Perfect filtration for excess parameters in ASP

Posted by xiaoxiao, 2021-03-06

Author of the article: sunlion [E.S.T] (Blood Dance [E.S.T])

Source: Evil Octal (邪恶八进制), China

I wrote a post on parameter filtering earlier; I remember it used the InStr function, but it compared the parameter against a fixed list, so to filter many parameters you had to keep adding characters to the comparison. Today I bring a more complete filtering method: the IsNumeric() function in Microsoft's VBScript. Enough chatter, let's look at its description and usage:

IsNumeric function description

Returns a Boolean value indicating whether the expression evaluates to a number.

Syntax

IsNumeric(expression)

The expression argument can be any expression.

Description

If the entire expression is recognized as a number, the IsNumeric function returns True; otherwise the function returns False.

If expression is a date expression, the IsNumeric function returns False.

OK, have you understood it?

IsNumeric() takes the expression in parentheses and checks whether it is a number: it returns True for a number and False for anything else. With that basic principle clear, we can write:

If Not IsNumeric(Request("id")) Then Response.Redirect "index.asp" ' reconstructed from the garbled original line

In the same way you can put whatever you want after the Then, and don't forget to add

Response.End

to end the response!

To spell it out, this statement means: if the value following id in the browser address bar is not a number, then the statement after Then is executed!

Did everyone see it? This is the key point, which is why I call it a "perfect filter"!

For example, when exploiting an injection vulnerability, one generally appends special characters after the id to achieve the desired goal, and this function is the natural enemy of that!

As long as something like (') or (;) or (,) or (and 1=1) is appended,

the id is no longer a number, and so the statement after Then is executed!

That is our filtering!
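The check described above, as an added example that is not from the original article, placed beside a stricter check: VBScript's IsNumeric also accepts forms such as "1e3", "&H1F", " 7 ", "1,000" and "$5", so an id column that expects a plain integer is better guarded with a digits-only pattern. The function names and the sample inputs are my own assumptions; the loop at the end runs under cscript, while GuardIdOrRedirect is meant for an .asp page.

```vbscript
' Added example (not from the original article). Assumes classic ASP / VBScript;
' ArticleFilterAccepts, StrictIdAccepts, GuardIdOrRedirect and the samples are constructed.
Option Explicit

' The article's filter: accept whatever IsNumeric accepts.
Function ArticleFilterAccepts(value)
    ArticleFilterAccepts = IsNumeric(value)
End Function

' Stricter filter: only an unsigned decimal integer of 1 to 9 digits.
' IsNumeric also returns True for exponent, hex (&H), thousands-separator,
' currency and whitespace-padded forms, none of which a numeric id needs.
Function StrictIdAccepts(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    StrictIdAccepts = re.Test(value)
End Function

' The guard as used in a page handler (ASP only): redirect and end on a bad id.
Sub GuardIdOrRedirect(id)
    If Not StrictIdAccepts(id) Then
        Response.Redirect "index.asp"
        Response.End
    End If
End Sub

' Constructed inputs (not captured data): legitimate ids, forms IsNumeric
' accepts that a strict check rejects, and the tampered forms from the article.
Dim samples, s
samples = Array("42", " 7 ", "1,000", "1e3", "&H1F", "$5", "42'", "42;", "42 and 1=1")
For Each s In samples
    WScript.Echo """" & s & """" & vbTab & "IsNumeric=" & ArticleFilterAccepts(s) _
        & vbTab & "strict=" & StrictIdAccepts(s)
Next
```

Validating the id narrows what reaches the query but does not replace parameterized queries; the two belong together.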

Haha, OK, that's it for parameter filtering today!

I have to go to work now :(!

Please credit the original URL when reposting: https://www.9cbs.com/read-46617.html
