SQL injection attacks exploit a weakness in the way an application builds its SQL statements: when SQL commands are generated dynamically from user input that has not been verified, an attacker can get SQL of their own choosing executed on the database server. Concatenating unverified user data into dynamic SQL is the main cause of successful SQL injection attacks.
For example, if your query statement is

    "Select * From Admin Where Username = '" & User & "' And Password = '" & PWD & "'"

and I enter the user name

    1' or '1' = '1

then your query statement becomes

    Select * From Admin Where Username = '1' Or '1' = '1' And Password = '" & PWD & "'"

The WHERE clause is now true no matter what user names the table actually holds, so the query "passes" and the management interface can be reached. (Because AND binds more tightly than OR, the password clause still has to hold with this exact input, which is why the attacker enters the same value in the password field as well.)
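The login query above carried through against a real database, as an added example that is not part of the original article. It uses Python's built-in sqlite3 with a constructed Admin table (the table contents are assumptions), builds the statement by string concatenation exactly as the ASP line does, and places the same query with bound parameters next to it. It also shows the precedence point: the payload in the user name alone does not log in, the payload in both fields does.

```python
import sqlite3

# Constructed sample data: a minimal Admin table like the one in the article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Admin (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Admin VALUES ('admin', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, user, pwd):
    """Statement built by concatenation, as in
    Select * From Admin Where Username = '" & User & "' And Password = '" & PWD & "'"
    The user's text becomes part of the SQL grammar. Returns the matching rows."""
    sql = ("SELECT * FROM Admin WHERE Username = '" + user +
           "' AND Password = '" + pwd + "'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, user, pwd):
    """Same query with bound parameters: the driver sends the values separately
    from the statement text, so they are never parsed as SQL."""
    sql = "SELECT * FROM Admin WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (user, pwd)).fetchall()

PAYLOAD = "1' or '1' = '1"   # the user name from the article

def demo():
    conn = make_db()
    return {
        # payload in both fields: WHERE ... OR '1'='1' is true for every row
        "vulnerable_both_fields": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        # payload in the user name only: AND binds tighter than OR, so the
        # wrong password still has to match and nothing is returned
        "vulnerable_user_only": login_vulnerable(conn, PAYLOAD, "wrong"),
        # bound parameters: the payload is just a user name that does not exist
        "parameterized": login_parameterized(conn, PAYLOAD, PAYLOAD),
        # and the real credentials still work
        "parameterized_legit": login_parameterized(conn, "admin", "s3cret"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The parameterized version needs no blacklist at all: the quote characters in the payload are data, not syntax.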
Therefore, you need to check user input as a defense. Special characters such as single quotes, double quotes, semicolons, commas, colons and hyphens are escaped or filtered out, and the following characters and strings are filtered as well:

    net user
    xp_cmdshell
    /add
    exec master.dbo.xp_cmdshell
    net localgroup administrators
    select
    count
    asc
    char
    mid
    :
    "
    insert
    delete from
    drop table
    update
    truncate
    from
    %

A list like this is a blacklist: it stops the well-known payloads (the first five entries are the SQL Server xp_cmdshell commands used to add a Windows administrator) but not every statement an attacker can write, and it also rejects legitimate input such as a surname containing an apostrophe. Treat it as a supplementary check; the reliable defense is to pass user values as parameters of a prepared statement instead of splicing them into the SQL text.
The following code for preventing SQL injection attacks is given for your reference. First, a check in JavaScript. Note that a check which runs in the browser can be skipped simply by sending the request directly, so the same check must also be made on the server.
    <script language="javascript">
    <!--
    // Client-side check of the query string against the filter list above.
    // Anything that runs in the browser can be bypassed, so repeat this on the server.
    var url = location.search;
    var re = /^\?(.*)(select%20|insert%20|delete%20from%20|count\(|drop%20table|update%20|truncate%20|asc\(|mid\(|char\(|xp_cmdshell|exec%20master|net%20localgroup%20administrators|\"|:|net%20user|\'|%20or%20)(.*)$/i;
    var e = re.test(url);
    if (e) {
        alert("The address contains invalid characters~");
        location.href = "error.asp";
    }
    //-->
    </script>
Checking strings in C# to prevent SQL injection attacks
This example tentatively forbids "=" and the single quote "'".

    using System;
    using System.Collections;
    using System.Text.RegularExpressions;

    public static class SqlInputCheck
    {
        // Returns false if any string argument, or any string inside a collection
        // argument, contains a forbidden character; true otherwise.
        public static bool CheckParams(params object[] args)
        {
            string[] lawlesses = { "=", "'" };
            if (lawlesses == null || lawlesses.Length <= 0) return true;

            // Build a regular expression from the array. For "=" and "'" it becomes
            // .*[=|'].*  (see MSDN for the regular expression syntax). Inside [...]
            // the "|" is a literal character, so "|" is rejected as well. The loop is
            // only there to make the list easy to modify; in real use you can write
            // the pattern directly (and should Regex.Escape characters such as "]" or "\").
            string str_regex = ".*[";
            for (int i = 0; i < lawlesses.Length - 1; i++)
                str_regex += lawlesses[i] + "|";
            str_regex += lawlesses[lawlesses.Length - 1] + "].*";

            foreach (object arg in args)
            {
                if (arg is string) // a string is checked directly
                {
                    if (Regex.Matches(arg.ToString(), str_regex).Count > 0)
                        return false;
                }
                else if (arg is ICollection) // a collection: check its string elements
                {
                    foreach (object obj in (ICollection)arg)
                    {
                        if (obj is string)
                        {
                            if (Regex.Matches(obj.ToString(), str_regex).Count > 0)
                                return false;
                        }
                    }
                }
            }
            return true;
        }
    }
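To show what the blacklist above does and does not catch, here is the CheckParams logic ported to Python and run against a few inputs, as an added example that is not part of the original article. The regular expression is built from the forbidden-character list the same way the C# loop does (with the characters escaped, which the C# version omits). The sample table, the numeric "Id" lookup and the payload are constructed for the example: a value with neither "=" nor a quote passes the check, yet in an unquoted numeric context it is a complete boolean injection, while the parameterized query treats it as an ordinary value.

```python
import re
import sqlite3
from collections.abc import Collection

def build_lawless_regex(lawless):
    """Port of the C# loop: .*[<chars>].* built from the list. Each character is
    escaped so that ']' or '\\' in the list cannot break the character class."""
    return re.compile(".*[" + "".join(re.escape(c) for c in lawless) + "].*")

def check_params(*args, lawless=("=", "'")):
    """Return False if any string argument, or any string element of a collection
    argument, contains a forbidden character; True otherwise (mirrors CheckParams)."""
    if not lawless:
        return True
    pattern = build_lawless_regex(lawless)
    for arg in args:
        if isinstance(arg, str):               # a string is checked directly
            if pattern.search(arg):
                return False
        elif isinstance(arg, Collection):      # a collection: check its string elements
            for obj in arg:
                if isinstance(obj, str) and pattern.search(obj):
                    return False
    return True

def lookup_by_id_vulnerable(conn, raw_id):
    # Numeric context, no quotes around the value: ... Where Id = " & Request("id")
    sql = "SELECT Username FROM Admin WHERE Id = " + raw_id + " ORDER BY Id"
    return conn.execute(sql).fetchall()

def lookup_by_id_parameterized(conn, raw_id):
    sql = "SELECT Username FROM Admin WHERE Id = ? ORDER BY Id"
    return conn.execute(sql, (raw_id,)).fetchall()

def demo():
    # Constructed sample data (assumed table, not from the article)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Admin (Id INTEGER, Username TEXT)")
    conn.executemany("INSERT INTO Admin VALUES (?, ?)", [(1, "admin"), (2, "operator")])
    # Uses LIKE instead of '=' precisely because '=' is on the blacklist
    payload = "1 or 1 like 1"
    return {
        # false positive: a legitimate name is rejected
        "rejects_apostrophe_name": check_params("O'Brien"),
        # the collection branch works as in the C# version
        "rejects_in_collection": check_params(["fine", "a=b"]),
        # false negative: the payload contains none of the forbidden characters
        "accepts_payload": check_params(payload),
        # concatenated into a numeric comparison it returns every row
        "vulnerable_rows": lookup_by_id_vulnerable(conn, payload),
        # bound as a parameter it is a text value that equals no Id
        "parameterized_rows": lookup_by_id_parameterized(conn, payload),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The character check is useful as defense in depth, but its outcome depends on where the value lands in the statement; the parameterized lookup gives the same safe result for any input.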
Reprinted from: http://blog.csdn.net/zuoyefeng_com/archive/2007/05/23/1623368.aspx