ASP中两个防止SQL注入的Function
ASP中两个防止SQL注入的Function
代码如下:
'==========================
'过滤提交表单中的SQL语言规则
'==========================
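Function ForSqlForm()
    ' Reject the current form post when any posted field contains one of the
    ' blacklisted SQL / command fragments below. On the first hit it writes an
    ' error message (the offending value is passed through Server.HTMLEncode
    ' before being echoed) and calls Response.End, so nothing after it runs.
    ' The function has no return value and no effect when nothing matches.
    '
    ' NOTE(review): this is a substring blacklist, not a substitute for
    ' parameterised queries (ADODB.Command with Parameters). It also rejects
    ' legitimate input that merely contains a listed fragment - an apostrophe
    ' in a surname, a time such as 12:30, or the word "from" in free text.
    Dim blocked, fragment, fieldName, fieldValue

    ' Fragments rejected anywhere inside a posted value. The comparison below
    ' is case-insensitive, so the letter case used here does not matter.
    blocked = Array( _
        "net user", _
        "xp_Cmdshell", _
        "/add", _
        "exeC%20master.dbo.xp_Cmdshell", _
        "net loCalgroup administrators", _
        "seleCt", _
        "Count", _
        "asC", _
        "Char", _
        "mid", _
        "'", _
        ":", _
        """", _
        "insert", _
        "delete", _
        "drop", _
        "trunCate", _
        "from", _
        "%" _
    )
    ' "@" is intentionally absent here (it was commented out in the original
    ' list, unlike ForSqlInjeCtion) - presumably so e-mail addresses can still
    ' be posted; confirm before adding it.

    ' Outer loop over the list, inner loop over the fields, so the first
    ' reported hit is the earliest list entry that matches any field.
    For Each fragment In blocked
        For Each fieldName In Request.Form
            fieldValue = Request.Form(fieldName)
            ' vbTextCompare makes InStr case-insensitive; the default binary
            ' compare would only match the exact letter case of the entry.
            If InStr(1, fieldValue, fragment, vbTextCompare) <> 0 Then
                Response.Write("<div>")
                Response.Write("你所填写的信息:" & Server.HTMLEncode(fieldValue) & "<br>含非法char:" & fragment)
                Response.Write("</div>")
                ' history.back() is case-sensitive JavaScript; the original
                ' "history.baCk()" would throw and the link would do nothing.
                Response.Write("对不起,你所填写的信息含非法char!<a href=""#"" onclick=""history.back()"">返回</a>")
                Response.End()
            End If
        Next
    Next
End Function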
'==========================
'过滤查询中的SQL语言规则
'==========================
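Function ForSqlInjeCtion()
    ' Reject the current request when its raw query string contains one of
    ' the blacklisted SQL / command fragments below. On a hit it writes an
    ' error message and calls Response.End; otherwise it does nothing.
    ' The function has no return value.
    '
    ' NOTE(review): a substring blacklist is not a substitute for
    ' parameterised queries (ADODB.Command with Parameters), and it rejects
    ' legitimate query strings too - see the "%" caveat below.
    Dim rawQuery, blocked, fragment, hit

    ' QUERY_STRING is the raw, still URL-encoded query string - which is why
    ' the list also carries an encoded form ("exeC%20master...").
    ' Consequence: the "%" entry rejects any query string that contains a
    ' URL-encoded character at all (spaces, non-ASCII text, ...).
    rawQuery = Request.ServerVariables("QUERY_STRING")

    ' Fragments rejected anywhere inside the query string. The comparison
    ' below is case-insensitive, so the letter case used here does not matter.
    blocked = Array( _
        "net user", _
        "xp_Cmdshell", _
        "/add", _
        "exeC%20master.dbo.xp_Cmdshell", _
        "net loCalgroup administrators", _
        "seleCt", _
        "Count", _
        "asC", _
        "Char", _
        "mid", _
        "'", _
        ":", _
        """", _
        "insert", _
        "delete", _
        "drop", _
        "trunCate", _
        "from", _
        "%", _
        "@" _
    )

    hit = False
    For Each fragment In blocked
        ' vbTextCompare makes InStr case-insensitive; the default binary
        ' compare would only match the exact letter case of the entry.
        If InStr(1, rawQuery, fragment, vbTextCompare) <> 0 Then
            hit = True
            Exit For ' one match is enough; the outcome cannot change
        End If
    Next

    If hit Then
        ' history.back() is case-sensitive JavaScript; the original
        ' "history.baCk()" would throw and the link would do nothing.
        Response.Write "查询信息含非法char!<a href=""#"" onclick=""history.back()"">返回</a>"
        Response.End
    End If
End Function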