当前页面位置: » 丰搜网 » 文档中心 » 详细内容
asp上两个防止sql注入式攻击function
'==========================
'过滤提交表单中的sql
'==========================
function forsqlform()
dim fqys,errc,i,items
dim nothis(18)
nothis(0)=.net user"
nothis(1)="xp_cmdshell"
nothis(2)="/add"
nothis(3)="exec%20master.dbo.xp_cmdshell"
nothis(4)=.net localgroup administrators"
nothis(5)="select"
nothis(6)="count"
nothis(7)="asc"
nothis(8)="char"
nothis(9)="mid"
nothis(10)="'"
nothis(11)=":"
nothis(12)=""""
nothis(13)="insert"
nothis(14)="delete"
nothis(15)="drop"
nothis(16)="truncate"
nothis(17)="from"
nothis(18)="%"
'nothis(19)="@"
errc=false
for i= 0 to ubound(nothis)
for each items in request.form
if instr(request.form(items),nothis(i))<>0 then
response.write("<div>")
response.write("你所填写的信息:" & server.htmlencode(request.form(items))
& "<br>含非法字符:" & nothis(i))
response.write("</div>")
response.write("对不起,你所填写的信息含非法字符!
<a href=""#"" onclick=""history.back()"">返回</a>")
response.end()
end if
next
next
end function
'==========================
'过滤查询中的sql
'==========================
function forsqlinjection()
dim fqys,errc,i
dim nothis(19)
fqys = request.servervariables("query_string")
nothis(0)=.net user"
nothis(1)="xp_cmdshell"
nothis(2)="/add"
nothis(3)="exec%20master.dbo.xp_cmdshell"
nothis(4)=.net localgroup administrators"
nothis(5)="select"
nothis(6)="count"
nothis(7)="asc"
nothis(8)="char"
nothis(9)="mid"
nothis(10)="'"
nothis(11)=":"
nothis(12)=""""
nothis(13)="insert"
nothis(14)="delete"
nothis(15)="drop"
nothis(16)="truncate"
nothis(17)="from"
nothis(18)="%"
nothis(19)="@"
errc=false
for i= 0 to ubound(nothis)
if instr(fqys,nothis(i))<>0 then
errc=true
end if
next
if errc then
response.write "查询信息含非法字符!<a href=""#"" onclick=""history.back()"">返回</a>"
response.end
end if
end function
