SQL injection attacks are caused by flaws in the way our program builds its SQL statements. Let's look at how the InStr function in ASP can be used to block SQL injection attempts. The check looks like this:
If InStr(Request("id"), " ") > 0 Or InStr(Request("id"), "'") > 0 Then Response.Redirect "index.htm"
Of course, you can put whatever you like after Then.
Let's first look at the InStr function.
Syntax
InStr([start, ]string1, string2[, compare])
The InStr function has the following parameters:
Parameter descriptions
start: Optional. A numeric expression that sets the starting position for each search. If omitted, the search starts at the first character position. If start contains Null, an error occurs. If compare is specified, start is required.
string1: Required. The string expression being searched.
string2: Required. The string expression to search for.
compare: Optional. A numeric value indicating the type of comparison to use when evaluating substrings. See the compare values below. If omitted, a binary comparison is performed.
The compare parameter can have the following values:
Constant         Value  Description
vbBinaryCompare  0      Performs a binary (case-sensitive) comparison.
vbTextCompare    1      Performs a text (case-insensitive) comparison.
Return values
InStr returns the following values:
If                                 InStr returns
string1 is zero-length             0
string1 is Null                    Null
string2 is zero-length             start
string2 is Null                    Null
string2 is not found               0
string2 is found within string1    the position at which the match is found
start > Len(string1)               0
The following example uses InStr to search a string:
Dim SearchString, SearchChar, MyPos
SearchString = "XXpXXpXXPXXP"   ' The string to search in.
SearchChar = "P"                ' Search for "P".
MyPos = InStr(4, SearchString, SearchChar, 1)   ' Text comparison starting at the 4th character returns 6.
MyPos = InStr(1, SearchString, SearchChar, 0)   ' Binary comparison starting at the 1st character returns 9.
MyPos = InStr(SearchString, SearchChar)         ' Returns 9 (compare omitted, so binary comparison is the default).
MyPos = InStr(1, SearchString, "W")             ' Binary comparison starting at the 1st character returns 0 ("W" is not found).
Note that the InStrB function works on the byte data contained in a string, so it returns the byte position, not the character position, of the first occurrence of one string within another.
Summary: InStr returns the position of the first occurrence of a character or string within another string. Now let's look at this code:
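As an added example (it is not code from the page), here is a Python model of InStr that implements the parameter rules and the return-value table above and reproduces the values from the page's example, plus an InStrB equivalent that reports byte positions. Two assumptions of this model: VBScript's Null is represented by None, and vbTextCompare is approximated with casefold(), whereas real VBScript uses a locale-aware comparison; InStrB assumes VBScript's two-byte (UTF-16) characters.

```python
from typing import Optional, Union

VB_BINARY_COMPARE = 0   # vbBinaryCompare: case-sensitive comparison
VB_TEXT_COMPARE = 1     # vbTextCompare: case-insensitive comparison

Null = None  # Assumption: VBScript Null is modelled as Python None


def instr(*args: Union[int, str, None]) -> Optional[int]:
    """Model of VBScript InStr([start, ]string1, string2[, compare]).

    Returns the 1-based position of the first occurrence of string2 in
    string1, 0 when it is not found, or Null (None) when either string is Null.
    """
    if len(args) == 2:
        start, string1, string2, compare = 1, args[0], args[1], VB_BINARY_COMPARE
    elif len(args) == 3:
        (start, string1, string2), compare = args, VB_BINARY_COMPARE
    elif len(args) == 4:
        start, string1, string2, compare = args
    else:
        raise TypeError("InStr takes 2 to 4 arguments")

    if start is None:
        raise ValueError("start contains Null")   # documented as an error
    if compare not in (VB_BINARY_COMPARE, VB_TEXT_COMPARE):
        raise ValueError("compare must be 0 (binary) or 1 (text)")
    start = int(start)
    if start < 1:
        raise ValueError("start must be 1 or greater")
    if string1 is None or string2 is None:
        return Null                               # Null propagates
    if string1 == "":
        return 0                                  # nothing to search
    if string2 == "":
        return start                              # empty needle matches at start
    if start > len(string1):
        return 0                                  # start is beyond the end

    haystack, needle = string1, string2
    if compare == VB_TEXT_COMPARE:
        # Assumption: casefold() stands in for VBScript's locale-aware text compare
        haystack, needle = string1.casefold(), string2.casefold()
    index = haystack.find(needle, start - 1)      # Python indexes from 0
    return 0 if index == -1 else index + 1


def instrb(string1: str, string2: str) -> int:
    """Byte-position flavour of InStr (binary comparison only).

    VBScript strings are UTF-16, so each character occupies two bytes and the
    byte position of "c" in "abc" is 5, not 3.
    """
    haystack = string1.encode("utf-16-le")
    needle = string2.encode("utf-16-le")
    index = haystack.find(needle)
    return 0 if index == -1 else index + 1


if __name__ == "__main__":
    # The page's example, reproduced with this model.
    search_string = "XXpXXpXXPXXP"
    print(instr(4, search_string, "P", VB_TEXT_COMPARE))    # 6
    print(instr(1, search_string, "P", VB_BINARY_COMPARE))  # 9
    print(instr(search_string, "P"))                        # 9
    print(instr(1, search_string, "W"))                     # 0
    print(instrb("abc", "c"))                               # 5
```

The order of the checks matters: a Null string is tested before the zero-length rules, and an empty string2 returns start even when start is past the end of string1, which is how the table above reads.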
If InStr(Request("id"), " ") > 0 Or InStr(Request("id"), "'") > 0 Then
Meaning: look for the position of the space character and of the single-quote character (') in Request("id"), using binary comparison. If either the space or the ' character is found, the statement after Then runs.
Now everyone understands what it means!
When I first saw this, I asked: what if, in ASP, someone appends characters such as ; or , to id=90? Wouldn't that still cause an error? (Yes, it would.)
Some people will then say: I'll just add more characters to the If statement, for example change it to: If InStr(Request("id"), " ") > 0 Or InStr(Request("id"), "'") > 0 Or InStr(Request("id"), ";") > 0 Or InStr(Request("id"), ",") > 0 Then
And you can keep adding more later, haha! (That works, but it gets uglier and uglier.)
Yes, after adding these it can indeed defeat some so-called hackers.
In fact, it isn't necessary. Have you forgotten the clause InStr(Request("id"), " ") > 0? It already checks for the space character! As long as that clause is there, wouldn't those so-called hackers' and 1=1 be useless?
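The following Python program is an added example, not code from the page. It ports the page's check to a function, runs it over a few constructed request values, and runs each value that gets past the check against an in-memory SQLite table in two ways: pasted into the SQL text by string concatenation, which is the query style the check is guarding, and as a bound parameter. It shows what the check catches (a space or a quote) and the caveat a practitioner needs: two values that contain neither character still change the query when concatenated, so the check is best backed by a numeric allow-list or a parameterized query. The table, the sample values and the is_numeric_id helper are all assumptions of this example.

```python
import re
import sqlite3


def instr(string1: str, string2: str) -> int:
    """VBScript InStr with the default binary comparison: 1-based position or 0."""
    return string1.find(string2) + 1


def passes_instr_filter(request_id: str) -> bool:
    """Port of the page's check:
        If InStr(Request("id"), " ") > 0 Or InStr(Request("id"), "'") > 0 Then
            Response.Redirect "index.htm"
    True means the value reaches the query; False means the user is redirected.
    """
    return not (instr(request_id, " ") > 0 or instr(request_id, "'") > 0)


def is_numeric_id(request_id: str) -> bool:
    """Allow-list check for a numeric id (an assumption of this example,
    not something the page shows): ASCII digits only, bounded length."""
    return re.fullmatch(r"[0-9]{1,9}", request_id) is not None


def open_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's article table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [(90, "public post"), (91, "unpublished draft"), (92, "admin note")],
    )
    return con


def titles_concatenated(con: sqlite3.Connection, request_id: str) -> list:
    """The pattern the InStr check is guarding: the id pasted into the SQL text."""
    sql = "SELECT title FROM articles WHERE id=" + request_id
    return [row[0] for row in con.execute(sql)]


def titles_parameterized(con: sqlite3.Connection, request_id: str) -> list:
    """Same query with a bound parameter: the value can never become SQL syntax."""
    rows = con.execute("SELECT title FROM articles WHERE id=?", (request_id,))
    return [row[0] for row in rows]


# Constructed request values as seen after URL decoding; not real traffic.
SAMPLE_IDS = {
    "plain": "90",
    "classic": "90 and 1=1",            # contains spaces: caught by the check
    "quote": "90'",                     # contains a quote: caught by the check
    "comment_gap": "90/**/or/**/1=1",   # no space, no quote: gets past the check
    "tab_gap": "90\tor\t1=1",           # %09 in the URL is a tab, also no space
}


def evaluate(request_id: str) -> dict:
    """Run one request value through the check and both query styles."""
    con = open_db()
    passes = passes_instr_filter(request_id)
    result = {
        "instr_filter_passes": passes,
        "numeric_allowlist_passes": is_numeric_id(request_id),
        # Only values that get past the check reach the database, as on the page.
        "concatenated_rows": titles_concatenated(con, request_id) if passes else [],
        "parameterized_rows": titles_parameterized(con, request_id) if passes else [],
    }
    con.close()
    return result


if __name__ == "__main__":
    for name, value in SAMPLE_IDS.items():
        print(name, repr(value), evaluate(value))
```

With string concatenation, the two values that contain neither a space nor a quote return every row in the table, because SQLite (like other engines) treats a /**/ comment or a tab as whitespace between tokens. The bound parameter compares the whole value against the id column and returns nothing for them, and the numeric allow-list rejects them before any query is built.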