The function is very simple. It handles the two kinds of parameters a page receives, strings and numbers. Usage:
Character type:
strUserName = CheckInput(Request("UserName"), "S")
Numeric type:
ID = CheckInput(Request("ID"), "I")
The function itself:
Function CheckInput(Str, StrType)
    ' Purpose: for character parameters, double every single quote; for numeric
    ' parameters, check that the value is numeric and substitute 0 if it is not.
    ' Parameters: Str     - the value to filter
    '             StrType - parameter type: "S" for character, "I" for numeric
    Dim StrTmp
    StrTmp = ""
    ' The callers above pass "S" and "I" in upper case. VBScript's = on strings is
    ' case-sensitive by default, so compare on LCase() or neither branch matches.
    If LCase(StrType) = "s" Then
        ' Inside a SQL string literal, '' is a literal quote, so the value can
        ' no longer close the literal and start a new clause.
        StrTmp = Replace(Trim(Str), "'", "''")
    ElseIf LCase(StrType) = "i" Then
        ' A numeric parameter is placed in the query unquoted, so it must be a number.
        If IsNumeric(Str) = False Then Str = "0"
        StrTmp = Str
    Else
        StrTmp = Str
    End If
    CheckInput = StrTmp
End Function
It is also best to filter out ":"; writing the character with Chr() is recommended.
There seems to be little left to say about preventing SQL injection in ASP. In the projects I have built,
I always use my own function to handle the data submitted by the client, and I have already posted that function on my blog.
For details see http://blog.9cbs.net/cqq/archive/2004/09/23/113786.aspx
However, judging from a friend's message and from some of the other anti-SQL-injection functions circulating online, many people have gone down the wrong path.
The damage SQL injection can do is large. On SQL Server, for example, an attacker can create or delete databases and execute system commands, e.g. DROP TABLE tbl_name or EXEC master.dbo.xp_cmdshell 'command'.
So many people write functions that desperately filter every keyword that might be dangerous, such as DROP, semicolons, AND, EXEC, MID, and so on, a long list of them.
In fact none of that is necessary; it turns something simple into something complicated.
For filtering, it is enough to handle character and numeric parameters separately:
for character parameters, convert each single quote into two single quotes, StrTmp = Replace(Trim(Str), "'", "''"); for numeric parameters, check whether the value can be converted to a number, using the IsNumeric function.
This already defeats the single-quote attack. In fact, if a numeric parameter is handled as if it were a character type, there is still a way to bypass it, but that will have to wait........
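To make the function above and the two-branch rule restated in this section concrete, here is a Python port of CheckInput that can be exercised offline. This is an added example, not the original ASP code. One assumption: VBScript's IsNumeric() is replaced by a stricter decimal-number check, and whitespace is trimmed for both types (the original trims only strings). The sample inputs and the table and column names are constructed for the demo. The last helper shows what the page warns about at the end: a numeric parameter that is mistakenly run through the character branch is spliced into the query unquoted, so doubling quotes protects nothing.

```python
import re

# Added example: Python port of the page's ASP CheckInput function.
# Assumption: a strict decimal check stands in for VBScript IsNumeric().
NUMERIC_RE = re.compile(r"^[+-]?\d+(\.\d+)?$")


def check_input(value, strtype):
    """Mirror CheckInput(Str, StrType): "S" doubles single quotes,
    "I" keeps the value only if it is numeric, otherwise returns "0"."""
    text = "" if value is None else str(value).strip()
    kind = strtype.lower()
    if kind == "s":
        # Inside a SQL string literal '' is a literal quote, so the value
        # can no longer terminate the literal and start a new clause.
        return text.replace("'", "''")
    if kind == "i":
        # Non-numeric input is replaced by "0", as the original does.
        return text if NUMERIC_RE.match(text) else "0"
    return text


def build_query(username, user_id):
    """The same string concatenation an ASP page would do after filtering.
    Table and column names are made up for the demo."""
    return (
        "SELECT * FROM users WHERE username = '"
        + check_input(username, "S")
        + "' AND id = "
        + check_input(user_id, "I")
    )


def misfiltered_query(user_id):
    """A numeric parameter filtered as a string: the value sits in the
    query unquoted, so doubling quotes changes nothing about it."""
    return "SELECT * FROM users WHERE id = " + check_input(user_id, "S")


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real request
    print(build_query("O'Brien", "7"))
    print(build_query("' OR '1'='1", "1 OR 1=1"))
    print(misfiltered_query("1 OR 1=1"))
```

Running the block prints the first two queries with the quoted payload kept inside the string literal and the non-numeric ID replaced by 0, and the third query with the injected condition intact, which is exactly why the two types must be filtered separately.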