General anti-SQL-injection filter, ASP edition
Code
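' Request-input blacklist filter for classic ASP (VBScript).
'
' Scans the query string, the form body and the raw request URL for
' substrings that commonly appear in SQL injection attempts and aborts the
' response when one is found. The three independent checks of the original
' are kept:
'   1. a per-parameter token scan on the decoded query-string / form values,
'   2. a keyword scan on the raw (still URL-encoded) QUERY_STRING variable,
'   3. a token scan on host + path + "?" + raw query string.
'
' What a maintainer must know before relying on this:
'   * A substring blacklist both over- and under-matches. "count" matches
'     "account" and "discount", "mid" matches "middle", "and" matches
'     "brand", "%" and "*" reject any value that legitimately contains them;
'     conversely no fixed list can enumerate every spelling of a SQL
'     statement. Treat this as a coarse tripwire / logging hook, not as the
'     injection defence.
'   * The real defence is to never concatenate request values into SQL text:
'     use ADODB.Command with Parameters (CreateParameter / Parameters.Append)
'     for every query that takes request data.
'   * Nothing from the request is written back to the browser here. The
'     original carried commented-out lines echoing Request.QueryString /
'     Request.Form; reflecting raw input would turn a blocked request into a
'     reflected XSS. If a diagnostic echo is ever needed, pass it through
'     Server.HTMLEncode first.
'
' Fixes relative to the original: unterminated string and missing ")" in the
' If lines; the alert script literal was syntactically broken; Instr() used
' binary (case-sensitive) compare, so mixed-case keywords were not matched;
' "inster" was a typo for "insert"; duplicated ":" ";" "," entries removed.

Dim SQL_injdata, SQL_inj
' Tokens checked against each decoded query-string and form value.
' Matched case-insensitively as plain substrings - no word boundaries.
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = Split(SQL_injdata, "|")

' Returns True when any entry of tokens occurs in value, case-insensitively.
' A Null or empty value never matches; empty tokens are skipped.
Function ContainsBlockedToken(value, tokens)
    Dim i, text
    ContainsBlockedToken = False
    If IsNull(value) Then Exit Function
    text = CStr(value)
    If Len(text) = 0 Then Exit Function
    For i = 0 To UBound(tokens)
        If Len(tokens(i)) > 0 Then
            ' vbTextCompare: the original Instr() defaulted to binary compare,
            ' so "SELECT" or "Select" slipped past a lowercase token list.
            If InStr(1, text, tokens(i), vbTextCompare) > 0 Then
                ContainsBlockedToken = True
                Exit Function
            End If
        End If
    Next
End Function

' Ends the response with a client-side alert and a history.back().
' message is a fixed, quote-free literal chosen by the callers below; it is
' placed inside a JavaScript string literal, so never pass request data here.
Sub RejectRequest(message)
    Response.Write "<script type=""text/javascript"">alert('" & message & "');history.back();</script>"
    Response.End
End Sub

' Check 1: every decoded query-string and form value against SQL_inj.
' Request.QueryString(name) / Request.Form(name) join repeated values with
' ", ", which is fine for a substring scan.
Dim SQL_Get, SQL_Post
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        If ContainsBlockedToken(Request.QueryString(SQL_Get), SQL_inj) Then
            RejectRequest "invalid operation! Return now!"
        End If
    Next
End If
If Request.Form <> "" Then
    For Each SQL_Post In Request.Form
        If ContainsBlockedToken(Request.Form(SQL_Post), SQL_inj) Then
            RejectRequest "invalid operation! Return now!"
        End If
    Next
End If

' Check 2: keyword scan on the raw QUERY_STRING server variable. Unlike
' Request.QueryString(name) this is the undecoded string, so the match runs
' on exactly what the client sent.
Dim rawQuery
rawQuery = LCase(Request.ServerVariables("QUERY_STRING"))
If ContainsBlockedToken(rawQuery, Array("select", "insert", "delete", "(", "'or")) Then
    Response.Write "<BR><center>your website is invalid"
    Response.End
End If

' Check 3: host + path + "?" + raw query string, lower-cased, against
' URL-encoded forms of the same keywords ("%20" is an encoded space, so
' "select%20" means "select " in the URL).
' Note that "%20", "'", "%27", ":", ";" and "," are listed on their own, so
' any request whose URL contains an encoded space, a quote, a colon, a
' semicolon or a comma is rejected regardless of the keyword entries before
' them. Those entries are kept from the original list; trim them if they
' reject legitimate traffic.
Dim StrTemp, urlTokens
StrTemp = Request.ServerVariables("SERVER_NAME") & Request.ServerVariables("URL") & "?" & Request.QueryString
StrTemp = LCase(StrTemp)
urlTokens = Array( _
    "select%20", "insert%20", "delete%20from", "count(", "drop%20table", _
    "update%20", "truncate%20", "asc(", "mid(", "char(", "xp_cmdshell", _
    "exec%20master", "net%20localgroup%20administrators", "net%20user", _
    "%20or%20", "'", "%20", ":", ";", ",", "%27")
If ContainsBlockedToken(StrTemp, urlTokens) Then
    RejectRequest "invalid operation! Return now!"
End If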