Method One
To read the parameter str as a number:
Value = SafeRequest("str", 1, 0)
This fetches the value of the str parameter and checks whether it is numeric: if it is empty or not numeric, Value is 0; otherwise Value is the value of Request("str").
Function SafeRequest(paraName, paraType, lenLimit)
    ' paraName: name of the request parameter
    ' paraType: 1 = numeric, 0 = string
    ' lenLimit: for paraType 1, the value returned when the parameter is empty or not numeric;
    '           for paraType 0, the maximum number of characters kept (-1 = no limit)
    Dim paraValue
    paraValue = Trim(Request(paraName))
    If paraType = 1 Then
        ' Empty or non-numeric input falls back to the default passed in lenLimit
        If IsNull(paraValue) Or (Not IsNumeric(paraValue)) Then
            paraValue = lenLimit
        End If
    Else
        If IsNull(paraValue) Then
            paraValue = ""
        Else
            Dim strBadChar, arrBadChar, tempChar, i
            ' Characters stripped from string input. The Chr() call on the page lost its
            ' argument; Chr(34), the double quote, is assumed here
            strBadChar = "+,',--,^," & Chr(34) & "," & Chr(0)
            arrBadChar = Split(strBadChar, ",")
            tempChar = paraValue
            For i = 0 To UBound(arrBadChar)
                tempChar = Replace(tempChar, arrBadChar(i), "")
            Next
            tempChar = Replace(tempChar, "@@", "@")
            ' Truncate to lenLimit characters unless lenLimit is -1
            If lenLimit <> -1 Then
                tempChar = Left(tempChar, lenLimit)
            End If
            paraValue = tempChar
        End If
    End If
    SafeRequest = paraValue
End Function
How to use:
To read the parameter str as a string:
Value = SafeRequest("str", 0, 50)
This fetches the value of the str parameter, keeps only the first 50 characters (anything beyond that is discarded), and strips the special characters listed above.
Method Two
Function SafeRequest(paraName, paraType)
    '--- incoming parameters ---
    ' paraName: parameter name (string)
    ' paraType: parameter type (numeric): 1 means the parameter is a number, 0 means it is a string
    Dim paraValue
    paraValue = Request(paraName)
    If paraType = 1 Then
        ' Reject anything that is not numeric and stop processing the page
        If Not IsNumeric(paraValue) Then
            Response.Write "Parameter " & paraName & " must be a numeric type!"
            Response.End
        End If
    Else
        ' Double every single quote so the value can sit inside a quoted SQL literal
        paraValue = Replace(paraValue, "'", "''")
    End If
    SafeRequest = paraValue
End Function
Method Three
A general-purpose SQL anti-injection routine: HTTP requests are essentially either GET or POST, so if we filter all illegal characters out of the parameters of every GET and POST request handled by the file, we can use filtering of the HTTP request itself to decide whether a SQL injection attack is being attempted.
The GET request that IIS hands to asp.dll is a string; when it is passed to Request.QueryString, the ASP parser parses it and splits it on "&" into an array of parameters. Intercepting GET requests therefore works as follows:
First we define the characters and keywords that a request must not contain, separated by "|":
'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare
Then we check every value in Request.QueryString against that list; the code is as follows:
Dim sql_injData, sql_inj, sql_get, sql_data
sql_injData = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
sql_inj = Split(sql_injData, "|")
If Request.QueryString <> "" Then
    For Each sql_get In Request.QueryString
        For sql_data = 0 To UBound(sql_inj)
            ' vbTextCompare makes the match case-insensitive; InStr's default binary compare is not
            If InStr(1, Request.QueryString(sql_get), sql_inj(sql_data), vbTextCompare) > 0 Then
                Response.Write " "   ' the warning text written here is not on the page
                Response.End
            End If
        Next
    Next
End If
This intercepts injection attempts in GET requests, but POST requests must be filtered as well, so we also have to handle Request.Form, which is likewise a collection that we loop over in the same way. The code is as follows:
Dim sql_post
If Request.Form <> "" Then
    For Each sql_post In Request.Form
        For sql_data = 0 To UBound(sql_inj)
            If InStr(1, Request.Form(sql_post), sql_inj(sql_data), vbTextCompare) > 0 Then
                Response.Write " "   ' the warning text written here is not on the page
                Response.End
            End If
        Next
    Next
End If
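The Method Three filter, ported to Python as an added example (not code from the page) so it can be run offline over constructed query strings and form bodies. It tightens the page's InStr substring match in two ways: matching is case-insensitive, and keyword tokens are matched as whole words so that a value such as "account" no longer trips the "count" rule; the names check_request and scan_params are assumed here.

```python
import re
from urllib.parse import parse_qsl

# Token list from the page's Method Three, split on "|" exactly as the VBScript does.
SQL_INJ_DATA = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_INJ = SQL_INJ_DATA.split("|")


def _token_pattern(token):
    # Keywords are matched as whole words so "count" does not flag "account"
    # and "update" does not flag "last_updated"; symbols (' * %) match literally anywhere.
    if token.isalpha():
        return r"\b" + re.escape(token) + r"\b"
    return re.escape(token)


# Case-insensitive, unlike the default binary comparison of VBScript's InStr.
PATTERNS = [(tok, re.compile(_token_pattern(tok), re.IGNORECASE)) for tok in SQL_INJ]


def scan_params(params):
    """Return [(param_name, token), ...] for every parameter value that matches a token."""
    hits = []
    for name, value in params:
        for tok, rx in PATTERNS:
            if rx.search(value):
                hits.append((name, tok))
    return hits


def check_request(query_string, form_body):
    """Scan the GET query string and then the POST body, as the page's two loops do.

    An empty list means the request passes the filter. This is only a detection
    layer; parameterized queries remain the real fix for SQL injection.
    """
    get_params = parse_qsl(query_string, keep_blank_values=True)
    post_params = parse_qsl(form_body, keep_blank_values=True)
    return scan_params(get_params) + scan_params(post_params)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [("id=7&name=account", ""), ("note=it%27s+fine", ""), ("", "action=Delete")]
    for qs, body in samples:
        print(repr((qs, body)), "->", check_request(qs, body) or "clean")
```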