Two small functions make your ASP program immune to SQL injection!

Source: Internet
Author: User
Tags: servervariables

Rem # Long integer conversion
Function tonum(s, default)
    ' Return s as a Long when it is a non-empty numeric string, otherwise return the default
    If IsNumeric(s) And s <> "" Then
        tonum = CLng(s)
    Else
        tonum = default
    End If
End Function

Rem # SQL string conversion
Function tosql(str)
    ' Double every single quote so the value can sit inside a quoted SQL literal
    If IsNull(str) Then str = ""
    tosql = Replace(str, "'", "''")
End Function

Example:
Dim SQL
Dim strWhere, strName, intAge
strName = tosql(Request("user"))
intAge = tonum(Request("Age"), 20)
SQL = "SELECT * FROM [user]" & _
      " WHERE [age] > " & intAge & _
      " AND [username] = '" & strName & "'"

In general, the above two functions can be used to prevent SQL injection attacks on your site. If you need to, you can also strip Chr(0) (the NUL character) by changing the tosql function as follows:
Function tosql(str)
    If IsNull(str) Then str = ""
    str = Replace(str, Chr(0), "")   ' strip NUL characters
    tosql = Replace(str, "'", "''")
End Function
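As an added example (not part of the original post), here is the same lookup as the Example above written with ADO command parameters, so the request values never become part of the SQL text at all; the connection string and the 50-character column size are assumptions.

```vbscript
<%
' Added example, not part of the original post: the "Example:" query above,
' rebuilt with ADO parameters so request values never enter the SQL text.
Const adInteger = 3       ' ADO DataTypeEnum
Const adVarWChar = 202
Const adParamInput = 1    ' ADO ParameterDirectionEnum
Const adCmdText = 1       ' ADO CommandTypeEnum

Dim conn, cmd, rs, strName, intAge
strName = Request("user") & ""     ' plain string; no quote doubling needed
If IsNumeric(Request("Age")) And Request("Age") <> "" Then
    intAge = CLng(Request("Age"))
Else
    intAge = 20                    ' same default as tonum(Request("Age"), 20)
End If

' The connection string is an assumption; use your own.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=mydb;Integrated Security=SSPI"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Each ? is a placeholder; the values travel separately from the statement,
' so a quote or keyword inside strName is treated as data, not as SQL.
cmd.CommandText = "SELECT * FROM [user] WHERE [age] > ? AND [username] = ?"
cmd.Parameters.Append cmd.CreateParameter("age", adInteger, adParamInput, , intAge)
cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, adParamInput, 50, strName)

Set rs = cmd.Execute
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("username") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```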

Note:

***********************************************************************
Function that checks for externally submitted requests (Referer check).
Function checkurlrefer()
    Dim strLocalUrl, intUrlLen, strUrlRefer
    strLocalUrl = "http://127.0.0.1"
    intUrlLen = Len(strLocalUrl)
    strUrlRefer = LCase(Request.ServerVariables("HTTP_REFERER") & "")
    ' Check whether the previous page came from strLocalUrl
    If Left(strUrlRefer, intUrlLen) = strLocalUrl Then
        checkurlrefer = True
    Else
        checkurlrefer = False
    End If
End Function
***********************************************************************
This function can help you resist external SQL injection tests. You only need to call it at the top of the page. Keep in mind that the Referer header is set by the client and may be missing entirely, so treat this as a secondary check, not a replacement for validating and escaping the submitted values themselves.

Make your ASP program safer!

Thank you for your attention. (Please write out the methods that bypass these two functions)!

Related discussion pages:
http://community.csdn.net/Expert/TopicView.asp?id=3585010
http://community.csdn.net/Expert/TopicView.asp?id=3582230

http://community.csdn.net/Expert/topic/3589/3589480.xml?temp=.4866449
///////////////////////////////////////////////////////////////////////

Dim QS, ERRC, III
QS = Request.ServerVariables("QUERY_STRING")
Dim nothis(18)
nothis(0) = "net user"
nothis(1) = "xp_cmdshell"
nothis(2) = "/add"
nothis(3) = "exec%20master.dbo.xp_cmdshell"
nothis(4) = "net localgroup administrators"
nothis(5) = "select"
nothis(6) = "count"
nothis(7) = "asc"
nothis(8) = "char"
nothis(9) = "mid"
nothis(10) = "'"
nothis(11) = ":"
nothis(12) = """"
nothis(13) = "insert"
nothis(14) = "delete"
nothis(15) = "drop"
nothis(16) = "truncate"
nothis(17) = "from"
nothis(18) = "%"
ERRC = False
' Case-insensitive search for each blocked string in the raw query string
For III = 0 To UBound(nothis)
    If InStr(1, QS, nothis(III), vbTextCompare) <> 0 Then
        ERRC = True
    End If
Next
If ERRC Then
    Response.Write("Sorry, illegal URL request!")
    Response.End
End If

***********************************************************************

Of course, this method is too "absolute", but I cannot do better. I saw this method on the Internet; it is running on a website, and so far everything is fine. I can only do this for security purposes. I think it should be okay to filter out all sensitive SQL words. Of course, it is basically okay for the original poster to do that too. You can fix it and use it. I remember that I used the prevention method provided in "SQL Injection tianshu" and later switched to this method.
The code I used is also posted for reference. If you are interested, you can search Baidu or Google for "SQL Injection tianshu".

Use this function to verify the data submitted by the client...

<%
Function saferequest(paraname, paratype)
    ' --- Input parameters ---
    ' paraname: parameter name
    ' paratype: parameter type (1 = the parameter must be numeric, 0 = the parameter is a string)

    Dim paravalue
    paravalue = Request(paraname)
    If paratype = 1 Then
        If Not IsNumeric(paravalue) Then
            Response.Write "Parameter " & paraname & " must be numeric!"
            Response.End
        End If
    Else
        paravalue = Replace(paravalue, "'", "''")
    End If
    saferequest = paravalue
End Function
%>
