program | Attack SQL injection by those rookie level of so-called hacker Master play out the taste, found that most of the hacking is based on SQL injection implementation, hey, who let this easy to get started, well, don't talk nonsense, Now I'm starting to say that if you write a generic SQL anti-injection program, the general HTTP request is nothing more than get and post, so as long as we filter all the illegal characters in the parameter information in the post or GET request in the file, we implement the HTTP Request information filtering to determine whether a SQL injection attack is being used.
The GET request that IIS passes to Asp.dll is in the form of a string, and when passed to the Request.QueryString data, the ASP parser parses the Request.QueryString information, and then according to "&", Separate the data in each array so that get is intercepted as follows:
First we define that the request cannot contain the following characters:
' |and|exec|insert|select|delete|update|count|*|%| Chr|mid|master|truncate|char|declare
Individual characters with "|" Separated, and then we judged the request.querystring to get the specific code as follows:
Dim sql_injdata
Sql_injdata = "' |and|exec|insert|select|delete|update|count|*|%| Chr|mid|master|truncate|char|declare "
Sql_inj = Split (Sql_injdata, "|")
If request.querystring <> "" Then
For each sql_get in Request.QueryString
For Sql_data=0 to Ubound (Sql_inj)
If InStr (Request.QueryString (Sql_get), Sql_inj (sql_data)) >0 Then
Response.Write "<script Language=****>alert" (' World Film Federation SQL Universal Anti-injection system hint ↓NN Please do not include illegal characters in parameters try to inject! '); History.back ( -1) </Script> "
Response.End
End If
Next
Next
End If
This enables us to intercept the injection of GET requests, but we also need to filter the POST request, so we have to continue to consider Request.Form, which is also in the form of an array, and we just need to go through the loop again. The code is as follows:
If request.form <> "" Then
For each sql_post in Request.Form
For Sql_data=0 to Ubound (Sql_inj)
If InStr (Request.Form (Sql_post), Sql_inj (sql_data)) >0 Then
Response.Write "<script Language=****>alert" (' World Film Federation SQL Universal Anti-injection system hint ↓NN Please do not include illegal characters in parameters try to inject! Nnhttp://www.521movie.com '); History.back ( -1) </Script> "
Response.End
End If
Next
Next
End If
All right, we've implemented the GET and POST request information interception, and you just need to refer to this page before opening the database file like conn.asp. Rest assured that you continue to develop your program, regardless of whether you will be subjected to SQL injection attacks. Isn't it?
