Here we will introduce another way to prevent SQL injection attack in ASP, this method is not only applicable in ASP, in fact, in any language that uses ADO object model to interact with database, it may be more appropriate to say that the method of anti SQL
Recently took over someone else a project, found that there is a SQL injection vulnerability, because do not want to change too much code, so that parameter method of anti-injection I don't need it. Can only use the traditional stupid point of the way.
1, new Global.asax file.
2. Add the following code:
void Application_BeginRequest (object sender, EventArgs e)
The function used to prevent SQL injection attacks can be used directly, but we will not use it, but we need to enhance our safety awareness.
Copy Code code as follows:
'==========================
' Filter the SQL in the submission form
'==========================
function Forsqlform ()
Dim fqys,errc,i,items
Dim Nothis (18)
Nothis (0) = "NET use
Recently, the author of the station suffered to SQL intrusion, so the Internet search some related methods to prevent SQL injection.
A lot of versions, some people think that this section is good, some people think that the paragraph just, so the comprehensive collation, including the following:
The following are the referenced contents:Dim Fy_url,fy_
Here are 4 functions that are enough to withstand all SQL injection vulnerabilities! Read the code and you can digest it.
Be careful to filter all Request objects: including Request.cookie, request. ServerVariables and so on are easily overlooked objects:
Copy Code code as follows:
Function Killn (ByVal s1) ' filter numeric parameter
if not IsNumeric (S1) then
killn= 0
Else
"Response.Write " "Case "2"Response.Write ""Case "3"Response.Write " "End SelectResponse.EndEnd IfNEXTNEXTEnd If The above is a different version. Dim Getflag Rem (Submission method)Dim errorsql Rem (illegal character)Dim Requestkey Rem (submit data)Dim fori Rem (Loop Mark)Errorsql = "' ~;~and~ (~) ~exec~update~count~*~%~chr~mid~master~truncate~char~declare" Rem (use half-width "~" to open each sensitive character or word)Errorsql = Split (Errorsql, "~")If Request.ServerVariables ("request_metho
ASP SQL Super Anti-injection code
Dim s_badstr, N, IS_badstr = "' n = Len (S_BADSTR)Safe = TrueFor i = 1 to nIf Instr (str, Mid (S_BADSTR, I, 1)) > 0 ThenSafe = FalseExit FunctionEnd IfNextEnd Function' The following code directly determines whether the URL in which the request occurred contains illegal charactersOn Error Resume NextDim strtemp
If LCase (Reques
Case "1″ Response.Write "Alert (' argument error! The value of parameter ' name ' contains an illegal string! Please do not appear in the parameter: and update delete; Insert an illegal character such as Mid master! '); Window.close (); " Case "2″ Response.Write "location.href=" Err_Web "'" Case "3″ Response.Write "Alert (' argument error! The value of parameter ' name ' contains an illegal string! Please do not appear in the parameter: and update delete; Insert an illegal character such as Mid
, post, client-agent, Cookie, server enviroment...2. Why can an attacker inject the statement it wants "? Because server applications are pieced together (pay special attention to this term) with SQL statements, attackers may have the opportunity to include SQL keywords or operators in the submitted data, to construct the statements they want.3. What is the final result of
What is SQL injection?
My understanding of SQL injection is that some people can input through malicious parameters, let the background to execute this SQL, and then to get data or destroy the purpose of the database!For a simple query example, background
Squery=lcase (Request.ServerVariables ("query_string"))Surl=lcase (Request.ServerVariables ("Http_host"))Sql_injdata = ": |;|>|Sql_inj = Split (Sql_injdata, "|")For Sql_data=0 to Ubound (Sql_inj)If InStr (Squerysurl,sql_inj (Sql_data)) >0 ThenResponse.Write "Your actions may be SQL injection behavior. "Response.EndEnd IfNext%>
I think there is also a way to prevent SQL
,post,client-agent,cookie,server enviroment ...
2. Why can an attacker "inject" the statement it wants?
Because the server-side application uses a patchwork of SQL statements (please pay special attention to the word), it gives the attacker the opportunity to include SQL keywords or operators in the submitted data to construct the statements they want.
3.SQL
controlled by the entire computer in several ways, thus completing the entire injection process, otherwise, continue:
1. Web virtual directory discovered
2. upload an ASP Trojan Horse;
3. Get administrator permissions
Procedure:
I. Determination of SQL Injection Vulnerabilities
If you have never used
, today's SQL injection attackers are smarter and more comprehensive about how to find vulnerable sites. Some new methods of SQL attack have emerged. Hackers can use a variety of tools to speed up the exploit process. Let's take a look at the Asprox Trojan, which is mainly spread through a spam-sending zombie network, and its entire work can be described as follo
SQL Injection Analysis (manual injection detection) and manual injection script command excellent EditionThe intrusion process includes the following steps: 1. test whether the ASP system has an injection vulnerability; 2. Obtain
technology is very simple, from the simple development method and the study cost of personnel considerations, we all know the technical way, can overcome the development process of team personnel replacement (turnover, new)The choice of technology is the essence of the pandemic architecture, do not use a very large underlying framework, training and learning costs are very high, from learning to development needs a long process, which is what bosses do not want to seeIt also takes into account
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.