Two small functions allow your ASP program to inject immunity into SQL! _ Trojan Related

Source: Internet
Author: User
Tags chr numeric servervariables sql injection
Rem # Long Integer Conversion
Function Tonum (s, default)
If IsNumeric (s) and S <> "" Then
Tonum = CLng (s)
Else
Tonum = Default
End If
End Function

REM # SQL Statement conversions
Function Tosql (str)
If IsNull (str) Then str = ""
Tosql = replace (str, "" "," "")
End Function

Example:
Dim SQL
Dim strwhere, StrName, IntAge
StrName = Tosql (Request ("user"))
IntAge = Tonum (Request ("age"), 20)
sql = "SELECT * FROM [USER]" & _
"WHERE [age] >" & strName & _
"and [USERNAME] = '" & IntAge & "" "

In general, through the above two functions of the above, you can eliminate the SQL injection attacks on the internet! If you feel the need, you can add a replacement for Chr (0), and replace the Tosql function with the following:
Function Tosql (str)
If IsNull (str) Then str = ""
str = replace (str, CHR (0), "")
Tosql = replace (str, "" "," "")
End Function

Another note:

***********************************************************************
To detect externally committed functions
Function Checkurlrefer ()
Dim Strlocalurl, Inturllen, Strurlrefer
Strlocalurl = "http://127.0.0.1"
Inturllen = Len (Strlocalurl)
Strurlrefer = LCase (Request. ServerVariables ("Http_referer") & "")
"Detect if the previous page is from Strlocalurl
If left (strurlrefer, inturllen) = Strlocalurl Then
Checkurlrefer = True
Else
Checkurlrefer = False
End If
End Function
***********************************************************************
This function can help you withstand external SQL injection testing, only to be called on the head of the page.

With simple two small functions, make your ASP program more secure!

Welcome to correct (please write out the way to bypass these two functions)!

Related discussion page:
http://community.csdn.net/Expert/TopicView.asp?id=3585010
http://community.csdn.net/Expert/TopicView.asp?id=3582230

http://community.csdn.net/Expert/topic/3589/3589480.xml?temp=.4866449
/////////////////////////////////////////////////////////////////////////////////////////////////////////////

Dim qs,errc,iii
Qs=request.servervariables ("Query_string")
Dim Nothis (18)
Nothis (0) = "NET user"
Nothis (1) = "xp_cmdshell"
Nothis (2) = "/add"
Nothis (3) = "Exec%20master.dbo.xp_cmdshell"
Nothis (4) = "Net localgroup Administrators"
Nothis (5) = "Select"
Nothis (6) = "Count"
Nothis (7) = "ASC"
Nothis (8) = "char"
Nothis (9) = "Mid"
Nothis (10) = "'"
Nothis (11) = ":"
Nothis (12) = "" "
Nothis (+) = "Insert"
nothis = "Delete"
Nothis = "Drop"
Nothis = "Truncate"
Nothis (a) = "from"
Nothis (18) = "%"
Errc=false
For iii= 0 To UBound (nothis)
If InStr (Qs,nothis (iii)) <>0 then
Errc=true
End If
Next
If ERRC Then
Response.Write ("Sorry, illegal URL address request!")
Response.End
End If

***************************************************************

Of course, this method is too "absolutely", but I also have no way ah. This method is seen on the internet, running on a website, and now everything is fine. I can only do this for security. I think as long as the sensitive words about SQL filter out should have nothing, of course, like the landlord to do that step is basically OK, you can repair the use. Remember that I originally used the "SQL into the Bible," the precautionary approach provided above, and later to switch to this.
I used to post the Code also for reference, we are interested can go to Baidu or Google search in the "SQL into the Bible" understand

Use this function to validate the data submitted by the client ...

<%
Function Saferequest (Paraname,paratype)
'---incoming parameters---
' Paraname: Parameter name-character type
' Paratype: Parameter Type-numeric (1 indicates that the above parameter is a number, and 0 indicates that the above parameter is a character)

Dim Paravalue
Paravalue=request (Paraname)
If Paratype=1 Then
If not IsNumeric (paravalue) Then
Response.Write "Parameter" & Paraname & must be a numeric type! "
Response.End
End If
Else
Paravalue=replace (Paravalue, "" "," "")
End If
Saferequest=paravalue
End Function%>
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.