Malicious injection of code into databases is a critical issue. The main methods include: using program vulnerabilities, you can use a program to test them, it is mainly reflected that illegal characters are not filtered in some forms submitted by the front-end! So how can we prevent injection? (Here only for asp + MSSQL)
First, add a filter function to the program to prevent injection:
Detect non-characters
SQL _injdata = "| exec | insert | delete | set | char | mid (| asc (| cast | declare | exec | varchar | <script | iframe | 3bomb | c. js"
SQL _inj = split (SQL _Injdata, "| ")
Detect GET
If Request. QueryString <> "Then
For Each SQL _Get In Request. QueryString
For SQL _Data = 0 To Ubound (SQL _inj)
If instr (lcase (Request. QueryString (SQL _Get), SQL _Inj (SQL _DATA)> 0 Then
Response. write "the input is invalid. The database rejects some special characters! "
Response. end
End if
Next
Next
End If
Detect POST
If Request. Form <> "" Then
For Each SQL _Post In Request. Form
For SQL _Data = 0 To Ubound (SQL _inj)
If instr (lcase (Request. Form (SQL _Post), SQL _Inj (SQL _DATA)> 0 Then
Response. write "the input is invalid. The database rejects some special characters! "
Response. end
End if
Next
Next
End if
Cookie Detection
If Request. Cookies <> "" Then
For Each SQL _Cookie In Request. Cookies
For SQL _Data = 0 To Ubound (SQL _inj)
If instr (lcase (Request. Cookies (SQL _Cookie), SQL _Inj (SQL _DATA)> 0 Then
Response. write "the input is invalid. The www.2cto.com database rejects some special characters! "
Response. end
End if
Next
Next
End if
In this way, the vulnerability in data submission is basically blocked !! Judging from three aspects, illegal characters that directly request data and form submission or cookies submit data will be filtered out!
Dim server_v1, server_v2
Server_v1 = Cstr (Request. ServerVariables ("HTTP_REFERER "))
If server_v1 <> "then
If instr (server_v1, "3 bomb")> 0 then
Response. write "<br> <center> <table border = 1 cellpadding = 20 bordercolor = black bgcolor = # EEEEEE width = 450>"
Response. write "<tr> <td style = font: 9pt Verdana>"
Response. write "the submitted path is incorrect. Do not submit data from outside the site. Please do not confuse this parameter! "
Response. write "</td> </tr> </table> </center>"
Response. end
End if
Else
Server_v1 = Cstr (Request. ServerVariables ("SERVER_NAME "))
End if
Server_v2 = Cstr (Request. ServerVariables ("SERVER_NAME "))
If instr (server_v1, "3 bomb")> 0 instr (server_v2, "3 bomb")> 0 then
Response. write "<br> <center> <table border = 1 cellpadding = 20 bordercolor = black bgcolor = # EEEEEE width = 450>"
Response. write "<tr> <td style = font: 9pt Verdana>"
Response. write "the submitted path is incorrect. Do not submit data from outside the site. Please do not confuse this parameter! "
Response. write "</td> </tr> </table> </center>"
Response. end
End if
The program first obtains the source of access to your website. If it comes from an illegal Domain Name 3 bomb that you know, it will not be allowed to access it.
This completes the shielding of a specified domain name. This domain name is very likely to be a mom program!
Prohibit some ip addresses from accessing ---------------------
If instr (Request. ServerVariables ("REMOTE_ADDR"), "209.172.33")> 0 then
Response. Write "Access Denied"
Response. End ()
End if
If the access source is an ip address segment, it is blocked.
These three tricks ensure that your database will not be disturbed by injection in the future, and your personal experience will be appreciated.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
