Special character processing for data verification

Source: Internet
Author: User
Tags: sql injection, trim
Pay close attention to special characters that users may enter, such as quotation marks and angle brackets; they can cause serious security problems. One of the most basic SQL injection techniques exploits code that does not escape single quotes.
User input serves only two purposes: it is either used in a database operation or displayed on the page. The handling of special characters in each of these two cases is described below.
1. Database operations
When user input is used in a database operation, there are two cases: writes to the database and query conditions.
1.1 Write database operations
(Insert and update are both write operations. Insert is used as the example here; update is handled in the same way.)
Writes are generally done with an insert statement or with the AddNew method. Let's look at the insert statement first:
Dim username, sqlstr
username = Trim(Request.Form("uname"))
sqlstr = "insert into [userinfo] (username) values ('" & username & "')"
Take SQL Server as an example. If the username contains a single quote ('), this statement fails with a syntax error when it is written to the database; worse, a crafted value can close the quoted literal early and append SQL of the attacker's choosing, which is exactly the injection described above. Use the following custom function to escape single quotes:
Rem Escape characters that are invalid inside a SQL string literal
Function SQLEncode(fString)
    If IsNull(fString) Then
        SQLEncode = ""
        Exit Function
    End If
    SQLEncode = Replace(fString, "'", "''")
End Function
The function above turns each single quote into two consecutive single quotes, which the database accepts as an escaped quote and stores as a single quote. Note that this only protects a value that is placed inside a single-quoted string literal; a value concatenated into a numeric position (for example "where id = " & id) is not protected by it, and where the data access layer supports parameterized queries they are preferable to escaping by hand. Change the SQL statement to:
sqlstr = "insert into [userinfo] (username) values ('" & SQLEncode(username) & "')"
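The following is an added example, not code from the original page, that reproduces the two situations discussed above (the raw concatenation that breaks on a single quote, and the SQLEncode fix that doubles it) in Python against an in-memory SQLite database instead of ASP and SQL Server. The table, the sample names and the crafted value are constructed for the example. It also goes slightly beyond the page in two ways: it shows the injected second statement actually running (executescript is used because SQL Server runs batched statements by default, while sqlite3's execute refuses more than one statement), and it shows the limit of quote doubling when the value sits in an unquoted numeric position, next to a parameterized insert that needs no escaping at all.

```python
import sqlite3

# Constructed sample inputs (not from the original page): a legitimate name
# containing an apostrophe, and a value crafted to close the quoted literal
# and append a second statement.
BENIGN_NAME = "O'Brien"
PAYLOAD = "x'); DELETE FROM userinfo WHERE ('1'='1"


def sql_encode(value):
    """Python port of the page's SQLEncode: Null -> '' and ' -> ''.

    Only meaningful for a value that lands inside a single-quoted string
    literal; it does nothing for a value in an unquoted numeric position.
    """
    if value is None:
        return ""
    return value.replace("'", "''")


def new_db():
    """Fresh in-memory table with one existing user (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO userinfo (username) VALUES ('alice')")
    conn.commit()
    return conn


def insert_concat(conn, username):
    """The vulnerable pattern from the page: raw concatenation, no escaping.

    executescript() is used so that an injected second statement really runs,
    as it would on SQL Server where batched statements are the default
    (sqlite3's execute() would refuse a string containing two statements).
    """
    sqlstr = "INSERT INTO userinfo (username) VALUES ('" + username + "')"
    conn.executescript(sqlstr)


def insert_escaped(conn, username):
    """The page's fix: escape with sql_encode() before concatenating."""
    sqlstr = "INSERT INTO userinfo (username) VALUES ('" + sql_encode(username) + "')"
    conn.executescript(sqlstr)


def insert_param(conn, username):
    """Parameterized query: the value never becomes part of the SQL text."""
    conn.execute("INSERT INTO userinfo (username) VALUES (?)", (username,))
    conn.commit()


def find_by_id_escaped(conn, id_text):
    """Limit of quote escaping: the value sits outside any quotes, so doubling
    quotes changes nothing and '1 OR 1=1' still widens the WHERE clause."""
    sqlstr = ("SELECT username FROM userinfo WHERE id = "
              + sql_encode(id_text) + " ORDER BY username")
    return [row[0] for row in conn.execute(sqlstr)]


def usernames(conn):
    return [row[0] for row in conn.execute(
        "SELECT username FROM userinfo ORDER BY username")]


def run_demo():
    """Run the three insert styles and return what each did."""
    results = {}

    # 1. Concatenation: a real apostrophe is a syntax error ...
    conn = new_db()
    try:
        insert_concat(conn, BENIGN_NAME)
        results["concat_benign"] = "inserted"
    except sqlite3.OperationalError:
        results["concat_benign"] = "syntax error"
    # ... and a crafted value runs the attacker's DELETE, emptying the table.
    insert_concat(conn, PAYLOAD)
    results["concat_payload_rows"] = usernames(conn)

    # 2. Escaping: both values are stored verbatim as data ...
    conn = new_db()
    insert_escaped(conn, BENIGN_NAME)
    insert_escaped(conn, PAYLOAD)
    results["escaped_rows"] = usernames(conn)
    # ... but the same helper cannot protect an unquoted numeric position.
    results["escaped_id_legit"] = find_by_id_escaped(conn, "1")
    results["escaped_id_attack"] = find_by_id_escaped(conn, "1 OR 1=1")

    # 3. Parameters: same stored data as case 2, with no escaping to get wrong.
    conn = new_db()
    insert_param(conn, BENIGN_NAME)
    insert_param(conn, PAYLOAD)
    results["param_rows"] = usernames(conn)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Running the script shows the concatenated insert failing on O'Brien and then losing every row to the crafted value, while both the escaped and the parameterized inserts store the crafted value as harmless text; the id lookup shows that the escaping helper alone does not close the numeric case.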
Now let's look at the AddNew method:
Dim username
username = Trim(Request.Form("uname"))
