First:
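' "First" variant: keyword blocklist scan of the raw query string and the Host header.
' NOTE(review): this is a coarse tripwire, not a defense. It rejects legitimate input
' that merely contains "and", "count", "*", "+", "(" etc., and it is easy to evade:
' QUERY_STRING is the still URL-encoded query part, so "%27" is never compared with
' "'". Parameterize every database call (ADODB.Command parameters) regardless.
' Also note that the list starts with ":" and the scan covers HTTP_HOST, so any
' request whose Host header carries an explicit port ("host:8080") is blocked.
Squery = LCase(Request.ServerVariables("QUERY_STRING"))
Surl = LCase(Request.ServerVariables("HTTP_HOST"))
' Patterns separated by "|". The list is lower-cased before use because InStr
' defaults to a binary (case-sensitive) comparison; the original mixed-case
' "Delete" entry could never match the lower-cased request data.
SQL_injdata = ":|;|>|||--|sp_|xp_|/|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|Delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = Split(LCase(SQL_injdata), "|")
For SQL_data = 0 To UBound(SQL_inj)
    SQL_pattern = Trim(SQL_inj(SQL_data))
    ' The "||" runs in the list yield empty entries; InStr(s, "") returns 1, which
    ' would block every request, so empty patterns are skipped.
    If Len(SQL_pattern) > 0 Then
        If InStr(Squery & Surl, SQL_pattern) > 0 Then
            Response.Write "SQL universal anti-injection system"
            Response.End
        End If
    End If
Next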
Second:
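' "Second" variant: the same keyword blocklist applied to every decoded
' query-string and form field.
' NOTE(review): keyword blocking is a coarse tripwire, not a defense - it rejects
' legitimate values containing "and", "count", "+", "(" etc. and is easy to evade.
' Parameterize every database call (ADODB.Command parameters) regardless.
SQL_injdata = ":|;|>|||--|sp_|xp_|/|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|Delete|update|count|*|%|chr|mid|master|truncate|char|declare"
' Lower-case the list once: InStr defaults to a binary (case-sensitive) comparison,
' so the mixed-case "Delete" entry and any upper-case input ("SELECT") would
' otherwise slip past the check - the original compared the raw field value.
SQL_inj = Split(LCase(SQL_injdata), "|")

' True when the request value contains any non-empty blocklist entry
' (case-insensitive). Empty entries produced by the "||" runs in SQL_injdata are
' skipped because InStr(value, "") returns 1 and would block every request.
Function SQL_IsBlocked(SQL_value)
    Dim SQL_i, SQL_pattern
    SQL_IsBlocked = False
    For SQL_i = 0 To UBound(SQL_inj)
        SQL_pattern = Trim(SQL_inj(SQL_i))
        If Len(SQL_pattern) > 0 Then
            If InStr(LCase(SQL_value), SQL_pattern) > 0 Then
                SQL_IsBlocked = True
                Exit Function
            End If
        End If
    Next
End Function

' Decoded GET fields (Request.QueryString(name) is already URL-decoded).
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        If SQL_IsBlocked(CStr(Request.QueryString(SQL_Get))) Then
            Response.Write "SQL universal anti-injection system"
            Response.End
        End If
    Next
End If
' Decoded POST fields.
If Request.Form <> "" Then
    For Each SQL_Post In Request.Form
        If SQL_IsBlocked(CStr(Request.Form(SQL_Post))) Then
            Response.Write "SQL universal anti-injection system"
            Response.End
        End If
    Next
End If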
Third:
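<%
'-------- Definition section ------------------
Dim Str_Post, Str_Get, Str_In, Str_Inf, Str_Xh, Str_db, Str_dbstr
' Customize the strings to be filtered, separated by "■".
' NOTE(review): this is a substring keyword blocklist. Legitimate values that
' contain "and", "count", "*", "%" etc. are rejected, and it is no substitute for
' parameterized queries in the pages it is meant to protect.
Str_In = "'■;■and■exec■insert■select■delete■update■count■*■%■chr■mid■master■truncate■char■declare"
'----------------------------------
%>
<%
Str_Inf = Split(Str_In, "■")

' True when the request value contains any non-empty filter entry
' (case-insensitive: the value is lower-cased, the list is already lower case).
Function Str_IsBlocked(Str_Value)
    Dim Str_i, Str_Tok
    Str_IsBlocked = False
    For Str_i = 0 To UBound(Str_Inf)
        Str_Tok = Trim(Str_Inf(Str_i))
        ' An empty entry would make InStr return 1 and block every request.
        If Len(Str_Tok) > 0 Then
            If InStr(LCase(Str_Value), Str_Tok) <> 0 Then
                Str_IsBlocked = True
                Exit Function
            End If
        End If
    Next
End Function

'-------- Write to database ---------- helper -----
' Records a blocked request in table sqlin of SqlIn.mdb, reports it to the client
' and ends the response. Str_Method is "Post" or "Get" (stored lower-cased, as the
' original did), Str_Name the field name, Str_Value the field value.
' All five logged values originate from the request (the field name and the URL
' server variable included), so they are bound as command parameters instead of
' being concatenated into the SQL text - the original escaped only the field value
' and left the other four injectable in the very logger meant to stop injection.
' NOTE(review): parameter types assume the sqlin columns are Text/Memo - confirm
' against the table you create.
Sub Str_LogAndBlock(Str_Method, Str_Name, Str_Value)
    Dim Str_Cmd, Str_Ip, Str_Url
    Str_Ip = Request.ServerVariables("REMOTE_ADDR")
    Str_Url = Request.ServerVariables("URL")
    Str_dbstr = "DBQ=" & Server.MapPath("SqlIn.mdb") & ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
    Set Str_db = Server.CreateObject("ADODB.Connection")
    Str_db.Open Str_dbstr
    Set Str_Cmd = Server.CreateObject("ADODB.Command")
    Set Str_Cmd.ActiveConnection = Str_db
    Str_Cmd.CommandText = "insert into sqlin (sqlin_ip, sqlin_web, sqlin_fs, sqlin_cs, sqlin_sj) values (?, ?, ?, ?, ?)"
    ' ADO constants written numerically because adovbs.inc is not included here:
    ' adVarChar = 200, adLongVarChar = 201, adParamInput = 1.
    Str_Cmd.Parameters.Append Str_Cmd.CreateParameter("ip", 200, 1, 255, Str_Ip)
    Str_Cmd.Parameters.Append Str_Cmd.CreateParameter("web", 200, 1, 255, Str_Url)
    Str_Cmd.Parameters.Append Str_Cmd.CreateParameter("fs", 200, 1, 255, LCase(Str_Method))
    Str_Cmd.Parameters.Append Str_Cmd.CreateParameter("cs", 200, 1, 255, Str_Name)
    Str_Cmd.Parameters.Append Str_Cmd.CreateParameter("sj", 201, 1, Len(Str_Value) + 1, Str_Value)
    Str_Cmd.Execute
    Set Str_Cmd = Nothing
    Str_db.Close
    Set Str_db = Nothing
    '-------- Write to database ---------- end -----
    ' Everything echoed back is request-controlled, so it is HTML-encoded; the
    ' original wrote the field name and value straight into the page.
    ' (The original GET-side alert also lacked the closing quote of its string.)
    Response.Write "<script language=""JavaScript"">alert('Please do not include invalid characters in the parameter to try to inject!');</script>"
    Response.Write "illegal operation! The system has made the following records:<br>"
    Response.Write "Operation IP:" & Server.HTMLEncode(Str_Ip) & "<br>"
    Response.Write "operation time:" & Now & "<br>"
    Response.Write "Operation page:" & Server.HTMLEncode(Str_Url) & "<br>"
    Response.Write "submission method: " & Server.HTMLEncode(Str_Method) & "<br>"
    Response.Write "Submit parameters:" & Server.HTMLEncode(Str_Name) & "<br>"
    Response.Write "submit data:" & Server.HTMLEncode(Str_Value)
    Response.End
End Sub

'-------- POST part ------------------
If Request.Form <> "" Then
    For Each Str_Post In Request.Form
        If Str_IsBlocked(CStr(Request.Form(Str_Post))) Then
            Str_LogAndBlock "Post", Str_Post, CStr(Request.Form(Str_Post))
        End If
    Next
End If
'----------------------------------
'-------- Get part -------------------
' Request.QueryString(name) is already URL-decoded.
If Request.QueryString <> "" Then
    For Each Str_Get In Request.QueryString
        If Str_IsBlocked(CStr(Request.QueryString(Str_Get))) Then
            Str_LogAndBlock "Get", Str_Get, CStr(Request.QueryString(Str_Get))
        End If
    Next
End If
%>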
The third method requires you to create the `sqlin` table in the Access database yourself.