An ASP function to mitigate the SQL injection vulnerability

xiaoxiao2021-03-06  121

The function is very simple: it handles data of two types, strings and numbers. Usage:

    ' character type
    strUserName = CheckInput(Request("UserName"), "S")
    ' numeric type
    ID = CheckInput(Request("ID"), "I")

The function is below:

    Function CheckInput(str, strType)
        ' Purpose: filter single quotes in character parameters; for numeric
        ' parameters, check that the value is numeric and assign 0 if it is not.
        ' Parameters: str     - the parameter to filter
        '             strType - parameter type: "S" for character, "I" for numeric
        Dim strTmp
        strTmp = ""
        If strType = "S" Then
            strTmp = Replace(Trim(str), "'", "''")
        ElseIf strType = "I" Then
            If IsNumeric(str) = False Then str = "0"
            strTmp = str
        Else
            strTmp = str
        End If
        CheckInput = strTmp
    End Function

The harm of SQL injection is severe: on SQL Server, for example, an attacker can create or delete databases, execute system commands, and so on. One approach is to filter every keyword that may cause harm, such as DROP, semicolons, AND, EXE, MID and so on, but that list is long.

In fact, it need not be so cumbersome; that complicates a simple matter. For filtering, it is enough to handle the character type and the numeric type separately:

For the character type, convert each single quote into two single quotes: strTmp = Replace(Trim(str), "'", "''"). For the numeric type, check whether the value can be converted to a number, using the IsNumeric function.

With that, the single-quote attack is defended against. In fact, for numeric types, if you only filter single-quote characters there is still a way around it, so you would not be done yet...
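As an added example (not the original post's code), the same two-type split with a stricter numeric check than IsNumeric, plus an ADODB.Command parameterized query so the value is bound rather than concatenated into the SQL text; the connection string strConn and a Users table with ID and UserName columns are assumed.

```vbscript
' Added example, not from the original post. Assumes strConn holds an ADO
' connection string and a Users table with ID and UserName columns exists.
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1

' Numeric type: accept only an optional sign followed by digits. IsNumeric
' accepts more than plain integers (exponent notation such as "1e3", for
' example), so a strict pattern is used and a default is returned otherwise.
Function CheckInt(str, defaultValue)
    Dim re
    Set re = New RegExp
    re.Pattern = "^-?\d{1,9}$"
    If re.Test(Trim(str & "")) Then
        CheckInt = CLng(Trim(str & ""))
    Else
        CheckInt = defaultValue
    End If
End Function

' Character type: same idea as the post, doubling single quotes. Kept only as a
' fallback for legacy concatenated SQL; the bound parameter below needs no escaping.
Function CheckStr(str)
    CheckStr = Replace(Trim(str & ""), "'", "''")
End Function

' Parameterized lookup: the user-supplied value is bound as a parameter, so
' quotes or keywords inside it cannot change the statement's structure.
Function GetUserByName(strConn, strUserName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = strConn
    cmd.CommandText = "SELECT ID, UserName FROM Users WHERE UserName = ?"
    cmd.Parameters.Append cmd.CreateParameter("UserName", adVarChar, adParamInput, 50, strUserName)
    Set GetUserByName = cmd.Execute
End Function

' Usage, following the post's two cases:
' strUserName = CheckStr(Request("UserName"))                     ' escaped for legacy concatenation
' ID = CheckInt(Request("ID"), 0)                                  ' 0 unless a plain integer
' Set rs = GetUserByName(strConn, Trim(Request("UserName") & ""))  ' preferred: bound parameter
```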

Please credit the original source when reprinting: https://www.9cbs.com/read-101676.html
