SQL injection attacks refer to exploiting design vulnerabilities to run Sql commands on the target server and perform other attacks to dynamically generate Sql commands without verifying the data entered by the user. This is the main reason why Sql injection attacks succeed.
for example:
If your query statement is select * from admin where username=''"&user&"'' and password=''"&pwd&"''"
So, if my username is: 1'' or ''1''=''1
Then, your query statement will become:
select * from admin where username=''1 or ''1''=''1'' and password=''"&pwd&"''"
In this way, your query statement will pass, and you can enter your management interface.
Therefore, user input needs to be checked when taking precautions. Convert or filter some special characters, such as single quotes, double quotes, semicolons, commas, colons, connection numbers, etc.
The special characters and strings that need to be filtered are:
net user
xp_cmdshell
/add
exec master.dbo.xp_cmdshell
net localgroup administrators
select
count
Asc
char
mid
''
:
"
insert
delete from
drop table
update
truncate
from
%
The following are two prevention codes I wrote about solving injection attacks for your reference!
js version of code to prevent SQL injection attacks:
<script language="****">
<!--
var url = location.search;
var re=/^?(.*)(select%20|insert%20|delete%20from%20|count(|drop%20table|update%20truncate%20|asc(|mid(|char (|xp_cmdshell|exec%20master|net%20localgroup%20administrators|"|../../image/bbs3000/whatchutalkingabout_smile.gifnet%20user|''|%20or%20)(.*)$/gi;
var e = re.test(url);
if(e) {
alert("The address contains illegal characters~");
location.href="error.asp";
}
//-->
<script>
[CODE END]
ASP version of the code to prevent SQL injection attacks~:
[CODE START]
<%
On Error Resume Next
Dim strTemp
If LCase(Request.ServerVariables("HTTPS")) = "off" Then
strTemp = "http://"
Else
strTemp = "https://"
End If
strTemp = strTemp & Request.ServerVariables("SERVER_NAME")
If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")
strTemp = strTemp & Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
strTemp = LCase(strTemp)
If Instr(strTemp,"select%20") or Instr(strTemp,"insert%20") or Instr(strTemp, "delete%20from") or Instr(strTemp,"count(") or Instr(strTemp,"drop%20table") or Instr(strTemp,"update%20") or Instr(strTemp,"truncate%20") or Instr(strTemp,"asc(") or Instr(strTemp,"mid(") or Instr(strTemp,"char(") or Instr(strTemp,"xp_cmdshell") or Instr(strTemp,"exec%20master") or Instr(strTemp,"net%20localgroup%20administrators") or Instr(strTemp,":") or Instr(strTemp,"net%20user") or Instr(strTemp,"''") or Instr(strTemp,"%20or %20") then
Response.Write "<script language=''****''>"
Response.Write "alert(''Illegal address!!'');"
Response.Write "location.href=''error.asp'';"
Response.Write "<script>"
End If
%>
The following are relatively simple prevention methods. These are methods that everyone is familiar with. I just reposted them. Hope I can give you some help~
Mainly for numeric variable transfer:
id = Request.QueryString("id")
If Not(isNumeric(id)) Then
Response.Write "Illegal address~"
Response.End
End If