Developing ASP websites with Dreamweaver is simple and easy to use. Novices can compile a dynamic website that looks perfect in a short time. In terms of functions, novices can also do what veterans can do. So is there no difference between novices and veterans? The difference here is huge, but it is difficult for a layman to see it at a glance. The friendliness of the interface, operating performance and website security are the three main points that distinguish novices from experienced users.
In terms of security, the issue novices most easily overlook is the SQL injection vulnerability. Scanning some ASP websites on the Internet with NBSI 2.0 shows that many of them have SQL injection vulnerabilities.
So-called SQL injection takes advantage of a design flaw, namely the programmer checking the legality of user input loosely or not at all, to deliberately submit special code (SQL commands) from the client and collect program and server information: an attack that obtains whatever information the attacker wants.
It can be seen that the main reason SQL injection attacks succeed is that the data entered by the user is not verified, so SQL commands can be dynamically generated from the client.
HTTP requests are generally GET or POST, so as long as the program filters illegal characters out of the parameters of every POST or GET request, SQL injection attacks can be prevented.
Unfortunately, DW does not provide such code, so if you want to prevent SQL injection attacks, you need to add it by hand.
Save the following program as SQLinjection.asp, then call it in the header of each page that needs protection against injection:
<!--#Include File="SQLinjection.asp"-->
This prevents injection on that page.
To protect the entire site, add the include call to the header of the database connection file in the Connections directory generated by DW, or paste the program code directly into that file. Note that when the check is added to the connection file it also runs on back-end forms, for example when adding articles: if the submitted content contains a SQL keyword, the system will mistake it for a SQL attack and show the error prompt.
The general program code (quoted from the Internet with appropriate changes) is as follows:
<%
'-------- Definition part ------------------
' Blacklist of SQL keywords and characters, separated by "|" (the first entry is the single quote)
Dim SQL_injdata, SQL_inj, SQL_Get, SQL_Post, SQL_Data
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|1=1|1=2|;"
SQL_inj = Split(SQL_injdata, "|")
'-------- GET part (Request.QueryString) ------------------
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data = 0 To UBound(SQL_inj)
            ' vbTextCompare makes the match case-insensitive, so SELECT is caught as well as select
            If InStr(1, Request.QueryString(SQL_Get), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write "<Script Language=JavaScript>alert('The system prompts you!\n\nPlease do not include illegal characters in the parameters and try to inject!\n\n');window.location='index.htm';</Script>"
                Response.End
            End If
        Next
    Next
End If
'-------- POST part (Request.Form) ------------------
If Request.Form <> "" Then
    For Each SQL_Post In Request.Form
        For SQL_Data = 0 To UBound(SQL_inj)
            If InStr(1, Request.Form(SQL_Post), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write "<Script Language=JavaScript>alert('The system prompts you!\n\nPlease do not include illegal characters in the parameters and try to inject!\n\n');window.location='index.htm';</Script>"
                Response.End
            End If
        Next
    Next
End If
%>
With the above program in place, dangerous SQL injection characters submitted by GET or POST are rejected, the sender is warned, and the browser is redirected to index.htm (the home page).
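The following is an added example, not code from the article or from Dreamweaver. It ports the keyword blacklist above to Python so it can be run against sample request parameters, and puts it next to the two points the article makes earlier: a query assembled by string concatenation lets the client change the SQL command (search_unsafe), while a query with a bound parameter treats the same input as plain data (search_parameterized). The `news` table, its three rows and all parameter values are constructed for the example; the function names are assumptions.

```python
import sqlite3

# Keyword list mirroring the article's SQL_injdata string; the first entry is
# the single quote character.
SQL_INJ_DATA = ("'|and|exec|insert|select|delete|update|count|*|%|chr|mid|"
                "master|truncate|char|declare|1=1|1=2|;")
SQL_INJ = SQL_INJ_DATA.split("|")


def find_blocked_keyword(params):
    """Return (parameter name, keyword) for the first request parameter whose
    value contains a blacklisted token, compared case-insensitively, or None
    when every value passes. This is the article's GET/POST loop."""
    for name, value in params.items():
        lowered = str(value).lower()
        for keyword in SQL_INJ:
            if keyword in lowered:
                return name, keyword
    return None


def setup_db():
    """Constructed in-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news (title) VALUES (?)",
                     [("Hello",), ("Dreamweaver tips",), ("Release notes",)])
    conn.commit()
    return conn


def search_unsafe(conn, keyword):
    """The pattern the article warns about: the SQL text is built from the raw
    parameter, so characters in the parameter become part of the command."""
    sql = "SELECT title FROM news WHERE title LIKE '%" + keyword + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, keyword):
    """Hardened form: the parameter is bound by the driver and is never
    interpreted as SQL, whatever characters it contains."""
    sql = "SELECT title FROM news WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + keyword + "%",))]


def handle_request(conn, params):
    """Model of the article's flow: a blacklist hit rejects the request (the
    ASP page writes an alert and redirects); otherwise the query runs with a
    bound parameter taken from the constructed 'q' field."""
    hit = find_blocked_keyword(params)
    if hit is not None:
        return {"status": "blocked", "param": hit[0], "keyword": hit[1]}
    return {"status": "ok", "rows": search_parameterized(conn, params.get("q", ""))}


if __name__ == "__main__":
    db = setup_db()
    print(find_blocked_keyword({"q": "Dream"}))
    print(find_blocked_keyword({"title": "Selecting a template"}))
    print(handle_request(db, {"q": "Dream"}))
    print(handle_request(db, {"q": "' OR 1=1 --"}))
    print(search_parameterized(db, "' OR 1=1 --"))
```

Two things the run makes visible. First, the side effect the article mentions for site-wide use: an ordinary article title such as "Selecting a template" is blocked because it contains "select", so the filter trades false positives for coverage. Second, the bound parameter in search_parameterized returns no rows for an input built from the article's own blacklisted tokens, whereas search_unsafe returns every row for it; the blacklist reduces exposure, but binding parameters is what removes the dynamic generation of SQL from client data that the article identifies as the root cause.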