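Function SafeRequest(ParaName, ParaType)
    '--- Read one request parameter with minimal input validation ---
    ' ParaName: parameter name (string). Looked up via Request(ParaName), which
    '           searches QueryString, Form, Cookies, ClientCertificate and
    '           ServerVariables in that order -- a cookie can therefore satisfy
    '           a lookup the caller expected to come from the form/query string.
    ' ParaType: 1 = value must be numeric; anything else = treated as text.
    ' Returns:  for ParaType = 1, the value exactly as Request returned it once
    '           it passes the numeric check; otherwise the value with every
    '           single quote doubled.
    ' Side effects: on a failed numeric check it writes an error message and
    '           calls Response.End, so the calling page stops executing.
    '
    ' SECURITY NOTE: doubling quotes only protects a value that is concatenated
    ' into a single-quoted SQL string literal. It does nothing for values used
    ' in numeric contexts, identifiers, ORDER BY, LIKE patterns, or in other
    ' interpreters (HTML, JavaScript, the shell). Prefer ADODB.Command with
    ' Parameters and keep this function as defence in depth only.
    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        ' IsNumeric alone also accepts "1e5", "&HFF", "$1,000", "1,000" etc.,
        ' which are not SQL number literals; require plain digits instead.
        If Not IsPlainNumber(ParaValue) Then
            Response.Write "Parameter " & Server.HTMLEncode(ParaName) & " must be numeric!"
            Response.End
        End If
    Else
        ' Double single quotes so the value survives embedding in a
        ' single-quoted SQL literal ('O''Brien'). Replace(Null, ...) is Null.
        ParaValue = Replace(ParaValue, "'", "''")
    End If
    SafeRequest = ParaValue
End Function

' True when v (after trimming) is an optionally signed run of digits with at
' most one decimal point and at least one digit: "42", "-3", "+1.5".
' Empty/Null/"" and anything with other characters give False.
Function IsPlainNumber(v)
    Dim s, i, c, digits
    IsPlainNumber = False
    s = Trim(v & "")                      ' Null/Empty become ""
    If Left(s, 1) = "-" Or Left(s, 1) = "+" Then s = Mid(s, 2)
    If Len(s) = 0 Then Exit Function
    digits = 0
    For i = 1 To Len(s)
        c = Mid(s, i, 1)
        If InStr("0123456789", c) > 0 Then
            digits = digits + 1
        ElseIf c = "." And InStr(s, ".") = i Then
            ' first (and only permitted) decimal point
        Else
            Exit Function                 ' any other character: not a number
        End If
    Next
    IsPlainNumber = (digits > 0)
End Function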
Use SafeRequest(ParaName, ParaType) instead of calling Request.Form() and Request.QueryString() directly. Note that Request(ParaName) also searches Cookies, ClientCertificate and ServerVariables, so the returned value may come from a cookie rather than from the form or query string.
*************************************************** *************************************************** *****
-------------------------------------------------- -------------------------------------------------- ---------------------------------------
*************************************************** *************************************************** *****
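<%
' defanj.asp -- crude SQL-injection "filter" for Classic ASP.
'
' Every Request.QueryString and Request.Form value is scanned for a fixed list
' of tokens; if one is found the page emits a JavaScript alert, sends the
' browser back and ends the response.
'
' SECURITY NOTE: this is a denylist, and denylists do not stop SQL injection.
' The list has no UNION, OR, ";", "--" or inline-comment handling (sel/**/ect
' is not matched) and LCase() only defeats trivial case games. It also rejects
' legitimate input that merely contains a listed substring ("middle" contains
' mid, "account" contains count, "100%", "*"), and it never looks at cookies
' or headers. Treat it as defence in depth only; the real fix is parameterised
' queries (ADODB.Command with Parameters).
Dim sql_injdata, sql_injHint, sql_inj
sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
' Human-readable copy of the list for the alert text. The single quote is
' backslash-escaped because the hint is emitted inside a single-quoted
' JavaScript string literal.
sql_injHint = Replace(sql_injdata, "|", " ")
sql_injHint = Replace(sql_injHint, "'", "\'")
sql_inj = Split(sql_injdata, "|")

' Both collections go through the same scan; the original code iterated the
' QueryString keys while reading Form values, so the form check was ineffective.
If Request.QueryString <> "" Then ScanCollection Request.QueryString
If Request.Form <> "" Then ScanCollection Request.Form

' End the response if any value in coll contains one of the listed tokens.
' coll is an ASP request collection (Request.QueryString or Request.Form);
' coll(key) returns the value, or all values comma-joined for a repeated key.
Sub ScanCollection(coll)
    Dim key, i, hint
    For Each key In coll
        For i = 0 To UBound(sql_inj)
            ' InStr is case-sensitive by default and the list is lowercase,
            ' so the value is lowercased first.
            If InStr(LCase(coll(key)), sql_inj(i)) > 0 Then
                hint = "alert('To ensure user information security, please do not use illegal injection characters. The following characters are illegal: @sql_injHint@');"
                hint = Replace(hint, "@sql_injHint@", sql_injHint)
                ' The message is a fixed string -- no request data is echoed
                ' into the script, so this output is not an XSS sink.
                Response.Write "<script language=javascript>"
                Response.Write hint
                Response.Write "history.back()"
                Response.Write "</script>"
                Response.End
            End If
        Next
    Next
End Sub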
%>
Save this code as a file (for example defanj.asp) and include it at the top of every page that touches the database with <!--#include file="defanj.asp"-->. Because the filter aborts with Response.End, the include must appear before the page's own database code runs. Remember that this is a substring denylist and is easily bypassed; use it only as a supplementary check alongside parameterised queries, never as the sole defence.