ASP.NET prevents SQL Injection
Generally, modifying files one by one is not only troublesome but also risky. Next I will explain how to prevent injection across the entire system. With the following three steps, we believe the program will be safer and maintaining the whole website will become simpler.
I. Data Verification
Rem # Long Integer Conversion
Function Tonum(s, default)
    ' Return s as a Long only if it is a non-empty numeric string, otherwise return the default
    If IsNumeric(s) And s <> "" Then
        Tonum = CLng(s)
    Else
        Tonum = default
    End If
End Function
Rem # SQL statement conversion
Function Tosql(str)
    ' Double every single quote so the value cannot close the SQL string literal
    If IsNull(str) Then str = ""
    Tosql = Replace(str, "'", "''")
End Function
Example:
Dim SQL
Dim strwhere, strname, intage
strname = Tosql(Request("user"))
intage = Tonum(Request("Age"), 20)
SQL = "select * from [us
Trojan Horse | Upload SQL injection, how to upload a Trojan, has been a headache, I am here to provide an alternative way to upload a trojan. 1, SQL injection, with xp_cmdshell to the server to write a file to write an ASP file. File contents:
One, what is SQL injection-type attack?
A SQL injection attack is one in which an attacker inserts a SQL command into a Web form's input field or a page request's query string, tricking the server into executing a malicious SQL command. I
A further discussion on ASP preventing SQL injection vulnerabilities
/**
Author: Ci Qin Qiang
Email: cqq1978@gmail.com
*/
There seems to be nothing left to say about SQL injection prevention in ASP. In my ASP projects,
are writt
SQL injection has been played out by novice-level so-called hacker masters; I found that most hacking nowadays is based on SQL injection. Hey, who made this so easy to get started? OK, enough nonsense; now I will start explaining how to write generic SQL anti-
Source: Bug. Center. Team
Affected Versions:WoDig 4.1.2
Program introduction:WODIG is a well-designed Chinese DIGG Community open source program. It is the best solution for DIGG community programs in the Windows NT service environment.
Vulnerability Analysis:
In the wodig.asp file:
Tags_name = Request("tags_name") // line 13
......
The Get_MainContent process is in the file /WoLib/Cls_Class.asp:
Public Sub Get_MainPP(pageurl) // line 827
......
If tag
In the results, there is a problem with the views.asp file. If there is an injection, we can see it here: hw_id = Request("hw_id"). hw_id has no filtering at all and comes straight from Request, which looks "cool" at first glance; the old vulnerabilities from the past have not been properly fixed in the new version, or the vulnerability follow-up code was never completed. Finally, they are in sqlcheck.
I. Definition: a SQL Injection Attack is the process by which SQL code is passed into an application in a way its developers did not anticipate; only applications that directly construct SQL statements from user-supplied values are affected.
For example, the original SQL
Copy the following code to the header of each file to prevent SQL injection.
Program security is the most important :)
Dim Fy_url, Fy_a, Fy_x, Fy_cs(), Fy_cl, Fy_ts, Fy_zx
'--- Define partial header ------
Fy_cl = 1 ' Processing method: 1 = prompt message, 2 = redirect page, 3 = prompt before redirect
Fy_zx = "error.asp" ' page to redirect to when an erro
Generic anti-SQL injection code, ASP edition
Dim Sql_injdata
' Keywords and characters to reject; no spaces around the separators, or the matches would fail
Sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
Sql_inj = Split(Sql_injdata, "|")
If Request.QueryString <> "" Then
For Each sql_get In Request.QueryString
For Sql_data = 0 To UBound(Sql_inj)
If InStr(Request.QueryString(sql_get), Sql_inj(sql_
1. Create a new class that implements the IHttpModule interface; the code is as follows:
When implementing the Init method of the interface, we chose the AcquireRequestState event. Why not the Begin_request event? Because we may use the session during processing, and the session state is not yet loaded at the Begin_request event (for HttpModule, refer to this article).
2. Processing the data submitted to the website
(1) GET mode
The code is as follows: URL-submitted data, GET method
(2) POST mo
It is not particularly difficult to prevent an ASP.NET application from being compromised by SQL injection, as long as you filter all input before using form contents to construct SQL commands. Input filtering can be done in a variety of ways.
(1) For dynamically constructed SQL queries, you can u
First, the verification method
The code is as follows
/// SQL injection filtering
/// string to filter
/// returns true if the parameter contains an unsafe character
public static bool SqlFilter2(string intext)
{
    string word = "And|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join";
    if (intext == null) return false;
    foreach (string i in word.Split
Functions used to prevent SQL injection attacks. You can use them directly, but they may not cover every case, so you still need to stay security-aware.
The code is as follows:
'================================
'Filter the SQL statements in the submitted Form
'================================
Function forsqlform ()
Dim fqys, ERRC, I,
Copy the following code to the head of each file to prevent SQL injection; writing secure programs is the most important:
Dim Fy_url, Fy_a, Fy_x, Fy_cs(), Fy_cl, Fy_ts, Fy_zx
'--- define partial head ------
Fy_cl = 1 ' processing mode: 1 = hint message, 2 = redirect page, 3 = prompt before redirect
Fy_zx = "error.asp" ' the page to redirect to on error
'--- define partial tail ------
On Error Resume Next
Fy_url=request.se