SQL injection has become the favourite trick of the so-called "hacker masters" at every skill level, and if you look around you will find that most intrusions today start with SQL injection. Well, who can blame them when it is so easy to get started? Enough talk; here is how to write a general-purpose SQL anti-injection routine. An HTTP request is either a GET or a POST, so if one include file filters every illegal character out of the GET query-string parameters and the POST form fields, we can tell from the request data alone whether someone is attempting a SQL injection attack.
IIS hands a GET request to asp.dll as a single string. When that data reaches Request.QueryString, the ASP parser splits it on "&" into a collection of name/value pairs, and that is where we intercept it, as follows:
First we define the characters and keywords that must not appear in any request:
'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare
Each entry is separated by "|"; we then check every value in Request.QueryString against the list. The specific code is as follows:
Dim SQL_injdata, SQL_inj, SQL_Get, SQL_Data
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = Split(SQL_injdata, "|")
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data = 0 To UBound(SQL_inj)
            ' vbTextCompare makes the match case-insensitive, so SELECT and select are both caught
            If InStr(1, Request.QueryString(SQL_Get), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write "<Script Language=JavaScript>alert('World Movie Alliance SQL Universal Anti-injection System Prompt \n\nPlease do not include illegal characters in the parameters and try to inject!'); history.back(-1)</Script>"
                Response.End
            End If
        Next
    Next
End If
That intercepts injection through GET requests, but POST requests still have to be filtered, so we go on to Request.Form, which is also a collection. One more loop does the check. The code is as follows:
Dim SQL_Post
If Request.Form <> "" Then
    For Each SQL_Post In Request.Form
        For SQL_Data = 0 To UBound(SQL_inj)
            ' same case-insensitive substring test as for the query string
            If InStr(1, Request.Form(SQL_Post), SQL_inj(SQL_Data), vbTextCompare) > 0 Then
                Response.Write "<Script Language=JavaScript>alert('World Movie Alliance SQL Universal Anti-injection System Prompt \n\nPlease do not include illegal characters in the parameters and try to inject! \n\nhttp://www.521movie.com'); history.back(-1)</Script>"
                Response.End
            End If
        Next
    Next
End If
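To show what the GET and POST loops above actually decide, here is the same blacklist check written as a stand-alone Python function rather than ASP. This is an added example, not code from the original article: the function names (find_blocked_token, check_request) and the sample requests are my own, and the raw query-string and form-body strings stand in for Request.QueryString and Request.Form.

```python
from urllib.parse import parse_qs

# The same "|"-separated blacklist the ASP page uses; the first entry is the single quote.
SQL_INJDATA = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_INJ = SQL_INJDATA.split("|")


def find_blocked_token(value):
    """Return the first blacklist token contained in value, or None.

    Mirrors the ASP loop (InStr(...) > 0 for each token) but compares
    case-insensitively, so SELECT and select are treated the same.
    """
    lowered = value.lower()
    for token in SQL_INJ:
        if token.lower() in lowered:
            return token
    return None


def check_request(query_string="", form_body=""):
    """Scan every GET and POST parameter value the way the ASP snippet does.

    query_string and form_body are raw application/x-www-form-urlencoded
    strings such as "id=5&page=2". Returns (source, name, token) for the
    first match, or None when the request would be allowed through.
    """
    for source, raw in (("GET", query_string), ("POST", form_body)):
        # keep_blank_values so empty parameters are still visited, like For Each
        params = parse_qs(raw, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                token = find_blocked_token(value)
                if token is not None:
                    return (source, name, token)
    return None


if __name__ == "__main__":
    # Constructed sample requests, not taken from the page.
    print(check_request("id=42&page=1"))           # allowed: None
    print(check_request("id=1%27%20or%201%3D1"))   # blocked on the quote: ('GET', 'id', "'")
    print(check_request("", "name=Alexander"))     # blocked on "and": ('POST', 'name', 'and')
```

The third sample is worth noticing: a substring blacklist fires on ordinary words such as "Alexander" (contains "and") or "Charlie" (contains "char"), so expect false positives on free-text fields. A check like this is best treated as a front-line filter in front of parameterized queries (ADODB.Command with Parameters in classic ASP), which keep user data out of the SQL text regardless of which characters it contains.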
Okay, you're done. We now intercept both GET and POST requests. You only need to include this page before any file that opens the database, such as conn.asp, and you can go on developing your program without worrying about being hit by SQL injection again. Isn't that right?