Author: NB Union - Kotake
PS: These are old things, nothing more. I miss the 54NB of the network security business!
SQL injection is increasingly used to break into websites, and some web programmers have started to pay attention to it. But because injection techniques keep changing, some characters are left unfiltered and a vulnerability remains; or the programmer filters so aggressively that he sees an enemy behind every bush, and legitimate users are turned away. Imagine a user who wants to type I'm A Boy and gets a rude rejection in return. Would he still want to visit your website?
Below I introduce a defence against SQL injection at the program level. First look at the simplest SQL statements:
1. SQL = "SELECT * from users where userid=" & Request("id")
2. SQL = "SELECT * from users where userid='" & Request("id") & "'"
3. SQL = "SELECT * from users where username like '%" & Request("name") & "%'"
In the first statement the parameter is a numeric type; that is obvious. In the second, if the field userid is an int type, some people are unsure. In fact, telling numeric parameters from character parameters is easy: just look at whether the parameter in the SQL statement has single quotes on both sides. The first statement has no single quotes, so it is numeric; the second and third have single quotes, so they are character type.
For numeric variables, the incoming parameter is placed straight into the SQL statement. Because the parameter is numeric, checking it with IsNumeric is very secure; I have tried to break the parameter with things like /0, but it failed.
For character variables, the incoming parameter is placed in the SQL statement as a constant. If you pass 1 and 1=1, the SQL statement becomes userid='1 and 1=1'; the value between the single quotes is just one constant. The only character that can break out of that constant is its delimiter: the single quote. So a character-type variable is completely safe as long as the ' is filtered. As for how to filter it, the best way is to replace each single quote with two single quotes, because SQL specifies that a single quote inside a 'constant' is written as two single quotes. In this way the user's input keeps its original appearance, and the security of the program is still guaranteed.
Below are two functions you can copy and call directly.
'----------------------------------------------------------------------
'NB Alliance anti-injection functions ReqNum / ReqStr
'----------------------------------------------------------------------
'ReqNum: read a numeric request parameter; stop the page if it is not a number
Function ReqNum(strName)
    ReqNum = Request(strName)
    If Not IsNumeric(ReqNum) Then
        Response.Write "Parameter must be numeric!"
        Response.End
    End If
End Function
'ReqStr: read a string request parameter; double every single quote so the
'value cannot close the SQL string constant it is placed in
Function ReqStr(strName)
    ReqStr = Replace(Request(strName), "'", "''")
End Function
Using the three SQL statements above, here is how to call them:
1. SQL = "SELECT * from users where userid=" & ReqNum("id")
2. SQL = "SELECT * from users where userid='" & ReqStr("id") & "'"
3. SQL = "SELECT * from users where username like '%" & ReqStr("name") & "%'"
To repeat: the method above is absolutely applicable and absolutely safe whether the database is SQL Server or something else. Note, however, that SQL Server stored procedures are an exception: in that case replace each single quote with four single quotes to be safe.
In addition, NB Alliance member Pants has written an article on SQL Server security settings; when a vulnerability does exist, those settings leave the intruder with as little privilege and data as possible. The article has been published at www.54nb.com for anyone interested.
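As an added example (not the article's own VBScript), here is a Python model of the ReqNum / ReqStr rules, including the stored-procedure case where the doubling is applied twice so each quote becomes four. The numeric check is a strict regular expression, which is narrower than VBScript's IsNumeric, and the sample inputs are constructed for the demonstration.

```python
import re

# Added example, not the article's code: a Python model of ReqNum / ReqStr.
# Strict numeric shape (optional sign, digits, optional fraction). This is
# narrower than VBScript IsNumeric, which also accepts exponent and hex forms.
_NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)$")

def is_numeric(value: str) -> bool:
    return bool(_NUMERIC.match(value.strip()))

def req_num(value: str) -> str:
    """ReqNum: a numeric parameter is used only if it really is a number."""
    if not is_numeric(value):
        raise ValueError("parameter must be numeric!")
    return value.strip()

def req_str(value: str, nesting: int = 1) -> str:
    """ReqStr: double every single quote so the value stays one SQL constant.

    nesting=1 is the normal case. nesting=2 models the article's stored
    procedure caveat: the value crosses two string-literal levels, so each
    quote must end up as four quotes (doubling applied twice).
    """
    for _ in range(nesting):
        value = value.replace("'", "''")
    return value

def build_query(kind: str, value: str) -> str:
    """Rebuild the article's three statements with the helpers applied."""
    if kind == "id_num":
        return "SELECT * FROM users WHERE userid=" + req_num(value)
    if kind == "id_str":
        return "SELECT * FROM users WHERE userid='" + req_str(value) + "'"
    if kind == "name_like":
        return "SELECT * FROM users WHERE username LIKE '%" + req_str(value) + "%'"
    raise ValueError("unknown query kind: " + kind)

def literal_count(sql: str) -> int:
    """Number of string constants in the statement. A doubled quote ('') does
    not close a constant, so a correctly escaped value yields exactly one."""
    return len(re.findall(r"'(?:[^']|'')*'", sql))

if __name__ == "__main__":
    # Constructed sample inputs: two benign values and one injection attempt.
    for kind, value in [("id_num", "42"), ("id_str", "O'Neil"),
                        ("name_like", "x' OR '1'='1")]:
        sql = build_query(kind, value)
        print(sql, "->", literal_count(sql), "string constant(s)")
```

Modern ASP code should prefer ADO Command parameters so the value never becomes part of the SQL text at all; the functions above model only what this article describes.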