Write a generic ASP anti-SQL injection attack program

Source: Internet
Author: User
Tags filter chr continue http request include insert sql injection sql injection attack
program | Attack SQL injection by those rookie level of so-called hacker Master play out the taste, found that most of the hacking is based on SQL injection implementation, hey, who let this easy to get started, well, don't talk nonsense, Now I'm starting to say that if you write a generic SQL anti-injection program, the general HTTP request is nothing more than get and post, so as long as we filter all the illegal characters in the parameter information in the post or GET request in the file, we implement the HTTP Request information filtering to determine whether a SQL injection attack is being used.

The GET request that IIS passes to Asp.dll is in the form of a string, and when passed to the Request.QueryString data, the ASP parser parses the Request.QueryString information, and then according to "&", Separate the data in each array so that get is intercepted as follows:

First we define that the request cannot contain the following characters:

' |and|exec|insert|select|delete|update|count|*|%| Chr|mid|master|truncate|char|declare
Individual characters with "|" Separated, and then we judged the request.querystring to get the specific code as follows:

Dim sql_injdata
Sql_injdata = "' |and|exec|insert|select|delete|update|count|*|%| Chr|mid|master|truncate|char|declare "
Sql_inj = Split (Sql_injdata, "|")
If request.querystring <> "" Then
For each sql_get in Request.QueryString
For Sql_data=0 to Ubound (Sql_inj)
If InStr (Request.QueryString (Sql_get), Sql_inj (sql_data)) >0 Then
Response.Write "<script Language=****>alert" (' World Film Federation SQL Universal Anti-injection system hint ↓NN Please do not include illegal characters in parameters try to inject! '); History.back ( -1) </Script> "
Response.End
End If
Next
Next
End If
This enables us to intercept the injection of GET requests, but we also need to filter the POST request, so we have to continue to consider Request.Form, which is also in the form of an array, and we just need to go through the loop again. The code is as follows:

If request.form <> "" Then
For each sql_post in Request.Form
For Sql_data=0 to Ubound (Sql_inj)
If InStr (Request.Form (Sql_post), Sql_inj (sql_data)) >0 Then
Response.Write "<script Language=****>alert" (' World Film Federation SQL Universal Anti-injection system hint ↓NN Please do not include illegal characters in parameters try to inject! Nnhttp://www.521movie.com '); History.back ( -1) </Script> "
Response.End
End If
Next
Next
End If
All right, we've implemented the GET and POST request information interception, and you just need to refer to this page before opening the database file like conn.asp. Rest assured that you continue to develop your program, regardless of whether you will be subjected to SQL injection attacks. Isn't it?



Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.