Two Functions in ASP to Prevent SQL Injection
-
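'==========================
' Filter SQL language rules in the submission form
'==========================
' ForSqlForm: scans every Request.Form field for the substrings listed in
' nothis(); on the first hit it writes an error message and calls Response.End,
' so the rest of the calling page never runs. Takes no parameters and returns
' nothing; its only effects are Response output and Response.End.
'
' Matching is case-insensitive (InStr with vbTextCompare). The original used the
' default binary compare, so "SELECT" or "Select" slipped past the "select"
' entry; the casing of the entries below is therefore immaterial.
'
' Caveats a maintainer should keep in mind:
'  - This is a substring deny-list applied to raw form text. It rejects harmless
'    input too (a message containing "from", "count" or a colon), and it does not
'    replace parameterized queries (ADODB.Command with Parameters) in the data
'    layer, which stop injection regardless of what the input contains.
'  - Only Request.Form is inspected here; the query string is handled by the
'    sibling function. Cookies and request headers are checked by neither.
Function ForSqlForm()
    Dim nothis(18), i, item, fieldValue
    nothis(0)  = "net user"
    nothis(1)  = "xp_cmdshell"
    nothis(2)  = "/add"
    nothis(3)  = "exec%20master.dbo.xp_cmdshell"
    nothis(4)  = "net localgroup administrators"
    nothis(5)  = "select"
    nothis(6)  = "count"
    nothis(7)  = "asc"
    nothis(8)  = "char"
    nothis(9)  = "mid"
    nothis(10) = "'"     ' the sibling function uses "'" too; the old "' " (trailing
                         ' space) missed a quote at the end of a field
    nothis(11) = ":"
    nothis(12) = """"    ' a single double-quote character
    nothis(13) = "insert"
    nothis(14) = "delete"
    nothis(15) = "drop"
    nothis(16) = "truncate"
    nothis(17) = "from"
    nothis(18) = "%"
    'nothis(19) = "@"

    ' Pattern-major loop, as in the original, so the first message shown is for
    ' the earliest pattern in the list rather than the earliest field.
    For i = 0 To UBound(nothis)
        For Each item In Request.Form
            fieldValue = Request.Form(item)
            If InStr(1, fieldValue, nothis(i), vbTextCompare) <> 0 Then
                Response.Write "<div>"
                ' Both the echoed field and the matched pattern are HTML-encoded so
                ' the error page cannot itself become a reflected-markup sink.
                Response.Write "The information you filled in:" & Server.HTMLEncode(fieldValue) & "<br>contains illegal char:" & Server.HTMLEncode(nothis(i))
                Response.Write "</div>"
                Response.Write "Sorry, the information you filled in contains illegal char!<a href=""#"" onclick=""history.back()"">Return</a>"
                Response.End
            End If
        Next
    Next
End Function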
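' ==========================
' Filter SQL language rules in query
' ==========================
' ForSqlInjection: scans the raw query string (QUERY_STRING server variable) for
' the substrings listed in nothis(); if any is present it writes an error message
' and calls Response.End. Takes no parameters and returns nothing; its only
' effects are Response output and Response.End.
'
' Matching is case-insensitive (InStr with vbTextCompare). The original used the
' default binary compare, so "SELECT" passed the "select" entry unnoticed.
'
' Caveats a maintainer should keep in mind:
'  - QUERY_STRING is still percent-encoded here. An encoded quote arrives as
'    "%27", which the "'" entry never sees; it is the "%" entry that rejects it,
'    and with it every query string containing any encoded character at all
'    (spaces, non-ASCII text, "&" in a value).
'  - This is a substring deny-list, not a guarantee: it rejects harmless queries
'    and does not replace parameterized queries (ADODB.Command with Parameters)
'    in the data layer. Form fields are covered by the sibling function; cookies
'    and request headers by neither.
Function ForSqlInjection()
    Dim fqys, errC, i
    Dim nothis(19)
    fqys = Request.ServerVariables("QUERY_STRING")
    nothis(0)  = "net user"
    nothis(1)  = "xp_cmdshell"
    nothis(2)  = "/add"
    nothis(3)  = "exec%20master.dbo.xp_cmdshell"
    nothis(4)  = "net localgroup administrators"
    nothis(5)  = "select"
    nothis(6)  = "count"
    nothis(7)  = "asc"
    nothis(8)  = "char"
    nothis(9)  = "mid"
    nothis(10) = "'"
    nothis(11) = ":"
    nothis(12) = """"    ' a single double-quote character
    nothis(13) = "insert"
    nothis(14) = "delete"
    nothis(15) = "drop"
    nothis(16) = "truncate"
    nothis(17) = "from"
    nothis(18) = "%"
    nothis(19) = "@"

    errC = False
    For i = 0 To UBound(nothis)
        If InStr(1, fqys, nothis(i), vbTextCompare) <> 0 Then
            errC = True
            Exit For    ' one hit decides the outcome; no need to finish the list
        End If
    Next
    If errC Then
        Response.Write "Query information contains illegal char!<a href=""#"" onclick=""history.back()"">Return to</a>"
        Response.End
    End If
End Function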