SQL injection vulnerabilities are a case of "a dike of a thousand li collapsing from a single ant hole": they are extremely common on live sites, usually because the programmer does not understand the problem, the code is not strict, or one parameter was simply forgotten. Here is a function that replaces ASP's Request for reading request parameters. For a parameter declared numeric it stops the page if the value is empty or not numeric; for a string parameter it doubles every single quote, so the value cannot close the SQL string literal it is placed in. Use it instead of Request everywhere and the usual injection payloads are turned away. The function is as follows:
    Function SafeRequest(ParaName, ParaType)
        '--- Incoming parameters ---
        'ParaName: parameter name (string)
        'ParaType: parameter type (number): 1 means the parameter is numeric, 0 means it is a string
        Dim ParaValue
        ParaValue = Request(ParaName)
        If ParaType = 1 Then
            ' Numeric parameter: an empty or non-numeric value stops the page
            ' before it can reach a query.
            If ParaValue = "" Or Not IsNumeric(ParaValue) Then
                Response.Write "Parameter " & ParaName & " must be numeric!"
                Response.End
            End If
        Else
            ' String parameter: double each single quote so the value cannot
            ' terminate the quoted SQL literal it is spliced into.
            ParaValue = Replace(ParaValue, "'", "''")
        End If
        SafeRequest = ParaValue
    End Function
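As an added example (not code from the original article), the page below shows SafeRequest in use on a product-lookup page, the unsafe form it replaces, and, for comparison, a parameterised ADODB.Command query, which is the stronger fix because the value is never part of the SQL text. The Products table with ProductID and ProductName columns, the SafeInt helper, and the connection string held in Application("ConnString") are assumptions made for the example. Two caveats it takes into account: VBScript's IsNumeric accepts more than plain integers (for example "1e3" and the hex form "&HFF"), so when an integer is expected the example checks the value against ^\d+$ and converts with CLng; and quote doubling only protects a value that ends up inside a single-quoted SQL literal, so a string value spliced in unquoted is not covered by it.

```vbscript
<%
Option Explicit
' Added example, not code from the original article. Assumptions: a Products table
' with ProductID (integer) and ProductName (varchar(255)) columns, and a connection
' string stored in Application("ConnString").

' The article's SafeRequest, repeated here so the page is self-contained.
Function SafeRequest(ParaName, ParaType)
    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        If ParaValue = "" Or Not IsNumeric(ParaValue) Then
            Response.Write "Parameter " & ParaName & " must be numeric!"
            Response.End
        End If
    Else
        ParaValue = Replace(ParaValue, "'", "''")
    End If
    SafeRequest = ParaValue
End Function

' Tighter numeric check (assumed helper): IsNumeric also accepts "1e3" and "&HFF",
' so require a plain unsigned integer when that is what the column holds.
Function SafeInt(ParaName)
    Dim v, re
    v = Request(ParaName)
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(v) Then
        Response.Write "Parameter " & ParaName & " must be an integer!"
        Response.End
    End If
    SafeInt = CLng(v)
End Function

Dim conn, rs, sql, id, name
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

' 1. Unsafe (what SafeRequest replaces): the raw value is spliced into the SQL text.
'    ?id=1 OR 1=1 returns every row; ?name=' OR 'a'='a does the same for the string.
' sql = "SELECT ProductID, ProductName FROM Products WHERE ProductID=" & Request("id") & _
'       " AND ProductName='" & Request("name") & "'"

' 2. With SafeRequest: a non-numeric id stops the page before any SQL runs, and each
'    ' in name is doubled, so ' OR 'a'='a becomes '' OR ''a''=''a and stays inside the literal.
id = SafeInt("id")
name = SafeRequest("name", 0)
sql = "SELECT ProductID, ProductName FROM Products WHERE ProductID=" & id & _
      " AND ProductName='" & name & "'"
Set rs = conn.Execute(sql)
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("ProductName")) & "<br>"
    rs.MoveNext
Loop
rs.Close

' 3. Parameterised query: the value is bound, never concatenated, so no escaping is
'    needed (and must not be applied: a doubled quote would be searched for literally).
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT ProductID, ProductName FROM Products WHERE ProductID=? AND ProductName=?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, 4, id)                          ' 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("name", 200, 1, 255, CStr(Request("name")))  ' 200 = adVarChar
Set rs = cmd.Execute
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("ProductName")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

Section 2 is the article's approach applied consistently: every value that reaches the SQL text has gone through a type check or quote doubling. Section 3 is what to move to where possible; with bound parameters the database driver keeps data and SQL apart, so neither the numeric check nor the quote doubling is what the query's safety rests on, and the plain Request value is passed for the string parameter on purpose.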