Author: NB Alliance - Kotake

P.S.: this is an old piece, nothing more to it. I miss the 54NB of the network-security days!

SQL injection is used more and more often to break into websites, and some web programmers have started paying attention to it. Too often, though, the defence goes wrong in one of two ways: the filter is incomplete and misses some characters, leaving the hole open; or it treats every input as hostile and turns away legitimate users. Imagine a user who wants to type I'm A Boy and gets an error page thrown in his face. Will he still want to visit your site? Below I describe how to defend against SQL injection from the program side.

First, look at the three simplest SQL statements:

1. sql = "select * from users where userid=" & request("id")
2. sql = "select * from users where userid='" & request("id") & "'"
3. sql = "select * from users where username like '%" & request("name") & "%'"

In the first statement the parameter is numeric; that much is obvious. In the second, if the userid column is of type int, some people are unsure. In fact, telling numeric from character parameters is easy: look at what surrounds the parameter in the SQL statement. In the first statement there are no single quotes, so it is numeric; in the second and third there are single quotes, so it is character type.

For numeric variables the incoming parameter goes straight into the SQL statement, and since it has to be a number, checking it with IsNumeric is very secure. I tried to break it with parameters such as /0, but failed. For character variables the incoming parameter becomes a constant: if you pass 1 and 1=1, the SQL statement reads userid='1 and 1=1'. The single quotes confine the value to a single constant, and the only character that can break out of that range is the one that delimits it: the single quote.
Therefore a character-type variable is completely safe as long as the ' is filtered. As for how to filter it, the best way is to replace each single quote with two single quotes, because SQL specifies that a single quote inside a 'constant' is written as two single quotes. That way the user's input is kept exactly as typed, and the program stays secure. Below are two functions you can copy and call directly.
'--------------------------------------------------------------
' NB Alliance anti-injection functions ReqNum / ReqStr
'--------------------------------------------------------------
Function ReqNum(StrName)
    ' Numeric parameter: must pass IsNumeric, otherwise stop the page
    ReqNum = Request(StrName)
    If Not IsNumeric(ReqNum) Then
        Response.Write "Parameter must be numeric!"
        Response.End
    End If
End Function

Function ReqStr(StrName)
    ' Character parameter: double every single quote so it stays inside the constant
    ReqStr = Replace(Request(StrName), "'", "''")
End Function

The three SQL statements again, showing how to call the functions:

1. sql = "select * from users where userid=" & ReqNum("id")
2. sql = "select * from users where userid='" & ReqStr("id") & "'"
3. sql = "select * from users where username like '%" & ReqStr("name") & "%'"

To reaffirm: the above method works no matter whether the database is SQL Server, Access or something else; it is absolutely suitable and absolutely safe. Note one exception: SQL Server stored procedures, in which case the single quote is replaced with four single quotes to stay secure. In addition, NB Alliance-Pants has written an article on SQL Server security settings, so that when a vulnerability does exist the intruder gets as little privilege and data as possible. It has been published on www.54nb.com; take a look if you are interested.
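As an added example (not the article's own code), here is the same scheme in Python against SQLite instead of ASP and Access: the article's three statements built with counterparts of ReqNum and ReqStr, run against a constructed users table, plus a check of the four-quote rule for the stored-procedure case. The integer check is stricter than VBScript's IsNumeric.

```python
import re
import sqlite3

# Constructed sample rows standing in for the article's users table.
ROWS = [(1, "alice"), (2, "bob"), (3, "I'm A Boy")]


def req_num(value):
    """Counterpart of ReqNum: accept only a plain integer (stricter than IsNumeric)."""
    if not re.fullmatch(r"-?\d+", value.strip()):
        raise ValueError("Parameter must be numeric!")
    return value.strip()


def req_str(value):
    """Counterpart of ReqStr: double each single quote so the value stays one constant."""
    return value.replace("'", "''")


def req_str_for_proc(value):
    """Stored-procedure case from the article: four quotes, which is what doubling twice
    gives when the value is quoted once in the EXEC call and once in dynamic SQL inside."""
    return req_str(req_str(value))


def run(sql):
    """Execute one of the statements against an in-memory copy of the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (userid integer, username text)")
    conn.executemany("insert into users values (?, ?)", ROWS)
    return conn.execute(sql).fetchall()


def by_id_num(raw):   # statement 1: numeric parameter, no quotes around it in the SQL
    return run("select * from users where userid=" + req_num(raw))


def by_id_str(raw):   # statement 2: character parameter inside single quotes
    return run("select * from users where userid='" + req_str(raw) + "'")


def by_name(raw):     # statement 3: LIKE pattern inside single quotes
    return run("select * from users where username like '%" + req_str(raw) + "%'")


if __name__ == "__main__":
    print(by_name("I'm A Boy"))        # legitimate apostrophe is kept and still matches
    print(by_name("' or '1'='1"))      # quote stays inside the constant: no rows
    print(by_id_str("1 and 1=1"))      # compared as a single literal: no rows
```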