SQL injection is the favourite trick of novice-level "hacker masters", and most of the hacks you see today are built on SQL injection. Well, it is easy to get started with, so enough chatter: let's write a generic SQL anti-injection program.
An HTTP request is essentially either GET or POST, so if we filter the illegal characters out of the parameters of every POST or GET request in one file, we can detect a SQL injection attempt simply by screening the HTTP request data.
IIS passes a GET request to asp.dll as a single string; the ASP parser then splits that string on "&" and exposes each name/value pair through the Request.QueryString collection. So GET requests are intercepted as follows.
First we define the characters and keywords that a request must not contain:
'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare
The entries are separated by "|"; we then check every parameter in Request.QueryString against them. The code is as follows:
Dim Sql_injdata, Sql_inj, Sql_get, Sql_data
' Blacklist of fragments that must not appear in any request parameter
Sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
Sql_inj = Split(Sql_injdata, "|")
If Request.QueryString <> "" Then
    ' Walk every GET parameter name, then test its value against each blacklist entry
    For Each Sql_get In Request.QueryString
        For Sql_data = 0 To UBound(Sql_inj)
            ' vbTextCompare makes the match case-insensitive; InStr's default compare is case-sensitive
            If InStr(1, Request.QueryString(Sql_get), Sql_inj(Sql_data), vbTextCompare) > 0 Then
                Response.Write "<script>alert('World Film Federation SQL Universal Anti-injection system hint ↓\n\nPlease do not include illegal characters in parameters to try to inject!');history.back();</script>"
                Response.End
            End If
        Next
    Next
End If
This intercepts injection through GET requests, but POST requests must be filtered too, so we continue with Request.Form. It is also a collection, so we just run the same loop over it. The code is as follows:
Dim Sql_post
If Request.Form <> "" Then
    ' Same check as for GET, applied to every POST field
    For Each Sql_post In Request.Form
        For Sql_data = 0 To UBound(Sql_inj)
            If InStr(1, Request.Form(Sql_post), Sql_inj(Sql_data), vbTextCompare) > 0 Then
                Response.Write "<script>alert('World Film Federation SQL Universal Anti-injection system hint ↓\n\nPlease do not include illegal characters in parameters to try to inject!\n\nhttp://www.521movie.com');history.back();</script>"
                Response.End
            End If
        Next
    Next
End If
That's it: both GET and POST request parameters are now screened. Save the code above as an include and reference it before any database access, for example at the top of the database connection file such as conn.asp, so that every page which opens the database runs the check first. Now you can get on with developing your program without worrying about whether SQL injection will be attempted, can't you?
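As an added illustration (my own Python model, not the page's ASP code), here is the same check run over constructed sample requests: it splits a raw query string on "&" the way the ASP parser described above does, screens every value against the page's blacklist case-insensitively, and reports which parameter and keyword triggered the block.

```python
from urllib.parse import parse_qsl

# The page's keyword blacklist, split on "|" exactly as the ASP code does.
SQL_INJ_DATA = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_INJ = SQL_INJ_DATA.split("|")


def find_blocked_keyword(value, blacklist=SQL_INJ):
    """Return the first blacklisted substring found in value, or None.

    Matching is case-insensitive, which is what InStr(..., vbTextCompare)
    gives in the ASP version; a plain InStr would miss mixed-case input.
    """
    lowered = value.lower()
    for keyword in blacklist:
        if keyword.lower() in lowered:
            return keyword
    return None


def screen_query_string(raw_query):
    """Split a raw query string on '&' (as the ASP parser does) and screen
    every parameter value. Returns a list of (parameter, offending keyword)."""
    hits = []
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        keyword = find_blocked_keyword(value)
        if keyword is not None:
            hits.append((name, keyword))
    return hits


if __name__ == "__main__":
    # Constructed sample requests. The second is legitimate but still rejected,
    # because "Sandra" contains "and" and "Countdown" contains "count".
    for raw in ("page=2&id=7%20union%20select%201",
                "name=Sandra&title=Countdown",
                "page=3&sort=title"):
        print(raw, "->", screen_query_string(raw) or "allowed")
```

The second sample shows the cost of a substring blacklist: ordinary values such as "Sandra" or "Countdown" are rejected along with real probes. A screen like this sits in front of the query; it does not replace passing user input to the database as parameters rather than concatenating it into SQL text.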