REM ## Long integer conversion: returns s as a Long when it is numeric, otherwise Default
Function ToNum(s, Default)
    If IsNumeric(s) And s <> "" Then
        ToNum = CLng(s)
    Else
        ToNum = Default
    End If
End Function

REM ## SQL string conversion: doubles every single quote so the value cannot close its string literal
Function ToSQL(str)
    If IsNull(str) Then str = ""
    ToSQL = Replace(str, "'", "''")
End Function
Example:
Dim sql
Dim strName, intAge
strName = ToSQL(Request("User"))
intAge = ToNum(Request("Age"), 20)
sql = "SELECT * FROM [User] " & _
      "WHERE [age] > " & intAge & _
      " AND [username] = '" & strName & "'"
Under normal circumstances these two functions are enough to block the common SQL injection attempts seen online. If you feel it is necessary, you can also strip Chr(0) (the NUL character) by changing the ToSQL function to the following:

Function ToSQL(str)
    If IsNull(str) Then str = ""
    str = Replace(str, Chr(0), "")       ' drop NUL bytes before escaping
    ToSQL = Replace(str, "'", "''")      ' double every single quote
End Function
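The following Python script is an added example, not the original ASP code: it re-implements ToNum and ToSQL as to_num and to_sql, builds the example query from above, and runs it against a constructed in-memory SQLite table. It shows that a single quote in the user name stays inside the string literal and that a non-numeric age falls back to the default. The table rows, the inputs, and the helper names build_query and run_query are assumptions made for this example.

```python
import sqlite3

# Added example: Python versions of the page's VBScript ToNum / ToSQL helpers.
# to_num is stricter than VBScript's IsNumeric/CLng (which also accept forms
# such as "1e3"); only optionally signed decimal digits are accepted here.


def to_num(value, default):
    """Return value as an int, or default when it is not a plain integer."""
    text = "" if value is None else str(value).strip()
    if text and text.lstrip("+-").isdigit():
        return int(text)
    return default


def to_sql(value):
    """Escape a value for use inside a single-quoted SQL literal:
    drop NUL bytes, then double every single quote."""
    text = "" if value is None else str(value)
    text = text.replace("\x00", "")
    return text.replace("'", "''")


def build_query(user, age):
    """Build the page's example query with the two helpers applied."""
    str_name = to_sql(user)          # string value: quotes are doubled
    int_age = to_num(age, 20)        # numeric value: coerced or defaulted to 20
    return ("SELECT * FROM [User] "
            "WHERE [age] > " + str(int_age) +
            " AND [username] = '" + str_name + "'")


def run_query(sql):
    """Run sql against a constructed in-memory table; return matching usernames."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (username TEXT, age INTEGER)")
    # Constructed sample rows; the ? placeholders are SQLite's own parameter binding.
    conn.executemany("INSERT INTO User VALUES (?, ?)",
                     [("alice", 30), ("O'Brien", 45), ("bob", 18)])
    rows = conn.execute(sql).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    # A legitimate name containing an apostrophe is matched correctly.
    print(build_query("O'Brien", "40"))
    print(run_query(build_query("O'Brien", "40")))
    # A quote-containing probe string and a non-numeric age stay harmless:
    # the quote is doubled inside the literal and the age defaults to 20.
    print(build_query("bob' OR 'a'='a", "not a number"))
    print(run_query(build_query("bob' OR 'a'='a", "not a number")))
```

The INSERT in run_query uses SQLite's ? placeholders; that parameter binding is the alternative to escaping, because the driver never splices the value into the SQL text at all.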
Another note:
********************************************************************************
Function to detect submissions coming from an external site
Function CheckURLRefer()
    Dim strLocalURL, intURLLen, strURLRefer
    strLocalURL = "http://127.0.0.1"
    intURLLen = Len(strLocalURL)
    ' "& """ turns a missing (Null) header into an empty string
    strURLRefer = LCase(Request.ServerVariables("HTTP_REFERER") & "")
    ' Was the previous page served from strLocalURL?
    If Left(strURLRefer, intURLLen) = strLocalURL Then
        CheckURLRefer = True
    Else
        CheckURLRefer = False
    End If
End Function
********************************************************************************
This function helps you resist SQL injection probes submitted from outside your site; you only need to call it at the top of each page.
Make your ASP program safer with two simple little functions!