SQL Injection 방어하기 (Defending against SQL injection — a blacklist-based request filter for Classic ASP / VBScript; a defence-in-depth layer, not a substitute for parameterised queries)
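' Returns True when s is a non-empty string made only of hexadecimal digits.
' Used by f_injection so that CInt("&H" & s) can never raise a type-mismatch
' or overflow error on attacker-controlled input.
Function f_injection_IsHex(s)
    Dim i, c
    f_injection_IsHex = False
    If Len(s) = 0 Then Exit Function
    For i = 1 To Len(s)
        c = LCase(Mid(s, i, 1))
        If InStr("0123456789abcdef", c) = 0 Then Exit Function
    Next
    f_injection_IsHex = True
End Function

' Blacklist-based request filter against SQL injection.
'
' query_string : raw, still percent-encoded request text (the caller passes
'                PATH_INFO & "?" & QueryString). It is decoded here once,
'                lower-cased and scanned for every entry of the word list
'                file; on a hit the request is logged via adoConn and the
'                response is terminated with Response.End.
'
' SECURITY NOTE: a keyword blacklist is a defence-in-depth layer only. It is
' bypassable (SQL comments, alternate encodings, keywords the list lacks) and
' it blocks legitimate input that happens to contain a listed word. The real
' fix for SQL injection is parameterised queries (ADODB.Command with
' Parameters) in every page that builds SQL; keep using them regardless of
' whether this filter is in place. Only the single decoding pass below is
' applied, so a doubly-encoded payload (e.g. %2527) is not seen as a quote;
' that is only a problem if some page decodes its input a second time.
Sub f_injection(query_string)
    Dim InjectAttack : InjectAttack = False
    Dim strSource, strTemp, strResult, strchr
    Dim lngPos, AddNum, IFKor, hexPair
    ' Declared explicitly: in the original these were implicit globals,
    ' which leaks state between pages when Option Explicit is off.
    Dim wordFile, injectionTxt
    Dim j, injection_filter_arr, injection_filter_cnt, injection_filter

    strResult = ""
    strSource = Replace(query_string, "+", " ")

    ' Hand-rolled single-pass percent-decoding of the request text.
    For lngPos = 1 To Len(strSource)
        AddNum = 2
        strTemp = Mid(strSource, lngPos, 1)
        If strTemp = "%" Then
            hexPair = Mid(strSource, lngPos + 1, 2)
            If Len(hexPair) = 2 And f_injection_IsHex(hexPair) Then
                strchr = CInt("&H" & hexPair)
                ' A byte above 130 is treated as the lead byte of a two-byte
                ' (EUC-KR / CP949) character and combined with the following
                ' %YY escape into one 16-bit code. Chr() with a 16-bit value
                ' only works on a DBCS locale — NOTE(review): confirm the
                ' server locale is Korean, otherwise Chr() raises here.
                If strchr > 130 Then
                    IFKor = Mid(strSource, lngPos + 1, 5)
                    ' Only combine when the text really is "XX%YY"; otherwise
                    ' fall back to the single byte instead of feeding a
                    ' non-hex or 5-digit value to CInt (overflow / mismatch).
                    If Len(IFKor) = 5 Then
                        If Mid(IFKor, 3, 1) = "%" And f_injection_IsHex(Mid(IFKor, 4, 2)) Then
                            AddNum = 5
                            IFKor = Replace(IFKor, "%", "")
                            strchr = CInt("&H" & IFKor)
                        End If
                    End If
                End If
                strResult = strResult & Chr(strchr)
                lngPos = lngPos + AddNum
            Else
                ' Malformed escape ("%zz", or "%" too close to the end): keep
                ' the literal "%" instead of raising a runtime error that any
                ' client could trigger at will (and that, with default ASP
                ' error pages, may disclose the script path).
                strResult = strResult & strTemp
            End If
        Else
            strResult = strResult & strTemp
        End If
    Next

    ' The expected attack tokens live in a text file so operators can extend
    ' the list without touching code.
    ' NOTE(review): "F:injection_word.txt" has no path separator, so it
    ' resolves relative to the worker process's current directory on F: —
    ' confirm this is intended (likely "F:\injection_word.txt"). A missing
    ' file raises an error here, which is the safe (fail-closed) direction,
    ' so no FileExists guard is added.
    Set wordFile = objFso.OpenTextFile("F:injection_word.txt", 1)
    injectionTxt = wordFile.ReadAll
    wordFile.Close
    Set wordFile = Nothing

    strResult = LCase(strResult)
    ' The list is comma-separated; spaces are stripped first, so an entry
    ' cannot contain a space ("union select" must be listed as two tokens).
    injection_filter_arr = Split(Replace(injectionTxt, " ", ""), ",")
    injection_filter_cnt = UBound(injection_filter_arr)
    For j = 0 To injection_filter_cnt
        ' Strip CR and LF separately (a bare LF is not caught by the CRLF
        ' pair) and tabs, then lower-case so an upper-case entry in the
        ' file can match the lower-cased request (InStr compares binary).
        injection_filter = Replace(injection_filter_arr(j), Chr(13), "")
        injection_filter = Replace(injection_filter, Chr(10), "")
        injection_filter = LCase(Trim(Replace(injection_filter, Chr(9), "")))
        ' An empty entry (trailing comma, blank line at the end of the file)
        ' must be skipped: InStr(s, "") returns 1 for any non-empty s, which
        ' would flag every request on the site as an attack.
        If Len(injection_filter) > 0 Then
            If InStr(strResult, injection_filter) > 0 Then
                InjectAttack = True
                Exit For
            End If
        End If
    Next

    If InjectAttack Then
        ' Log the offending request, then stop rendering the page.
        ' NOTE(review): the statement below is a placeholder; if the real
        ' one embeds query_string / strResult by string concatenation, the
        ' logging INSERT is itself injectable — build it with ADODB.Command
        ' parameters. Consider also setting Response.Status = "403 Forbidden"
        ' (while headers are still unsent) so the client does not receive an
        ' empty 200 page.
        adoConn.Execute "쿼리문저장하기"
        Response.End
    End If
End Sub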
' Run the filter over the request path plus the raw (still percent-encoded)
' query string before any page logic executes. Only the URL is inspected by
' this call: Request.Form, cookies and headers are not covered here.
f_injection Request.ServerVariables("PATH_INFO") & "?" & Request.QueryString