ASP上两个防止SQL注入式攻击Function

发表于:2007-06-30来源:作者:点击数: 标签:
@#========================== @#过滤提交表单中的 SQL @#========================== function ForSqlForm() dim fqys,errc,i,items dim nothis(18) nothis(0)= .net user" nothis(1)="xp_cmdshell" nothis(2)="/add" nothis(3)="exec%20master.dbo.xp_cmds

@#==========================
@#过滤提交表单中的SQL
@#==========================
function ForSqlForm()
 dim fqys,errc,i,items
 dim nothis(18)
 nothis(0)=.net user"

 nothis(1)="xp_cmdshell"

 nothis(2)="/add"

 nothis(3)="exec%20master.dbo.xp_cmdshell"

 nothis(4)="net localgroup administrators"

 nothis(5)="select"

 nothis(6)="count"

 nothis(7)="asc"

 nothis(8)="char"

 nothis(9)="mid"

 nothis(10)="@#"

 nothis(11)=":"

 nothis(12)=""""

 nothis(13)="insert"

 nothis(14)="delete"

 nothis(15)="drop"

 nothis(16)="truncate"

 nothis(17)="from"

 nothis(18)="%"
 
 @#nothis(19)="@" 

 errc=false

 for i= 0 to ubound(nothis)
  for each items in request.Form
  if instr(request.Form(items),nothis(i))<>0 then
   response.write("<div>")
   response.write("你所填写的信息:" & server.HTMLEncode(request.Form(items)) & "<br>含非法字符:" & nothis(i))
   response.write("</div>")
   response.write("对不起,你所填写的信息含非法字符!<a href=""#"" onclick=""history.back()"">返回</a>")
   response.End()
  end if
  next
 next
end function
@#==========================
@#过滤查询中的SQL
@#==========================
function ForSqlInjection()
 dim fqys,errc,i
 dim nothis(19)
 fqys = request.ServerVariables("QUERY_STRING")
 nothis(0)="net user"

 nothis(1)="xp_cmdshell"

 nothis(2)="/add"

 nothis(3)="exec%20master.dbo.xp_cmdshell"

 nothis(4)="net localgroup administrators"

 nothis(5)="select"

 nothis(6)="count"

 nothis(7)="asc"

 nothis(8)="char"

 nothis(9)="mid"

 nothis(10)="@#"

 nothis(11)=":"

 nothis(12)=""""

 nothis(13)="insert"

 nothis(14)="delete"

 nothis(15)="drop"

 nothis(16)="truncate"

 nothis(17)="from"

 nothis(18)="%"
 
 nothis(19)="@" 

 errc=false

 for i= 0 to ubound(nothis)

 if instr(FQYs,nothis(i))<>0 then

 errc=true

 end if

 next

 if errc then
 response.write "查询信息含非法字符!<a href=""#"" onclick=""history.back()"">返回</a>"
 response.end

 end if

end function

原文转自:http://www.ltesting.net