Prevent SQL injection vulnerability functions.
Just represent my point of view. I am not afraid of laughing. If you have a problem, please advise! I think if you are a cattle, then this is not worthy of your content, just think it is a bit more practical for the ASP programmer who has just started. So I am not afraid of being joke, I wrote it here!
---- <% Function CHECKSTR (STR)
IF Isnull (STR) THEN
Checkstr = ""
EXIT FUNCTION
END IF
Checkstr = Replace (STR, "," ")
Checkstr = Replace (STR, "'", "'")
Checkstr = Replace (Str, ";", "'")
Checkstr = Replace (STR, "-", "'")
Checkstr = Replace (STR, "(", "'")
Checkstr = Replace (Str, "[", "'")
Checkstr = Replace (STR, "$", "'")
END FUNCTION
%>
Related Functions Left (String, Length) Returns the specified number of characters ASC (String) returns to the ANSI character code corresponding to the first letter of the string. MID (String, Start [, Length]) Returns the specified number of characters from the string. ********************************* My own practice is to qualify the string in 8 characters, Ah! (10 million data, no one has such a big record? 99, 999, 999! Not enough, weird! Unless your data never update, there is no way, the problem is that SQL is like this time. How is the speed)
--- <% IF LEN (Request.QueryString ("DDD"))> 8 TenResponse.write (Black, don't. Less) Response.end 'It is best to have this sentence.
'' 'Preliminary is to determine whether it is a number ======= isNumeric function if isnumeric (Request.QueryString ("DDD")) THEN
Execute ("SELECT * from" ")
....
Else
Response.write (Black I, don't. Less) Response.end 'It is best to have this sentence.
%>
Of course, add the above function, in your SQL process, the effect is very perfect!
Ah! ! ! Make a function in the metamorphosis.
--- <% Function CHECKSTR (STR)
IF Isnull (STR) THEN
Checkstr = ""
EXIT FUNCTION
END IF
Checkstr = Replace (STR, "," ")
Checkstr = Replace (STR, "'", "'")
Checkstr = Replace (Str, ";", "'")
Checkstr = Replace (STR, "-", "'")
Checkstr = Replace (Str, "(", "') Checkstr = Replace (STR," [","' ")
Checkstr = Replace (STR, "$", "'")
Checkstr = Replace (STR, "ASC '," ")
Checkstr = Replace (STR, "MID", "")
Checkstr = Replace (STR, "Delete", "")
Checkstr = Replace (STR, "DROP", "")
'''Ah! ! I am not blocked here. SELECT, COUNT, ha! I think of me, I am too metamorphosis, then it is not that I don't have to be more safer! ! ! Ah! ! ~ ^) ^ ~ End function
%>
Enough, this function is loaded into the place where SQL selection record set. Such as: rsql = "Select * from table where xxx =" & checkstr ("xxyy") & "" or to determine the string
It is a bit Lin, but it is these, for ordinary "hackers" enough for some time. But for the true meaningful hackers, these are not all things, people are black, how can you? Hey there! !
After reading some information, combined with your own experience, written here. If you review it, you can exchange it together! QQ: 22979784 (Please explain the address of this article, afraid! Forgive me!)
In addition, for SQL injection vulnerabilities, it is just more than ASP! Other I am not too clear, so I still need to remind all friends who engage in ASP, please see more, Microsoft's latest [Windows script technology] this thing. Http://download.microsoft.com/download/winscript56/install/5.6/w982kme/cn/scd56chs.exe is below!
