Writing a generic ASP anti-injection program (from PH4STUDIO's blog)

xiaoxiao2021-03-06  41

SQL injection has been played with by everyone from the so-called hacker masters down to rookies, and it turns out that most hacker intrusions are based on SQL injection. Well, who made this entry point so easy? OK, enough nonsense; now I will explain how to write a generic SQL anti-injection program.

An HTTP request is nothing more than GET or POST, so as long as we filter every illegal character out of all POST and GET requests, we have filtered the HTTP request information and can judge whether it is under SQL injection attack. The GET request is passed to asp.dll as a string; when it is handed to Request.QueryString, the ASP parser analyzes the Request.QueryString information and splits it into an array at each "&".

So, for the data inside it, we first define the following characters, separated by "|":

    ' | and | exec | insert | select | delete | update | count | * | % | chr | mid | master | truncate | char | declare

Then we check each value obtained from Request.QueryString against them. The specific code is as follows (the original post breaks off inside the Response.Write string):

    Dim SQL_injdata
    SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
    SQL_inj = Split(SQL_injdata, "|")
    If Request.QueryString <> "" Then
        For Each SQL_Get In Request.QueryString
            For SQL_Data = 0 To UBound(SQL_inj)
                If InStr(Request.QueryString(SQL_Get), SQL_inj(SQL_Data)) > 0 Then
                    Response.Write "
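The complete filter the post is building toward, written here as an added example rather than the blog's own code: it checks both GET (Request.QueryString) and POST (Request.Form) as the text calls for, wraps the check in a function so it stops at the first match, and uses vbTextCompare so the match is case-insensitive (a bare InStr is a binary compare, so "SELECT" would slip past "select"). The include file name SqlCheck.asp and the rejection message are assumptions.

```vbscript
<%
' Added example (not the blog's own code). Assumed to be saved as SqlCheck.asp
' and pulled into each page with <!--#include file="SqlCheck.asp"--> before any
' SQL is built from request data.
Option Explicit

Dim SQL_injdata, SQL_inj, SQL_Get
' Same blacklist the post uses; "|" separates the tokens.
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = Split(SQL_injdata, "|")

' Returns True when any blacklisted token appears anywhere in value.
' vbTextCompare makes the match case-insensitive, unlike the post's bare InStr.
Function ContainsInjToken(value)
    Dim i
    ContainsInjToken = False
    For i = 0 To UBound(SQL_inj)
        If InStr(1, value, SQL_inj(i), vbTextCompare) > 0 Then
            ContainsInjToken = True
            Exit Function
        End If
    Next
End Function

' Ends the response before the page's own database code runs.
' The parameter name is HTML-encoded so the error page cannot reflect markup.
Sub RejectRequest(paramName)
    Response.Write "Request blocked: parameter " & Server.HTMLEncode(paramName) & _
                   " contains a disallowed token."
    Response.End
End Sub

' GET: every key in the query string.
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        If ContainsInjToken(Request.QueryString(SQL_Get)) Then RejectRequest SQL_Get
    Next
End If

' POST: every key in the form body.
If Request.Form <> "" Then
    For Each SQL_Get In Request.Form
        If ContainsInjToken(Request.Form(SQL_Get)) Then RejectRequest SQL_Get
    Next
End If
%>
```

A token blacklist like this also rejects ordinary input containing "and", "count" or "%", so it is a coarse first line of defence; the page's own database code should still pass user values through ADODB.Command parameters rather than string concatenation.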