Rem ## long integer conversion
Function ToNum(s, default)
    ' accept only a non-empty numeric string; anything else falls back to default
    ' note: CLng raises a runtime error for values outside the Long range
    If IsNumeric(s) And s <> "" Then
        ToNum = CLng(s)
    Else
        ToNum = default
    End If
End Function

Rem ## SQL string conversion
Function ToSql(str)
    ' Null becomes an empty string; a single quote is doubled so it stays inside the literal
    If IsNull(str) Then str = ""
    ToSql = Replace(str, "'", "''")
End Function

Example:

Dim sql
Dim strWhere, strName, intAge
strName = ToSql(Request("user"))
intAge = ToNum(Request("age"), 20)
' the numeric value is concatenated unquoted, the string value inside a quoted literal;
' the table name did not survive the copy of this post, [tablename] is a placeholder
sql = "SELECT * FROM [tablename] WHERE [age]>" & intAge & _
      " AND [username]='" & strName & "'"
Under normal circumstances, the SQL injection attacks seen online can be blocked by the two functions above! If you feel it is necessary, you can also strip Chr(0) (the NUL character) by changing ToSql to the following:

Function ToSql(str)
    If IsNull(str) Then str = ""
    str = Replace(str, Chr(0), "")
    ToSql = Replace(str, "'", "''")
End Function
Another note:
The anti-external-submission function:

Function CheckUrlRefer()
    Dim strLocalUrl, intUrlLen, strUrlRefer
    strLocalUrl = "http://127.0.0.1"
    intUrlLen = Len(strLocalUrl)
    strUrlRefer = LCase(Request.ServerVariables("HTTP_REFERER") & "")
    ' test whether the request came from a page under strLocalUrl
    ' caveat: HTTP_REFERER is sent by the client and may be absent or arbitrary,
    ' so treat this as a convenience check, not as the only line of defence
    If Left(strUrlRefer, intUrlLen) = strLocalUrl Then
        CheckUrlRefer = True
    Else
        CheckUrlRefer = False
    End If
End Function

This function can help you resist off-site SQL injection attempts; you only need to call it at the top of the page.
Make your ASP program safer with two simple little functions! Experts are welcome to comment (please write out any way around these two functions)!
Related discussion pages:
http://community.9cbs.net/expert/topicview.asp?Id=3585010
http://community.9cbs.net/expert/topicview.asp?Id=3582230
http://community.9cbs.net/expert/topic/3589/3589480.xml?temp=.4866449/
Dim qs, errc, iii
qs = Request.ServerVariables("QUERY_STRING")
Dim nothis(18)
nothis(0) = "net user"
nothis(1) = "xp_cmdshell"
nothis(2) = "/add"
nothis(3) = "exec%20master.dbo.xp_cmdshell"
nothis(4) = "net localgroup administrators"
nothis(5) = "select"
nothis(6) = "count"
nothis(7) = "asc"
nothis(8) = "char"    ' this entry was garbled in the copy of the post; "char" is assumed
nothis(9) = "mid"
nothis(10) = "'"
nothis(11) = ":"
nothis(12) = """"
nothis(13) = "insert"
nothis(14) = "delete"
nothis(15) = "drop"
nothis(16) = "truncate"
nothis(17) = "from"
nothis(18) = "%"
errc = False
For iii = 0 To UBound(nothis)
    ' vbTextCompare makes the match case-insensitive; the default binary compare
    ' would miss mixed-case terms. QUERY_STRING is still URL-encoded here.
    If InStr(1, qs, nothis(iii), vbTextCompare) <> 0 Then
        errc = True
    End If
Next
If errc Then
    Response.Write("Sorry, illegal URL address request!")
    Response.End
End If
Of course, this method is too "absolute", but I have no other way. I saw this method online and ran it on a website, and now everything is fine. I can only do this for security. I want to filter out the sensitive words related to SQL, which is basically possible, and it can be adjusted. I remember that I originally used the prevention method from "SQL Injection Tianshu" mentioned above, and later only used this one. I am posting the code I used for reference; anyone interested can search Baidu or Google for "SQL Injection Tianshu".
Use this function to validate the data submitted by the client...
<%
Function SafeRequest(paraName, paraType)
    '--- Parameters ---
    'paraName: parameter name - string
    'paraType: parameter type - number (1 means the parameter is numeric, 0 means it is a string)
    Dim paraValue
    paraValue = Request(paraName)
    If paraType = 1 Then
        ' numeric parameters are rejected outright when they do not parse as a number
        If Not IsNumeric(paraValue) Then
            Response.Write "Parameter " & paraName & " must be numeric!"
            Response.End
        End If
    Else
        ' string parameters get their single quotes doubled
        paraValue = Replace(paraValue, "'", "''")
    End If
    ' the original assigned to a misspelled name (saverequest), which would return Empty
    SafeRequest = paraValue
End Function
%>
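The checks this post describes, as an added Python port so they can be exercised offline (this is not the ASP code from the post): ToNum/ToSql/SafeRequest on the one hand, and the QUERY_STRING blacklist on the other, with a normalized variant of the blacklist scan that URL-decodes and lower-cases before matching. The blacklist terms are the post's own nothis() list; the sample parameters and query strings are constructed.

```python
from urllib.parse import unquote_plus

# The post's nothis() blacklist, lower-cased as in the original ASP source.
BLACKLIST = ["net user", "xp_cmdshell", "/add", "exec%20master.dbo.xp_cmdshell",
             "net localgroup administrators", "select", "count", "asc", "char",
             "mid", "'", ":", '"', "insert", "delete", "drop", "truncate", "from", "%"]


def to_num(value, default):
    """ToNum: return the value as an int, or default if it is not an integer string."""
    try:
        return int(str("" if value is None else value).strip())
    except ValueError:
        return default


def to_sql(value):
    """ToSql (second version): strip NUL bytes, then double single quotes."""
    text = "" if value is None else str(value)
    return text.replace("\x00", "").replace("'", "''")


def safe_request(params, name, numeric):
    """SafeRequest: numeric parameters must parse, string parameters are quote-doubled."""
    raw = params.get(name, "")
    if numeric:
        value = to_num(raw, None)
        if value is None:
            raise ValueError(f"Parameter {name} must be numeric!")
        return value
    return to_sql(raw)


def literal_hits(query_string):
    """Weak form of the post's loop: case-sensitive substring test on the raw, still
    URL-encoded QUERY_STRING. Case or %XX encoding can hide a listed term."""
    return [w for w in BLACKLIST if w in query_string]


def normalized_hits(query_string):
    """Hardened scan: decode and lower-case both sides before matching, so a term is
    caught whichever way it was encoded. Note the false positive on a legitimate
    sort=ASC, which is the 'too absolute' behaviour the post mentions."""
    qs = unquote_plus(query_string).lower()
    return [w for w in BLACKLIST if unquote_plus(w).lower() in qs]
```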