Asp SQL injection protection program

 
SQL injection has been played by so-called Cainiao-level hackers. It is found that most of today's hacker intrusions are based on SQL injection. SQL injection has been played by so-called Cainiao-level hackers and finds that most of today's hacker intrusions are implemented based on SQL injection. Well, who makes it easy to get started, now, if I write a general SQL anti-injection program, http requests are similar to get and post requests, therefore, we only need to filter out invalid characters in the parameter information of all post or get requests in the file. Therefore, we can filter the http request information to determine whether the request is being attacked by SQL injection.
IIS passed to asp. dll get requests are in the form of strings, when passed to the Request. after QueryString data, the asp parser analyzes the Request. queryString information, and then separate the data in each array according to "&", so the get interception is as follows:
First, we define that the request cannot contain the following characters:
| And | exec | insert | select | delete | update | count | * | % | chr | mid | master | truncate | char | declare
 
The characters are separated by "|", and then the Request. QueryString is determined. The specific code is as follows:
Dim SQL _injdata
SQL _injdata = "'| and | exec | insert | select | delete | update | count | * | % | chr | mid | master | truncate | char | declare"
SQL _inj = split (SQL _Injdata, "| ")
If Request. QueryString <> "Then
For Each SQL _Get In Request. QueryString
For SQL _Data = 0 To Ubound (SQL _inj)
If instr (Request. QueryString (SQL _Get), SQL _Inj (SQL _DATA)> 0 Then
Response. Write "<Script Language = ***> alert! '); History. back (-1) </Script>"
Response. end
End if
Next
Next
End If
In this way, we implement the get request injection interception, but we also need to filter the post request, so we have to continue to consider the request. form, which also exists in the form of an array. We only need to make another round-robin judgment. The code is as follows:
If Request. Form <> "" Then
For Each SQL _Post In Request. Form
For SQL _Data = 0 To Ubound (SQL _inj)
If instr (Request. Form (SQL _Post), SQL _Inj (SQL _DATA)> 0 Then
Response. Write "<Script Language = ***> alert! NnHTTP: // www.521movie.com '); history. back (-1) </Script>"
Response. end
End if
Next
Next
End if
Now, we have implemented information interception for get and post requests. You only need to reference this page before opening database files such as conn. asp. Rest assured that you will continue to develop your program, and you do not have to consider whether or not you will be vulnerable to SQL injection attacks. Isn't it?