In general, through the above two functions of the above, you can eliminate the SQL injection attacks on the internet! If you feel the need, you can add a replacement for Chr (0), and replace the Tosql function with the following:
Function Tosql (str)
If IsNull (str) Then str = ""
str = replace (str, CHR (0), "")
Tosql = replace (str, "" "," "")
End Function
Another note:
***********************************************************************
To detect externally committed functions
Function Checkurlrefer ()
Dim Strlocalurl, Inturllen, Strurlrefer
Strlocalurl = "http://127.0.0.1"
Inturllen = Len (Strlocalurl)
Strurlrefer = LCase (Request. ServerVariables ("Http_referer") & "")
"Detect if the previous page is from Strlocalurl
If left (strurlrefer, inturllen) = Strlocalurl Then
Checkurlrefer = True
Else
Checkurlrefer = False
End If
End Function
***********************************************************************
This function can help you withstand external SQL injection testing, only to be called on the head of the page.
With simple two small functions, make your ASP program more secure!
Welcome to correct (please write out the way to bypass these two functions)!
Related discussion page:
http://community.csdn.net/Expert/TopicView.asp?id=3585010
http://community.csdn.net/Expert/TopicView.asp?id=3582230
Of course, this method is too "absolutely", but I also have no way ah. This method is seen on the internet, running on a website, and now everything is fine. I can only do this for security. I think as long as the sensitive words about SQL filter out should have nothing, of course, like the landlord to do that step is basically OK, you can repair the use. Remember that I originally used the "SQL into the Bible," the precautionary approach provided above, and later to switch to this.
I used to post the Code also for reference, we are interested can go to Baidu or Google search in the "SQL into the Bible" understand
Use this function to validate the data submitted by the client ...
<%
Function Saferequest (Paraname,paratype)
'---incoming parameters---
' Paraname: Parameter name-character type
' Paratype: Parameter Type-numeric (1 indicates that the above parameter is a number, and 0 indicates that the above parameter is a character)
Dim Paravalue
Paravalue=request (Paraname)
If Paratype=1 Then
If not IsNumeric (paravalue) Then
Response.Write "Parameter" & Paraname & must be a numeric type! "
Response.End
End If
Else
Paravalue=replace (Paravalue, "" "," "")
End If
Saferequest=paravalue
End Function%>
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.