Use the instr () function to prevent SQL injection attacks

Source: Internet
Author: User

Source: Tianji BLOG

I have been learning asp for some time. I have been writing my own program for the past few days and have encountered many problems. I have to consider some of the current vulnerabilities, for example, 'or and 1 = 1 and so on! Let's talk about how to block this vulnerability today!

I remember reading an article (I don't remember when I saw it). He used the instr function, which should be like this.

If instr (Request ("id"), "")> 0 or instr (Request ("id"), "")> 0 then response. redirect "index. asp"

Of course, you can also write what you want after then! Ignore this!

Let's first learn about the instr function:

Syntax

InStr ([start,] string1, string2 [, compare])

The syntax of the InStr function includes the following parameters:

Parameters Description
Start Optional. Value expression, used to set the start position of each search. If omitted, the search starts from the first character. If start contains Null, an error occurs. If the compare parameter is specified, the start parameter is required.
String1 Required. String expression to be searched.
String2
Required. The string expression to be searched.
Compare Optional. Indicates the value of the comparison type used to calculate the substring. For values, see "Settings. If omitted, binary comparison is executed.
The compare parameter can have the following values:
Constant Value description
VbBinaryCompare 0 performs binary comparison.
VbTextCompare 1 performs text comparison.

[Return value]

The InStr function returns the following values:

If InStr returns

String1 0 length 0

String1 is Null

String2 zero-length start

String2 is Null

String2 does not find 0

Find string2 in string1 and find the position matching the string

Start> Len (string2) 0

The following example uses InStr to search for strings:

Dim SearchString, SearchChar, MyPos
The string to be searched in SearchString = "XXpXXpXXPXXP.
SearchChar = "P" Search "P ".
MyPos = Instr (4, SearchString, SearchChar, 1) the text comparison starts from the fourth character and returns 6.
MyPos = Instr (1, SearchString, SearchChar, 0) the binary comparison starts from 1st characters and returns 9.
MyPos = Instr (SearchString, SearchChar) returns 9.
The default value is binary comparison (the last parameter is omitted ).
MyPos = Instr (1, SearchString, "W") returns 0 after the binary comparison starts from 1st characters ("W" is not found ").

Note that the InStrB function uses byte data contained in the string. Therefore, the returned value of InStrB is not the first occurrence of a character string in another string, but the byte position.

To sum up, the instr function is to return the position of the character or string that appears for the first time in another string. Well, let's look at the Code:

If instr (Request ("id"), "")> 0 or instr (Request ("id"), "")> 0 then

Meaning: Compares the specific position of the comparison character (Space) and character () in the request ("id") (for Binary comparison). If the (Space) and (') characters are found, the statement after then!

Now everyone understands this meaning!

When I look at the first glance, I will say, in the case of asp? Id = 90 + characters (; or,) and so on, isn't it a sample error? (Yes, yes :)

It may be said that I will go to if instr (Request ("id"), "")> 0 or instr (Request ("id"), "")> add some characters in the 0 then statement, for example, if instr (Request ("id"), "")> 0 or instr (Request ("id"), "")> 0 or instr (Request ("id"), ";")> 0 or instr (Request ("id"), ",")> 0 then
Wait, you can add it to the back! (That's good! But it is bad :)
Yes. After adding this, we can really beat some so-called Hacker's hands!

Actually, it's not necessary. Do you forget the instr (Request ("id"), "")> 0 sentence? It's still compared with (Space! As long as there is such a sentence, those so-called hackers, and 1 = 1 won't be useless?

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.