Rem # Long integer conversion: returns CLng(s) when s is numeric, otherwise the supplied default
Function tonum(s, defaultValue)
    If IsNumeric(s) And s <> "" Then
        tonum = CLng(s)
    Else
        tonum = defaultValue
    End If
End Function
Rem # SQL string conversion: double every single quote so the value cannot close its literal
Function tosql(str)
    If IsNull(str) Then str = ""
    tosql = Replace(str, "'", "''")
End Function
Example:
Dim sql
Dim strname, intage
strname = tosql(Request("user"))
intage = tonum(Request("age"), 20)
sql = "select * from [user] " & _
      "where [age] > " & intage & _
      " and [username] = '" & strname & "'"
In general, the above two functions can be used to prevent online SQL injection attacks! If you need it, you can also strip CHR(0) by changing the tosql function as follows:
Function tosql(str)
    If IsNull(str) Then str = ""
    str = Replace(str, Chr(0), "")
    tosql = Replace(str, "'", "''")
End Function
Note:
**************************************** *******************************
Function for checking external submissions:
Function checkurlrefer()
    Dim strlocalurl, inturllen, strurlrefer
    strlocalurl = "http://127.0.0.1"
    inturllen = Len(strlocalurl)
    strurlrefer = LCase(Request.ServerVariables("HTTP_REFERER") & "")
    ' Check whether the previous page came from strlocalurl (prefix match on the Referer header)
    If Left(strurlrefer, inturllen) = strlocalurl Then
        checkurlrefer = True
    Else
        checkurlrefer = False
    End If
End Function
**************************************** *******************************
This function can help you resist external SQL injection tests. You only need to call it at the top of the page.
Make your ASP program safer!
Thank you for your attention. (Please write out the methods that bypass these two functions!)
Related discussion pages:
http://community.csdn.net/Expert/TopicView.asp?id=3585010
http://community.csdn.net/Expert/TopicView.asp?id=3582230
http://community.csdn.net/Expert/topic/3589/3589480.xml?temp=.4866449
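A Python model of the three checks from the post above (tonum, the tosql variant that strips CHR(0), and checkurlrefer), added here as an example; it is not code from the post. It is a way to work through the bypass question: the quote doubling keeps a quote inside its string literal, tonum falls back to the default for anything non-numeric, but checkurlrefer depends on the Referer header, which the client sends, so a request that sets Referer: http://127.0.0.1/ itself passes, and because the test is a prefix match a referer from the host 127.0.0.10 passes too. The inputs are constructed, and tonum is modelled on plain integers only (VBScript's IsNumeric also accepts forms such as 1e3), which is an assumption of the model.

```python
import re

# Added example: Python model of the post's tonum / tosql / checkurlrefer.
# All inputs used below are constructed, not captured from a real site.

_INT = re.compile(r"^\s*[+-]?\d+\s*$")


def tonum(s, default):
    """Model of tonum(): integer value of s, or the default when s is not numeric.
    Assumption: only plain integers count (VBScript's IsNumeric is looser)."""
    if s is not None and _INT.match(s):
        return int(s)
    return default


def tosql(s):
    """Model of the second tosql(): Null -> '', drop CHR(0), double single quotes."""
    if s is None:
        s = ""
    s = s.replace("\x00", "")
    return s.replace("'", "''")


def build_query(user, age):
    """The post's example query: the string value is quoted and escaped, the
    numeric value validated (the escaping only helps inside a quoted literal)."""
    return "select * from [user] where [age] > %d and [username] = '%s'" % (
        tonum(age, 20), tosql(user))


def checkurlrefer(referer, localurl="http://127.0.0.1"):
    """Model of checkurlrefer(): prefix match of the lower-cased Referer header."""
    referer = (referer or "").lower()
    return referer[:len(localurl)] == localurl


def forged_referer_passes():
    """The header is supplied by the client, so a request made from anywhere
    with a hand-set Referer passes the check (constructed request headers)."""
    headers = {"Host": "victim.example", "Referer": "http://127.0.0.1/login.asp"}
    return checkurlrefer(headers.get("Referer"))


if __name__ == "__main__":
    print(build_query("O'Brien", "30"))
    print(build_query("' or 1=1 --", "1 or 1=1"))
    print(checkurlrefer("http://evil.example/"), checkurlrefer("http://127.0.0.10/"))
    print(forged_referer_passes())
```

The escaping in build_query is only meaningful for the value inside the quotes; a value spliced in unquoted, as the age is, has to be validated as a number instead, which is why tonum and tosql are used on different parameters.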
//////////////////////////////////////// //////////////////////////////////////// /////////////////////////////
Dim qs, errc, iii
qs = Request.ServerVariables("QUERY_STRING")
Dim nothis(18)
nothis(0) = "Net user"
nothis(1) = "xp_cmdshell"
nothis(2) = "/Add"
nothis(3) = "Exec%20master.dbo.xp_cmdshell"
nothis(4) = "net localgroup Administrators"
nothis(5) = "select"
nothis(6) = "count"
nothis(7) = "ASC"
nothis(8) = "char"
nothis(9) = "mid"
nothis(10) = "'"
nothis(11) = ":"
nothis(12) = """"
nothis(13) = "insert"
nothis(14) = "delete"
nothis(15) = "Drop"
nothis(16) = "truncate"
nothis(17) = "from"
nothis(18) = "%"
errc = False
' InStr with its default binary comparison is case-sensitive, so only these exact spellings match
For iii = 0 To UBound(nothis)
    If InStr(qs, nothis(iii)) <> 0 Then
        errc = True
    End If
Next
If errc Then
    Response.Write("Sorry, illegal URL request!")
    Response.End
End If
**************************************** ***********************
Of course, this method is too "absolute", but there is nothing I can do about that. I saw this method on the internet; it is running on a website and everything has been fine so far. I can only do this for security's sake. I think it should be okay to filter out all the sensitive SQL words. Of course, it is basically fine for the original poster to do that as well; you can fix it up and use it. I remember that I used the prevention method provided in "SQL Injection Tianshu" and later switched to this method.
I will also post the code I used for reference. If you are interested, you can search Baidu or Google for "SQL Injection Tianshu".
Use this function to verify the data submitted by the client...
<%
Function saferequest(paraname, paratype)
    ' --- Input parameters ---
    ' paraname: parameter name
    ' paratype: parameter type (1 = the parameter must be a number, 0 = the parameter is a string)
    Dim paravalue
    paravalue = Request(paraname)
    If paratype = 1 Then
        If Not IsNumeric(paravalue) Then
            Response.Write "Parameter " & paraname & " must be numeric!"
            Response.End
        End If
    Else
        ' String parameters only get their single quotes doubled
        paravalue = Replace(paravalue, "'", "''")
    End If
    saferequest = paravalue
End Function
%>
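A Python model of the query-string blacklist posted above, added as an example (not the poster's code), run over constructed requests to show what it blocks and what it misses. It reproduces the posted behaviour: a case-sensitive substring test (VBScript's InStr uses a binary comparison unless told otherwise) over the raw QUERY_STRING only, so a differently cased keyword, or the same payload sent in a POST body or a cookie, is never examined, while harmless values that happen to contain "count", "mid" or ":" are rejected.

```python
# Added example: Python model of the blacklist above; the requests are constructed.

# Same terms, same casing, as the posted nothis() array.
NOTHIS = [
    "Net user", "xp_cmdshell", "/Add", "Exec%20master.dbo.xp_cmdshell",
    "net localgroup Administrators", "select", "count", "ASC", "char", "mid",
    "'", ":", '"', "insert", "delete", "Drop", "truncate", "from", "%",
]


def matching_terms(query_string):
    """Terms from the list found in the raw query string (case-sensitive,
    like InStr with its default binary comparison)."""
    return [term for term in NOTHIS if term in query_string]


def is_blocked(query_string):
    return bool(matching_terms(query_string))


def filter_request(request):
    """The posted check reads only Request.ServerVariables("QUERY_STRING");
    the form body and cookies of the request are never inspected."""
    return "blocked" if is_blocked(request.get("QUERY_STRING", "")) else "allowed"


# Constructed requests: the same payload by URL, by upper-cased URL and by POST body,
# plus two harmless query strings that trip the list.
PAYLOAD = "id=1%20union%20select%201"
REQUESTS = {
    "get_lower":  {"METHOD": "GET",  "QUERY_STRING": PAYLOAD, "FORM": ""},
    "get_upper":  {"METHOD": "GET",  "QUERY_STRING": "id=1+UNION+SELECT+1", "FORM": ""},
    "post_body":  {"METHOD": "POST", "QUERY_STRING": "", "FORM": PAYLOAD},
    "legit_word": {"METHOD": "GET",  "QUERY_STRING": "q=discount", "FORM": ""},
    "legit_time": {"METHOD": "GET",  "QUERY_STRING": "t=10:30", "FORM": ""},
}


def run_all():
    """Verdict of the filter for every constructed request."""
    return {name: filter_request(req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(name, verdict, matching_terms(REQUESTS[name]["QUERY_STRING"]))
```

The "%" entry deserves a look on its own: QUERY_STRING is the undecoded query string, so that one term rejects every request whose URL carries any percent-encoded character, including an apostrophe in a legitimate name sent as %27.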