements without processing it, SQL injection is basically unavoidable. So every value that takes part in SQL concatenation must be processed beforehand. (Request.ServerVariables also carries attacker-controlled values, for example HTTP_USER_AGENT and HTTP_REFERER, so any of those that end up in a SQL statement need the same treatment.) But how should the data be processed?
2. Processing injected characters
Based on the conclusions from the earlier article, it is easy to see how to handle data that might carry an injection:
(1) For string data, handle the single quote: replace each single quote with two single quotes;
(2) For numeric data, verify that it really is a number before using it;
(3) For date data, verify that it is a valid date.
So ASP anti-injection comes down to this: before concatenating SQL, run the data obtained from the sources in section 1 through the processing in section 2, and only then return a string that can safely be executed as part of the SQL statement.
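As an added example (my own code, not EasyASP's implementation; the function names, the `users` table and the column names are assumptions), here are the three rules above written as plain VBScript functions, used to build one query the way section 2 prescribes, with constructed attacker input of the kind that arrives through Request run through them:

```vbscript
' Added example, not EasyASP's own code: the three rules from section 2
' as plain VBScript functions, plus a self-check that can be run with
' cscript (in an ASP page replace WScript.Echo with Response.Write).
Option Explicit

' Rule (1): string data. Doubling every single quote means the value can
' never close the SQL string literal it is concatenated into.
' Null or Empty input becomes "" (Null & "" yields "").
Function SafeStr(value)
    SafeStr = Replace(value & "", "'", "''")
End Function

' Rule (2): numeric data. IsNumeric alone also accepts "1e3", "&H1F" and
' "1,000", so require an optional minus followed by digits only.
' The length cap keeps CLng from raising an overflow error.
' Returns Empty when the value is not a plain integer.
Function SafeInt(value)
    Dim s, re
    s = Trim(value & "")
    Set re = New RegExp
    re.Pattern = "^-?\d{1,9}$"
    If re.Test(s) Then
        SafeInt = CLng(s)
    Else
        SafeInt = Empty
    End If
End Function

' Rule (3): date data. Require yyyy-mm-dd and let IsDate reject
' impossible dates such as 2012-02-30. Returns Empty on failure.
Function SafeDate(value)
    Dim s, re
    s = Trim(value & "")
    Set re = New RegExp
    re.Pattern = "^\d{4}-\d{2}-\d{2}$"
    If re.Test(s) Then
        If IsDate(s) Then SafeDate = s Else SafeDate = Empty
    Else
        SafeDate = Empty
    End If
End Function

' Concatenate a query the way section 2 prescribes: strings are escaped
' and quoted, numbers and dates are validated first and inserted as-is.
' Returns "" when a numeric or date field fails validation, so the
' caller can stop instead of running a query built from bad input.
Function BuildQuery(userName, userId, since)
    Dim id, d
    id = SafeInt(userId)
    d = SafeDate(since)
    If IsEmpty(id) Or IsEmpty(d) Then
        BuildQuery = ""
        Exit Function
    End If
    BuildQuery = "SELECT * FROM users WHERE name = '" & SafeStr(userName) & _
                 "' AND id = " & id & " AND created >= '" & d & "'"
End Function

' Self-check with constructed attacker input (the sort of thing that
' arrives via Request.QueryString, Request.Form or Request.Cookies).
' A quote-breaking name stays inside the string literal after escaping.
WScript.Echo BuildQuery("admin' OR '1'='1", "42", "2012-01-01")
' userId is not a plain integer, so BuildQuery refuses to build the query.
WScript.Echo BuildQuery("bob", "1 OR 1=1", "2012-01-01") = ""
' A date carrying a quote and a comment marker fails the date check.
WScript.Echo BuildQuery("bob", "1", "2012-01-01' OR 1=1 --") = ""
' A well-formed but impossible date is rejected by IsDate.
WScript.Echo BuildQuery("bob", "1", "2012-02-30") = ""
```

Two caveats a practitioner will want. Doubling single quotes is the correct escape for SQL Server and Access string literals, the usual classic-ASP backends; MySQL additionally treats a backslash as an escape character, so on MySQL the backslash must be escaped as well. And the validation for numbers and dates matters because those values are concatenated without quotes (or with quotes the attacker could try to close), so a quote-doubling rule alone does nothing for them. Where the driver allows it, parameterized queries through an ADODB.Command with Parameters avoid building the statement from strings altogether, which is the stronger option.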