Prevention of SQL injection attacks in Dreamweaver

Dreamweaver + ASP Visual Programming threshold is very low, it is easy for beginners to get on the road. In a short period of time, new users often have been able to compile dynamic websites that seem to be perfect. In terms of functions, the experts can do the same, and the new users can do the same. Is there no difference between a novice and a veteran? The difference is big, but it is difficult for outsiders to see it at a glance. The friendliness, running performance, and website security of the interface are the three differences between the novice and the veteran.

In terms of security, the most common concern for new users is the SQL injection vulnerability. Using nbsi 2.0 to scan some asp websites on the Internet, you can find SQL Injection Vulnerabilities in many ASP websites.

The so-called SQL injection is to use programmers to check the legitimacy of user input data, such as lax detection or non-detection of design vulnerabilities, deliberately submit special code (SQL commands) from the client ), attackers can collect information about programs and servers and obtain desired information.

It can be seen that the main reason for successful SQL injection attacks is that the user's input data is not verified. You can dynamically generate SQL commands from the client.
Generally, HTTP requests are similar to get and post requests. Therefore, as long as we filter out invalid characters in the parameter information of all post or get requests in the program, we can prevent SQL injection attacks.

Unfortunately, DW does not provide the relevant code. Therefore, to prevent SQL injection attacks, you need to manually modify them,
You only need to save the following program as sqlinjection. asp, and then call it in the header of the page for anti-injection.
<! -- # Include file = "sqlinjection. asp" -->
To prevent page injection.

To enable full-site anti-injection, add a header call in the database connection file under the connections directory generated by DW or directly Add the following program code. Note that, when added to the database connection file, articles and other content may be added to the background form. In case of an SQL statement, the system will mistakenly mistake the SQL attack and prompt an error.

The general program code (derived from the network to make appropriate changes) is as follows:

<%
'-------- Definition section ------------------
Dim SQL _injdata
SQL _injdata = "'| and | exec | insert | select | Delete
| Update | count | * | % | CHR | mid | master | truncate | char
| Declare | 1 = 1 | 1 = 2 | ;"
SQL _inj = Split (SQL _injdata, "|"

'-------- Post part ------------------
If request. querystring <> "then
For each SQL _get in request. querystring
For SQL _data = 0 to ubound (SQL _inj)
If instr (request. querystring (SQL _get ),
SQL _inj (SQL _data)> 0 then
Response. Write "<script language = JavaScript>
Alert ('System prompts you! /N please do not include illegal characters in the parameter try to inject! /N/N'); window. Location = "&" '"&" index.htm "&"' "&"; </SCRIPT>"
Response. End
End if
Next
Next
End if

'-------- Get part -------------------
If request. Form <> "" then
For each SQL _post in request. Form
For SQL _data = 0 to ubound (SQL _inj)
If instr (request. Form (SQL _post), SQL _inj (SQL _data)> 0 then
Response. Write "<script language = JavaScript>
Alert ('System prompts you! /N please do not include illegal characters in the parameter try to inject! /N/N'); window. Location = "&" '"&" index.htm "&"' "&"; </SCRIPT>"
Response. End
End if
Next
Next
End if
%>

After passing through the program, you can effectively offset the dangerous sqlinjection submitted by getaskor postanalytics, and report to index.htm (homepage) after warning ).