NB Alliance SQL Security Setting Raiders

xiaoxiao  2021-03-05

NB-pants [xx]

In the last few days, SQL injection attack tests have intensified, and many large websites and forums have turned out to be injectable. These sites generally use SQL Server databases, and because of this many people have started to doubt SQL Server's security. In fact, SQL Server 2000 has passed the US government's C2 security certification, the highest level the industry offers, so using SQL Server is still quite safe. Of course there is still a gap compared with Oracle and DB2, but SQL Server is easy to use and widely deployed, which is why we keep using it. So how do we set SQL Server up so that we can rest easy?

The first step is, of course, to apply the latest SQL Server security patches; the patch level is now SP3. Download address: http://www.microsoft.com/sql/downloads/2000/sp3.asp. If this is not done, there is no point in going on.

The second step is to change the default port 1433 and hide SQL Server. Hiding the server stops it from responding to the broadcasts that SQL Server clients use to enumerate servers on the network. In addition, block port 1433 in the TCP/IP filter and hide your SQL Server as far as possible. Otherwise, once an attacker has created a SQL Server account through the injection, he can immediately log in remotely with Query Analyzer to continue the attack. Building malicious statements through ASP, PHP and the like has the drawback that the return value has to be read back through the page, which is far less convenient than a direct Query Analyzer session. So the first thing we must do is make sure that even if someone does inject, the attacker does not have an easy time of it. To change it: Enterprise Manager -> your database group -> Properties -> General -> Network Configuration -> TCP/IP -> Properties; change the default port there and set SQL Server to hidden.

The third step is a very important one. SQL injection is usually born in the web code, and as a system administrator or database administrator you cannot look at every line of code; even if you looked at the code often, you could not guarantee you would never miss anything. So what do we do? We start from the database roles and bring the database user's permissions down to the lowest point. SQL Server's default permissions are a real headache: they are very high, and if they are set too low things break, so sysadmin and db_owner are a love-hate affair. Once an attacker has confirmed that the site has a SQL injection hole, one of the next steps is to test how much permission the site's SQL Server user has, with statements such as SELECT IS_SRVROLEMEMBER('sysadmin'), SELECT IS_MEMBER('db_owner'), or user = 0 (comparing a character value with a number so that SQL Server raises an error whose message leaks sensitive information). There is more, but I dare not say too much for fear of getting it wrong and being flattened by the people in the alliance. As things stand, if the site's database user runs with sa permissions, add the absolute web path once it is confirmed and you can announce that the site is finished. With db_owner permission, once the absolute path is confirmed, there is a 50% chance of planting a web trojan such as Haiyang on your machine. So once we confirm this, we have to create our own custom permissions and leave the attacker no opening. Here is an example quoted from SQL Server Books Online:

Create a SQL Server database role (Enterprise Manager)

1. Expand a server group, then expand a server.
2. Expand Databases, then expand the database in which you want to create the role.
3. Right-click Roles, then click New Database Role.
4. In the Name box, enter the name of the new role.
5. Click Add to add members to the Standard role list, then click one or more users to add. (Optional) Only users in the selected database can be added to the role.

Object permissions. Working with data or executing procedures requires a class of permissions called object permissions:

· SELECT, INSERT, UPDATE, and DELETE statement permissions, which can be applied to an entire table or view.
· SELECT and UPDATE statement permissions, which can be selectively applied to individual columns of a table or view.
· SELECT permissions, which can be applied to user-defined functions.
· INSERT and DELETE statement permissions, which affect the entire row and can therefore be applied only to tables and views, not to individual columns.
· EXECUTE statement permissions, which affect stored procedures and functions.

Statement permissions. Activities involved in creating a database, or an item in a database such as a table or stored procedure, require another class of permissions called statement permissions. For example, if a user must be able to create a table in a database, grant the user CREATE TABLE statement permission. Statement permissions (such as CREATE DATABASE) apply to the statement itself rather than to a specific object defined in the database. The statement permissions are:

· BACKUP DATABASE
· BACKUP LOG
· CREATE DATABASE
· CREATE DEFAULT
· CREATE FUNCTION
· CREATE PROCEDURE
· CREATE RULE
· CREATE TABLE
· CREATE VIEW

Implied permissions. Implied permissions control activities that can be performed only by members of predefined system roles or by owners of database objects. For example, a member of the sysadmin fixed server role automatically inherits full permission to do anything in the SQL Server installation. Database object owners also have implied permissions that allow them to perform all activities on the objects they own. For example, a user who owns a table can view, add, or delete data, alter the table definition, or control the permissions that allow other users to work with the table.

The fixed database roles:

· db_owner has all permissions in the database.
· db_accessadmin can add or remove user IDs.
· db_securityadmin can manage all permissions, object ownership, roles, and role memberships.
· db_ddladmin can issue all DDL, but cannot issue GRANT, REVOKE, or DENY statements.
· db_backupoperator can issue DBCC, CHECKPOINT, and BACKUP statements.
· db_datareader can select all data from any user table in the database.
· db_datawriter can modify all data in any user table in the database.
· db_denydatareader cannot select any data from any user table in the database.
· db_denydatawriter cannot change any data in any user table in the database.

Configure the newly created database role with exactly what the site needs: which tables, views, stored procedures and so on it uses. Then leave out db_owner, db_securityadmin and db_backupoperator, and do not give the attacker BACKUP DATABASE or CREATE TABLE; once an attacker holds those two permissions, your site is still in a very dangerous state. Also note that when you create the database account, you must not select any server role for it.
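The role described above can also be built with T-SQL instead of Enterprise Manager. The following script is an added example, not code from the article or from SQL Server Books Online; it uses SQL Server 2000 syntax, and the database WebSite, the database user web_user (assumed to be already mapped to the site's login), the tables dbo.users and dbo.posts, and the procedure dbo.GetPost are placeholder names.

```sql
-- Added example, not from the article. Placeholders: database WebSite, database
-- user web_user, tables dbo.users and dbo.posts, stored procedure dbo.GetPost.
-- Run as a member of db_owner or sysadmin.
USE WebSite
GO

-- 1. A custom role that holds only what the web pages actually need.
EXEC sp_addrole 'web_app'
GO

-- Object permissions: the pages read two tables and write only through a
-- stored procedure, so no INSERT/UPDATE/DELETE on tables is granted at all.
GRANT SELECT  ON dbo.users   TO web_app
GRANT SELECT  ON dbo.posts   TO web_app
GRANT EXECUTE ON dbo.GetPost TO web_app
GO

-- 2. Put the site's user into that role, and take it back out of db_owner if
--    it was ever placed there (sysmembers maps member uid -> role uid).
EXEC sp_addrolemember 'web_app', 'web_user'
IF EXISTS (SELECT 1
           FROM sysmembers m
           JOIN sysusers u ON u.uid = m.memberuid
           JOIN sysusers r ON r.uid = m.groupuid
           WHERE u.name = 'web_user' AND r.name = 'db_owner')
    EXEC sp_droprolemember 'db_owner', 'web_user'
GO

-- 3. Deny the two statement permissions the article singles out. DENY wins
--    over any later careless GRANT to public, so the web account stays out.
DENY CREATE TABLE    TO web_app
DENY BACKUP DATABASE TO web_app
GO

-- 4. Review what the role ended up with (GRANT and DENY rows).
EXEC sp_helprotect NULL, 'web_app'
GO

-- 5. Check from the web user's point of view. SETUSER impersonates a database
--    user until SETUSER is called again with no argument. These are the same
--    functions the article says attackers probe with; here they are the
--    administrator's own test. IS_SRVROLEMEMBER('sysadmin') is evaluated for
--    the login, not the impersonated user, so check that one by connecting
--    with the site's login itself.
SETUSER 'web_user'
SELECT IS_MEMBER('db_owner') AS is_db_owner,   -- expect 0
       IS_MEMBER('web_app')  AS is_web_app     -- expect 1
SETUSER
GO
```

The DENY in step 3 is deliberate rather than a plain omission: a GRANT is only the absence of a permission until someone grants it to public, while a DENY on the role blocks the web account even then.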

The fourth step is to deal with SQL Server's built-in stored procedures. Presumably for installation or other reasons, SQL Server ships with a number of dangerous built-in stored procedures that can read the registry, write to the registry, read disk share information, and so on. You may think: my website has other code in front of the database, it is not like Query Analyzer where results are displayed directly, so even if the attacker has this permission he cannot see the output. If that is what you think, you are badly mistaken. Hint: if the attacker has CREATE TABLE permission, he creates a temporary table, INSERTs the information into it, SELECTs it back out, then compares it with a number so that SQL Server raises an error, and the result comes out through the error messages piece by piece... So our attitude has to be to kill these off rather than let them stay.

First, the list of dangerous built-in stored procedures:

xp_cmdshell
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite

ActiveX automation scripting:

sp_OACreate
sp_OADestroy
sp_OAMethod
sp_OAGetProperty
sp_OASetProperty
sp_OAGetErrorInfo
sp_OAStop

All of the above should be blocked. Take xp_cmdshell as an example of how to block it: sp_dropextendedproc 'xp_cmdshell'. If it is needed later, restore it with sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'. If you do not know which .dll file xp_cmdshell uses, run sp_helpextendedproc xp_cmdshell to see which dynamic link library it is loaded from. In addition, after xp_cmdshell has been dropped, the next step is to change the xpsql70.dll file itself so that sa cannot restore it. Once we have done all this, your SQL Server is basically safe. Information disclosure, however, remains the same as before: after all, we cannot take away SELECT unless your website is pure HTML. Preventing SQL injection requires us to pay attention to it ourselves; that is the rule. Next time we will analyse SQL Server security in its advanced settings. If there are any errors or omissions in this article, please be forgiving. Thank you……
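To apply the blocking method above to the whole list at once, here is an added example (not code from the article): a T-SQL script for SQL Server 2000 that records each extended procedure's DLL with sp_helpextendedproc before dropping it, so that sp_addextendedproc can restore it later if a real need turns up. The table name dbo.audit_xp_removed is a placeholder.

```sql
-- Added example, not from the article. Run in master as sysadmin.
-- dbo.audit_xp_removed is a placeholder name for the record of what was dropped.
USE master
GO

-- Keep the restore information first: sp_helpextendedproc returns (name, dll),
-- which is exactly what sp_addextendedproc needs to put a procedure back.
IF OBJECT_ID('dbo.audit_xp_removed') IS NULL
    CREATE TABLE dbo.audit_xp_removed (name sysname, dll nvarchar(255),
                                       removed_at datetime DEFAULT GETDATE())
GO

-- The article's list: registry and shell procedures, then OLE automation.
DECLARE @targets TABLE (name sysname)
INSERT @targets
SELECT 'xp_cmdshell'               UNION ALL
SELECT 'xp_regaddmultistring'      UNION ALL
SELECT 'xp_regdeletekey'           UNION ALL
SELECT 'xp_regdeletevalue'         UNION ALL
SELECT 'xp_regenumkeys'            UNION ALL
SELECT 'xp_regenumvalues'          UNION ALL
SELECT 'xp_regread'                UNION ALL
SELECT 'xp_regremovemultistring'   UNION ALL
SELECT 'xp_regwrite'               UNION ALL
SELECT 'sp_OACreate'               UNION ALL
SELECT 'sp_OADestroy'              UNION ALL
SELECT 'sp_OAMethod'               UNION ALL
SELECT 'sp_OAGetProperty'          UNION ALL
SELECT 'sp_OASetProperty'          UNION ALL
SELECT 'sp_OAGetErrorInfo'         UNION ALL
SELECT 'sp_OAStop'

DECLARE @proc sysname
WHILE EXISTS (SELECT 1 FROM @targets)
BEGIN
    SELECT TOP 1 @proc = name FROM @targets ORDER BY name

    -- xtype 'X' marks an extended stored procedure in sysobjects; skip names
    -- that are already gone so the script can be re-run safely.
    IF EXISTS (SELECT 1 FROM sysobjects WHERE name = @proc AND xtype = 'X')
    BEGIN
        INSERT dbo.audit_xp_removed (name, dll) EXEC sp_helpextendedproc @proc
        EXEC sp_dropextendedproc @proc
        PRINT 'dropped ' + @proc
    END
    ELSE
        PRINT 'not present: ' + @proc

    DELETE @targets WHERE name = @proc
END
GO

-- Verify: nothing from the list should still resolve as an extended procedure.
SELECT name FROM sysobjects
WHERE xtype = 'X'
  AND (name LIKE 'xp_reg%' OR name LIKE 'sp_OA%' OR name = 'xp_cmdshell')
GO

-- Restoring one later, if it is genuinely needed, uses the recorded DLL:
--   EXEC sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
```

The audit table matters as much as the drop: the article's own restore step needs the DLL name, and sp_helpextendedproc can no longer report it once the procedure has been dropped.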

I also recommend the SQL injection testing tool NBSI2, developed by comrade Xiaozhu in the alliance, which has a representative effect on SQL injection, and the NBwebshell written by my junior. These tools can be downloaded from the alliance website.

NB Alliance - Jadesun (Pants) QQ: 280155 NB Website: www.54nb.com

SQL Injection Defense Method - Programmer

Author: NB Union - Kotake


SQL injection is used more and more to break into websites, and some web programmers have begun to pay attention to it, but because intrusion methods keep changing, some characters get missed during filtering and security holes result; or else everything is treated as a threat and some legitimate user requests are turned away at the door. Imagine a user who wants to type I'm A Boy and gets an error thrown in his face; will he still want to visit your website? Below I introduce SQL injection defenses from the programming side. First, look at the three simplest SQL statements:

1. SQL = "SELECT * FROM users WHERE userid = " & Request("id")

2. SQL = "SELECT * FROM users WHERE userid = '" & Request("id") & "'"

3. SQL = "SELECT * FROM users WHERE username LIKE '%" & Request("name") & "%'"

In the first statement the parameter is numeric, which is obvious. In the second, if the userid column is an int type, some people are not sure. In fact, to tell a numeric parameter from a character one, just look at whether the parameter has quotes on both sides in the SQL statement: the first statement has no single quotes, so it is numeric; the second and third have single quotes, so they are character type. For numeric variables the incoming parameter is placed into the SQL statement as-is, and because the parameter is numeric, checking it with IsNumeric is very safe; I have tried to break it with parameters such as /0, but without success.

For character variables the incoming parameter is placed into the statement as a constant. For instance, if you pass 1 and 1=1, the SQL statement becomes userid = '1 and 1 = 1'; whatever is inside the single quotes is just one constant, and the only character that can break out of that range is the delimiter itself: the single quote. Therefore a character variable is completely safe as long as the ' is filtered. As for how to filter it, the best way is to replace a single quote with two single quotes, because SQL specifies that a constant is delimited by ' characters, and a single quote inside the constant is written as two single quotes. In this way the user's input keeps its original form while the program stays secure.

Below are two functions; you can copy them and call them directly.

'-----------------------------------------------------
' NB Alliance anti-injection functions ReqNum / ReqStr
'-----------------------------------------------------

' Numeric parameter: stop the request unless the value is a number.
Function ReqNum(StrName)
    ReqNum = Request(StrName)
    If Not IsNumeric(ReqNum) Then
        Response.Write "Parameter must be numeric!"
        Response.End
    End If
End Function

' Character parameter: double every single quote so it stays inside the
' SQL string constant.
Function ReqStr(StrName)
    ReqStr = Replace(Request(StrName), "'", "''")
End Function

Using the three SQL statements above, here is how they are called:

1. SQL = "SELECT * FROM users WHERE userid = " & ReqNum("id")

2. SQL = "SELECT * FROM users WHERE userid = '" & ReqStr("id") & "'"

3. SQL = "SELECT * FROM users WHERE username LIKE '%" & ReqStr("name") & "%'"

To reaffirm: the above method applies no matter whether the database is SQL Server, Access or anything else, and is absolutely safe. Note, however, that SQL Server stored procedures are an exception: in that case a single quote must be replaced with four single quotes to be safe.
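To show what the quote-doubling rule above does at each layer, and why the stored-procedure case needs the quote doubled twice, here is an added example in T-SQL (not code from the article). The table dbo.users, the procedures dbo.FindUser_Dynamic and dbo.FindUser_Param, and the input value O'Brien are placeholders; sp_executesql is SQL Server's own procedure.

```sql
-- Added example, not from the article. Placeholders: dbo.users(username),
-- dbo.FindUser_Dynamic, dbo.FindUser_Param, and the sample value O'Brien.

-- Version 1: the procedure concatenates its parameter into a second, dynamic
-- SQL string. This is the case the article's "four single quotes" note covers.
CREATE PROCEDURE dbo.FindUser_Dynamic @name nvarchar(50) AS
BEGIN
    DECLARE @sql nvarchar(400)
    -- ''' inside the literal yields one quote: the delimiter around the value.
    -- @name itself goes in verbatim, so a quote inside it ends the literal.
    SET @sql = N'SELECT username FROM dbo.users WHERE username = ''' + @name + N''''
    EXEC (@sql)
    -- The fix inside the procedure would be REPLACE(@name, '''', '''''') at
    -- this point; then the caller needs only the normal single doubling.
END
GO

-- Version 2: parameterised dynamic SQL. The value travels as a parameter and
-- never becomes part of the statement text, so no quoting rule applies to it.
CREATE PROCEDURE dbo.FindUser_Param @name nvarchar(50) AS
BEGIN
    EXEC sp_executesql
        N'SELECT username FROM dbo.users WHERE username = @n',
        N'@n nvarchar(50)',
        @n = @name
END
GO

-- What each layer sees for the user input O'Brien:
--
-- a) The page escapes once with ReqStr and calls the dynamic version:
--      EXEC dbo.FindUser_Dynamic 'O''Brien'
--    T-SQL decodes 'O''Brien' to O'Brien, so @name holds one quote and the
--    procedure builds  ... WHERE username = 'O'Brien  -> the literal ends
--    after O and the rest is a syntax error (or, with other input, executes).
--
-- b) The page doubles twice (the article's four quotes):
--      EXEC dbo.FindUser_Dynamic 'O''''Brien'
--    @name now holds O''Brien, and the dynamic string becomes
--      ... WHERE username = 'O''Brien'
--    which is the correct literal for O'Brien.
--
-- c) The parameterised version needs only the single doubling that any
--    literal in a batch needs; the procedure adds no second layer:
EXEC dbo.FindUser_Param 'O''Brien'
GO
```

The point the article makes in one sentence is visible here as two string layers: the batch that calls the procedure decodes one level of quoting, and a procedure that builds its own dynamic SQL decodes a second. Passing the value through sp_executesql removes the second layer altogether.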

In addition, NB Alliance - Pants has written an article on SQL Server security settings; when a vulnerability does exist, following that article can leave the intruder with as few privileges and as little data as possible.


Please credit the original source when reposting: https://www.9cbs.com/read-34609.html
