A SQL injection attack exploits a flaw in an application's design to run SQL commands of the attacker's choosing on the target server, and from there to attack it in other ways.
The main cause of SQL injection is building SQL commands dynamically from user input without first validating that input.
For example:
If your query statement is "select * from admin where username = '" & user & "' and password = '" & pwd & "'"
and I enter the username: 1' or '1'='1
then your query statement becomes:
select * from admin where username = '1' or '1'='1' and password = '" & pwd & "'
This way your query passes the check, and I can enter your management interface.
Therefore user input must be checked: special characters such as single quotes, double quotes, semicolons, commas, colons, hyphens and so on must be escaped or filtered out.
The special characters and strings that need to be filtered are:
code:
<%
On Error Resume Next
Dim strTemp
' Rebuild the full URL of the current request (scheme, host, port, path, query string)
If LCase(Request.ServerVariables("HTTPS")) = "off" Then
    strTemp = "http://"
Else
    strTemp = "https://"
End If
strTemp = strTemp & Request.ServerVariables("SERVER_NAME")
If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")
strTemp = strTemp & Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
strTemp = LCase(strTemp)
' Reject the request if the lowercased URL contains any blacklisted fragment.
' Two patterns in the original listing are unreadable and are omitted; the original also
' tested for ":", which always matches because strTemp begins with "http://", so it is left out.
If InStr(strTemp, "select%20") > 0 Or InStr(strTemp, "delete%20from") > 0 _
   Or InStr(strTemp, "drop%20table") > 0 Or InStr(strTemp, "truncate%20") > 0 _
   Or InStr(strTemp, "asc(") > 0 Or InStr(strTemp, "char(") > 0 _
   Or InStr(strTemp, "xp_cmdshell") > 0 Or InStr(strTemp, "net%20localgroup%20administrators") > 0 _
   Or InStr(strTemp, "net%20user") > 0 Or InStr(strTemp, "'") > 0 Or InStr(strTemp, "%20") > 0 Then
    Response.Write "" ' the message text is cut off in the source
    Response.End      ' added: stop processing the request once it has been rejected
End If
%>
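The login check from the beginning of the page, as an added example that is not part of the original page: the string-concatenated query next to a parameterized one, run against a constructed in-memory SQLite table. It goes one step beyond the page's text: because SQL evaluates AND before OR, the page's payload in the username field alone only succeeds when the password also matches, so the example also supplies it in the password field, where the page's query concatenates it just the same.

```python
import sqlite3

PAYLOAD = "1' or '1'='1"   # the page's example username


def make_db():
    """Constructed stand-in for the page's 'admin' table with one sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (username text, password text)")
    conn.execute("insert into admin values ('admin', 'correct-horse')")
    return conn


def login_unsafe(conn, user, pwd):
    """Mirrors the page's ASP concatenation: input is pasted into the SQL text,
    so quotes in the input change the structure of the WHERE clause."""
    sql = ("select * from admin where username = '" + user
           + "' and password = '" + pwd + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, user, pwd):
    """Parameterized query: values travel separately from the SQL text, so a
    quote in the input is just a character in the compared string."""
    sql = "select * from admin where username = ? and password = ?"
    return conn.execute(sql, (user, pwd)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # username payload only: AND binds tighter than OR, so no row matches
    print(login_unsafe(conn, PAYLOAD, "wrong"))
    # payload in both fields: the trailing "or '1'='1'" is true for every row
    print(login_unsafe(conn, PAYLOAD, PAYLOAD))
    # the same input through a parameterized query matches nothing
    print(login_safe(conn, PAYLOAD, PAYLOAD))
```

Escaping or filtering characters, as the page's ASP snippet does, narrows the problem; parameterized queries remove it, because the input can never be parsed as SQL.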