Write a generic ASP anti-SQL injection attack program

SQL injection was played by the novice-level so-called hacker masters, found that most of the hackers are now based on SQL injection implementation, hey, who makes this easy to get started, okay, don't talk nonsense, now I start to say if you write generic SQL anti-injection programs general HTTP requests are nothing more than get and Post, so as long as we filter all the parameters in the post or GET request in the file to the illegal characters, so we implement HTTP request information filtering can be judged by the SQL injection attack.

The GET request that IIS passes to Asp.dll is in the form of a string, and when passed to the Request.QueryString data, the ASP parser parses the Request.QueryString information, and then according to "&", Separate the data in each array so that get is intercepted as follows:

First we define that the request cannot contain the following characters:

'|and|exec|insert|select|delete|update|count|*|% |chr|mid|master|truncate|char|declare

Individual characters with "|" Separated, and then we judged the request.querystring to get the specific code as follows:

dim sql_injdata
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|% |chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString＜＞"" Then
　For Each SQL_Get In Request.QueryString
　　For SQL_Data=0 To Ubound(SQL_inj)
　　　if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))＞0 Then
　　　　Response.Write "＜Script Language=****＞alert('天下电影联 盟SQL通用防注入系统提示↓nn请不要在参数中包含非法字符尝试注 入！');history.back(-1)＜/Script＞"
　　　　Response.end
　　　end if
　　next
　Next
End If

This enables us to intercept the injection of GET requests, but we also need to filter the POST request, so we have to continue to consider Request.Form, which is also in the form of an array, and we just need to go through the loop again. The code is as follows:

If Request.Form＜＞"" Then
　For Each Sql_Post In Request.Form
　　For SQL_Data=0 To Ubound(SQL_inj)
　　　if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))＞0 Then
　　　　Response.Write "＜Script Language=****＞alert('天下电影联 盟SQL通用防注入系统提示↓nn请不要在参数中包含非法字符尝试注入！ nnHTTP://www.521movie.com ');history.back(-1)＜/Script＞"
　　　　Response.end
　　　end if
　　next
　next
end if

All right, we've implemented the GET and POST request information interception, and you just need to refer to this page before opening the database file like conn.asp. Rest assured that you continue to develop your program, regardless of whether you will be subjected to SQL injection attacks. Isn't it?