Two Functions in ASP to Prevent SQL Injection
'==========================
' Filter SQL language rules in the submission form
'==========================
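Function ForSqlForm()
    ' Purpose: scan every field of the submitted form (Request.Form) for a
    ' fixed list of blacklisted tokens and abort the request with an error
    ' page (Response.End) as soon as one is found.
    ' Returns: nothing meaningful; the caller only sees the side effects
    ' (HTML written to the response, request terminated on a hit).
    ' NOTE: a keyword blacklist is a weak, secondary control. Several
    ' entries ("from", "count", "mid", ":", "%") will also reject ordinary
    ' text, and the list is not a substitute for parameterized queries
    ' (e.g. ADODB.Command with Parameters) when the values reach SQL.
    Dim nothis(18), i, items, fieldValue

    nothis(0) = "net user"
    nothis(1) = "xp_cmdshell"
    nothis(2) = "/add"
    nothis(3) = "exec%20master.dbo.xp_cmdshell"
    nothis(4) = "net localgroup administrators"
    nothis(5) = "select"
    nothis(6) = "count"
    nothis(7) = "asc"
    nothis(8) = "char"
    nothis(9) = "mid"
    nothis(10) = "'"
    nothis(11) = ":"
    nothis(12) = """"      ' a single double-quote character
    nothis(13) = "insert"
    nothis(14) = "delete"
    nothis(15) = "drop"
    nothis(16) = "truncate"
    nothis(17) = "from"
    nothis(18) = "%"

    ' InStr defaults to a binary (case-sensitive) comparison, so the
    ' spelling of a token had to match exactly; vbTextCompare makes the
    ' match case-insensitive so every case variant is treated the same.
    For i = 0 To UBound(nothis)
        For Each items In Request.Form
            fieldValue = Request.Form(items)
            If InStr(1, fieldValue, nothis(i), vbTextCompare) <> 0 Then
                ' Both the user's value and the matched token are
                ' HTML-encoded before being echoed back to the browser.
                Response.Write "<div>"
                Response.Write "The information you filled in:" & Server.HTMLEncode(fieldValue) & "<br>contains illegal char:" & Server.HTMLEncode(nothis(i))
                Response.Write "</div>"
                Response.Write "Sorry, the information you filled in contains illegal char!<a href=""#"" onclick=""history.back()"">Return</a>"
                Response.End
            End If
        Next
    Next
End Function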
'==========================
' Filter SQL language rules in the query string
'==========================
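Function ForSqlInjection()
    ' Purpose: scan the request's query string for a fixed list of
    ' blacklisted tokens and abort the request with an error message
    ' (Response.End) when one is found.
    ' Returns: nothing meaningful; the caller only sees the side effects.
    ' NOTE(review): Request.ServerVariables("QUERY_STRING") is the raw,
    ' still URL-encoded query string, so the tokens are matched against
    ' that form rather than the decoded parameter values - confirm this is
    ' the intended behaviour. As with ForSqlForm, a blacklist is only a
    ' secondary control; parameterized queries are the real mitigation.
    Dim nothis(19), i, fqys, errC

    fqys = Request.ServerVariables("QUERY_STRING")

    nothis(0) = "net user"
    nothis(1) = "xp_cmdshell"
    nothis(2) = "/add"
    nothis(3) = "exec%20master.dbo.xp_cmdshell"
    nothis(4) = "net localgroup administrators"
    nothis(5) = "select"
    nothis(6) = "count"
    nothis(7) = "asc"
    nothis(8) = "char"
    nothis(9) = "mid"
    nothis(10) = "'"
    nothis(11) = ":"
    nothis(12) = """"      ' a single double-quote character
    nothis(13) = "insert"
    nothis(14) = "delete"
    nothis(15) = "drop"
    nothis(16) = "truncate"
    nothis(17) = "from"
    nothis(18) = "%"
    nothis(19) = "@"

    ' InStr defaults to a binary (case-sensitive) comparison; vbTextCompare
    ' makes the match case-insensitive so every case variant of a token is
    ' treated the same.
    errC = False
    For i = 0 To UBound(nothis)
        If InStr(1, fqys, nothis(i), vbTextCompare) <> 0 Then
            errC = True
            Exit For   ' one hit is enough; no need to scan the remaining tokens
        End If
    Next

    If errC Then
        Response.Write "Query information contains illegal char!<a href=""#"" onclick=""history.back()"">Return to</a>"
        Response.End
    End If
End Function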