Tip: display the search keyword in red in the records returned by an ASP query.

<%
' rs is the Recordset object, searchname is the search keyword, "field X" is the column to display.
' Note: searchname comes from user input and is written into the page as-is (unencoded).
Response.Write Replace(rs("field X"), searchname, "<font color=#FF0000>" & searchname & "</font>")
%>

Description: rs is the record set object, and searchname is the search keyword. Reprinted from HTMer (http://www.htmer.com/).
SQL injection: ordinary HTTP requests are nothing more than GET and POST, so as long as we filter illegal characters from the parameters of every POST or GET request in the file, we can prevent SQL injection attacks. IIS passes a GET request to asp.dll as a string. After it is placed in Request.QueryString, the ASP parser analyses Request.QueryString and splits the data into an array on each &. The following lists the code for GET interception and POST interception:

<%
'======= GET interception =======
Dim SQL_injdata, SQL_inj, SQL_Get, SQL_Post, SQL_Data
' Blacklist of substrings to reject; entries are separated by |
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = Split(SQL_injdata, "|")
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data = 0 To UBound(SQL_inj)
            ' vbTextCompare makes the match case-insensitive; the two-argument form of
            ' InStr is a binary (case-sensitive) comparison and would let "SELECT" through
            If InStr(1, Request.QueryString(SQL_Get), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write "<script language='javascript'>alert('HTMer.com system prompt ↓\n\nPlease do not include illegal characters in the parameters and try to inject!\n\nHTTP://www.htmer.com');history.back(-1)</script>"
                Response.End
            End If
        Next
    Next
End If

'====== POST interception ======
If Request.Form <> "" Then
    For Each SQL_Post In Request.Form
        For SQL_Data = 0 To UBound(SQL_inj)
            If InStr(1, Request.Form(SQL_Post), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write "<script language='javascript'>alert('HTMer.com system prompt ↓\n\nPlease do not include illegal characters in the parameters and try to inject!\n\nHTTP://www.htmer.com');history.back(-1)</script>"
                Response.End
            End If
        Next
    Next
End If
%>
OK, we have now implemented interception of GET and POST request parameters. You only need to include this page before the database connection file (such as conn.asp) is opened.
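To see what this keyword blacklist actually catches and misses, here is an added Python re-implementation of the same check (not the page's ASP code) run over constructed request parameters; it also shows the difference between ASP's default case-sensitive two-argument InStr and a case-insensitive comparison, and how ordinary words such as "Sandra" or "account" trip the filter.

```python
# Added example: a Python re-implementation of the page's ASP keyword
# blacklist, used to check offline what the filter catches and misses.
# The keyword list is the one from the page; the request values are constructed.
SQL_INJDATA = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_INJ = SQL_INJDATA.split("|")


def matched_keyword(value, case_insensitive=False):
    """Return the first blacklist entry found in value, or None.

    case_insensitive=False mirrors ASP's two-argument InStr, which does a
    binary (case-sensitive) comparison; True mirrors InStr(..., vbTextCompare).
    """
    haystack = value.lower() if case_insensitive else value
    for kw in SQL_INJ:
        needle = kw.lower() if case_insensitive else kw
        if needle in haystack:
            return kw
    return None


def check_request(params, case_insensitive=False):
    """Mirror the page's For Each loop over Request.QueryString / Request.Form.

    params maps parameter names to values. Returns (name, keyword) for the
    first parameter that would trigger the alert, or None if the request passes.
    """
    for name, value in params.items():
        kw = matched_keyword(value, case_insensitive)
        if kw is not None:
            return (name, kw)
    return None


if __name__ == "__main__":
    # Constructed sample requests: two probes and three legitimate values.
    samples = {
        "lower-case probe":   {"id": "1 and 1=1"},
        "upper-case probe":   {"id": "1 AND 1=1"},
        "legitimate name":    {"user": "Sandra"},      # contains "and"
        "legitimate text":    {"q": "my account"},     # contains "count"
        "plain number":       {"id": "42"},
    }
    for label, params in samples.items():
        print(f"{label:20} case-sensitive: {check_request(params)}  "
              f"case-insensitive: {check_request(params, True)}")
```

The two legitimate values are rejected while the upper-case probe passes the case-sensitive check, which is the trade-off of substring blacklisting that the filter above inherits.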
Share: a function that filters uncivilized words in an ASP program.

<%
Function cutbadchar(str)
    ' Fill in uncivilized words here, separated by |
    badstr = "No|text|ming|character|column|format"
    badword = Split(badstr, "|")
    For i = 0 To UBound(badword)
        If InStr(str, badword(i)) > 0 Then
            str = Replace(str, badword(i), "***")
        End If
    Next
    cutbadchar = str
End Function
%>