Prevent SQL Injection Attack

zhaozj  2021-02-12  181

A SQL injection attack exploits a flaw in an application's design to run attacker-chosen SQL commands on the target server, and it can be combined with other attack methods.

Building SQL commands dynamically from user input without validating that input is the main cause of SQL injection.

such as:

If your query is built as: "select * from admin where username = '" & user & "' and password = '" & pwd & "'"

and I enter the username: 1' or '1'='1

then your query becomes:

select * from admin where username = '1' or '1'='1' and password = '" & pwd & "'

This query succeeds, so the attacker is let into your management interface.

It is therefore necessary to check user input and to convert or filter special characters such as single quotes, double quotes, semicolons, commas, colons, hyphens and so on.

Special characters and strings that need to be filtered are:

code:

<%
On Error Resume Next
Dim strTemp

' Rebuild the full URL of the current request: scheme, host, port, path and query string
If LCase(Request.ServerVariables("HTTPS")) = "off" Then
    strTemp = "http://"
Else
    strTemp = "https://"
End If

strTemp = strTemp & Request.ServerVariables("SERVER_NAME")

If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")

strTemp = strTemp & Request.ServerVariables("URL")

If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)

' Lower-case the URL once; InStr is case-sensitive by default, so the patterns below are lower-case too
strTemp = LCase(strTemp)

' Reject the request if the URL contains any of these SQL keywords or characters ("%20" is an encoded space).
' The ":" test is applied to the query string only, because the rebuilt URL always contains "://".
' Two further patterns in the original list are unreadable in the source and are omitted here.
If InStr(strTemp, "select%20") Or InStr(strTemp, "delete%20from") Or InStr(strTemp, "drop%20table") Or InStr(strTemp, "truncate%20") Or InStr(strTemp, "asc(") Or InStr(strTemp, "char(") Or InStr(strTemp, "xp_cmdshell") Or InStr(strTemp, "net%20localgroup%20administrators") Or InStr(LCase(Request.QueryString), ":") Or InStr(strTemp, "net%20user") Or InStr(strTemp, "'") Or InStr(strTemp, "%20") Then
    Response.Write "[blocked: message text truncated in the original]"
    Response.End   ' assumed: stop processing the request (the original is cut off at this point)
End If
%>
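The following is an added example and is not part of the original post. It uses Python's standard sqlite3 module rather than the page's classic ASP, so that it runs stand-alone. It creates a one-row admin table (constructed sample data), sends the page's 1' or '1'='1 input through the same string-concatenated query shown above, and then through two defences: doubling single quotes (the "conversion" the text recommends) and a parameterized query, which is the fix to prefer over any keyword blocklist like the ASP filter. The payload is supplied in both fields because AND binds tighter than OR, so injecting only into the username would not by itself satisfy the WHERE clause. All table, column and account names are assumptions for the demonstration.

```python
import sqlite3

# The page's own input, as typed into the login form
PAYLOAD = "1' or '1'='1"


def make_db():
    """In-memory admin table with one constructed sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn, user, pwd):
    """Vulnerable: the same shape as the page's '" & user & "' concatenation."""
    sql = ("SELECT * FROM admin WHERE username = '" + user
           + "' AND password = '" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_escaped(conn, user, pwd):
    """Mitigation 1: double every single quote before concatenating.

    This is the 'conversion' the text describes. It protects quoted string
    literals only; a numeric field or identifier built the same way would
    still be injectable, which is why parameters are preferred.
    """
    def q(value):
        return value.replace("'", "''")

    sql = ("SELECT * FROM admin WHERE username = '" + q(user)
           + "' AND password = '" + q(pwd) + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, user, pwd):
    """Mitigation 2: parameterized query; input is bound as data, never parsed as SQL."""
    sql = "SELECT * FROM admin WHERE username = ? AND password = ?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None


def run_demo():
    """Run the payload and a legitimate login through each variant."""
    conn = make_db()
    return {
        "concat_bypassed": login_concat(conn, PAYLOAD, PAYLOAD),
        "escaped_bypassed": login_escaped(conn, PAYLOAD, PAYLOAD),
        "param_bypassed": login_param(conn, PAYLOAD, PAYLOAD),
        "param_legit_login": login_param(conn, "alice", "correct-horse"),
        "concat_wrong_password": login_concat(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Running it shows the concatenated query accepting the payload as a valid login while both the quote-doubled and the parameterized versions reject it and the parameterized version still accepts the real credentials. The design point is that parameterization removes the need to enumerate dangerous characters at all, whereas the URL blocklist above must be kept complete and also rejects harmless requests containing an encoded space.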