Writing a general ASP anti-injection program (selected from ph4studio's Blog)
Writing a general keyword-based ASP anti-injection program
Source
SQL injection has been played to death by so-called hackers at the novice level. I found that most intrusions today are based on SQL injection.
Alas, who made it so easy to get started? OK, enough chatter; let me now explain how to write a general SQL anti-injection program.
HTTP requests are essentially just GET and POST, so as long as we filter illegal characters out of every GET or POST request parameter in one file,
we can use that HTTP request information to judge whether the page is being subjected to a SQL injection attack.
What IIS passes to asp.dll is a string; when that data reaches Request.QueryString,
the ASP parser analyses it and splits it into an array on "&".
So we intercept it as follows.
First, we specify that a request may not contain any of the following characters or keywords:
'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare
Each entry is separated by "|"; then we check every parameter in Request.QueryString against the list.
The specific code is as follows:
Dim SQL_injdata, SQL_inj, SQL_Get, SQL_Data
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = Split(SQL_injdata, "|")
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data = 0 To UBound(SQL_inj)
            ' vbTextCompare makes the match case-insensitive; InStr's default is case-sensitive,
            ' which would let an upper-case keyword slip through the check.
            If InStr(1, Request.QueryString(SQL_Get), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write "<script>alert('Tianxia Movie Alliance SQL Universal Anti-Injection System prompts ↓\n\nPlease do not include illegal characters in the parameters and try to inject!');history.back(-1)</script>"
                Response.End
            End If
        Next
    Next
End If
In this way we intercept injection through GET requests, but we also have to filter POST requests, so we must go on to consider Request.Form. It is likewise an array, so we only need to run the same loop over it. The code is as follows:
Dim SQL_Post
If Request.Form <> "" Then
    For Each SQL_Post In Request.Form
        For SQL_Data = 0 To UBound(SQL_inj)
            ' Same case-insensitive check as for the query string
            If InStr(1, Request.Form(SQL_Post), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write "<script>alert('Tianxia Movie Alliance SQL Universal Anti-Injection System prompts ↓\n\nPlease do not include illegal characters in the parameters and try to inject!\n\nHTTP://www.521movie.com');history.back(-1)</script>"
                Response.End
            End If
        Next
    Next
End If
OK, the job is done: we now intercept the information in both GET and POST requests. You only need to include this page before the file that opens the database connection, such as conn.asp. Then keep developing your program with confidence, with no need to worry about whether it can still be attacked by SQL injection. Isn't that right?
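As an added example that is not part of the original post, here is the same keyword check as reusable JavaScript functions: a case-insensitive substring match like the loop above, a whole-word variant, and a checker that walks every request parameter. The sample requests are constructed; they show that the substring blacklist also rejects legitimate values such as a surname containing "and", which is why a filter like this supplements, rather than replaces, parameterized queries.

```javascript
// Added example, not code from the original post: the keyword filter as
// reusable functions, plus a whole-word variant that reduces false positives.
const SQL_INJ_DATA =
  "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare";
const SQL_INJ = SQL_INJ_DATA.split("|");

// Substring match, as in the post's InStr loop, but case-insensitive.
// Returns the first blacklisted keyword found in the value, or null.
function findSubstringHit(value) {
  const v = String(value).toLowerCase();
  for (const kw of SQL_INJ) {
    if (v.indexOf(kw) !== -1) return kw;
  }
  return null;
}

// Whole-word variant: alphabetic keywords must appear as standalone words,
// so "Anderson" no longer trips on "and"; the ' * % characters still match anywhere.
function findWordHit(value) {
  const v = String(value).toLowerCase();
  for (const kw of SQL_INJ) {
    if (/^[a-z]+$/.test(kw)) {
      if (new RegExp("\\b" + kw + "\\b").test(v)) return kw;
    } else if (v.indexOf(kw) !== -1) {
      return kw;
    }
  }
  return null;
}

// Walk every parameter of a request (a plain object standing in for
// Request.QueryString or Request.Form) and report the first offending one.
function checkParams(params, matcher = findSubstringHit) {
  for (const [name, value] of Object.entries(params)) {
    const kw = matcher(value);
    if (kw !== null) return { param: name, keyword: kw };
  }
  return null;
}

// Constructed sample requests (hypothetical values, not from the post).
const legitimateGet = { id: "12", name: "Anderson" };
const legitimatePost = { comment: "countdown starts tomorrow" };

console.log(checkParams(legitimateGet));              // { param: 'name', keyword: 'and' }
console.log(checkParams(legitimateGet, findWordHit)); // null
console.log(checkParams(legitimatePost));             // { param: 'comment', keyword: 'count' }
```

Even the whole-word variant still rejects an apostrophe in a name like O'Brien, so the right fix for the query itself is a parameterized ADODB.Command rather than string concatenation.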