Easyasp v2.2 Introduction to new Features (1): How to implement SQL injection easp

Source: Internet
Author: User

EasyASP has finally reached v2.2. The handbook is still being completed, and many people in the group keep asking how to use it, so while writing the manual I intend to also write a few articles introducing the new features, to help people using easp get up to speed quickly. To be honest, seeing so many people still writing ASP and still supporting easp is rare, which is why development of easp has not been dropped; I hope easp can still be of some help to the last ASP developers.

EasyASP v2.2 is a large change: it drops many of the original methods I considered awkward to use and, more importantly, adds a lot of new functions I think will prove very handy. This is the first article in the series, and it covers how EasyASP guards against SQL injection.

When it comes to preventing SQL injection everyone has their own views; this article is not meant to be an in-depth discussion. I will only describe, from this perspective, how EasyASP v2.2 prevents SQL injection.

1. Find the injection point

First, let's look at where an ASP page can offer an injection opportunity (VBScript is assumed below). ASP receives user-supplied data through three collections:

Request.QueryString
Request.Form
Request.Cookies

If your program concatenates data obtained through Request directly into SQL statements without processing it, SQL injection is basically unavoidable. So every value that takes part in SQL concatenation must be processed beforehand. But how should it be processed?

2. Processing injected characters

Based on the conclusions reached in the previous article, it is easy to see how to handle data that might carry an injection:

(1) For string-type data, handle the single quotes: replace every single quote with two single quotes;

(2) For numeric data, verify that it really is a number;

(3) For date-type data, verify that it really is a date.

Therefore, anti-injection in ASP means that, before concatenating the SQL, the data obtained from the three sources in section 1 is run through the checks in section 2, and what comes back is a string that can safely be executed as part of the SQL statement.
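The three rules as a set of helper functions, written here as an added illustration (this is not EasyASP's own code, and the function names SafeStr, SafeNum and SafeDate are made up for this example). It assumes SQL Server style quoted date literals; Access would need `#...#` instead.

```vbscript
<%
Option Explicit

' Rule (1): a string value is only safe once every single quote is doubled.
' "value & """ coerces Null/Empty to a string so Replace never fails.
Function SafeStr(value)
    SafeStr = "'" & Replace(value & "", "'", "''") & "'"
End Function

' Rule (2): a numeric value must really be a number. IsNumeric alone is too
' loose (it accepts forms such as "&H10" or "1e3"), so match an optional
' sign followed by digits and then convert.
Function SafeNum(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^-?\d+$"
    If re.Test(value & "") Then
        SafeNum = CLng(value)
    Else
        Err.Raise 5, "SafeNum", "not a valid integer: " & value
    End If
End Function

' Rule (3): a date value must parse as a date; it is re-emitted in a fixed
' yyyy-mm-dd form so the literal does not depend on the server locale.
Function SafeDate(value)
    Dim d
    If IsDate(value) Then
        d = CDate(value)
        SafeDate = "'" & Year(d) & "-" & Right("0" & Month(d), 2) & "-" & _
                   Right("0" & Day(d), 2) & "'"
    Else
        Err.Raise 5, "SafeDate", "not a valid date: " & value
    End If
End Function

' Usage: every Request value passes through a helper before concatenation.
Dim sql
sql = "SELECT * FROM news WHERE id = " & SafeNum(Request.QueryString("id")) & _
      " AND title = " & SafeStr(Request.Form("title")) & _
      " AND created >= " & SafeDate(Request.QueryString("since"))
%>
```

A rejected value raises a runtime error rather than falling back to a default, so a bad input stops the page instead of silently reaching the database.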
