ASP下的两个防止SQL注入式攻击的Function

用于防止sql注入攻击的 函数,大家可以直接用了,不过大家光会用不行,要增强安全意识

代码如下:

'========================== 
'过滤提交表单中的SQL 
'========================== 
function ForSqlForm() 
dim fqys,errc,i,items 
dim nothis(18) 
nothis(0)="net user" 
nothis(1)="xp_cmdshell" 
nothis(2)="/add" 
nothis(3)="exec%20master.dbo.xp_cmdshell" 
nothis(4)="net localgroup administrators" 
nothis(5)="select" 
nothis(6)="count" 
nothis(7)="asc" 
nothis(8)="char" 
nothis(9)="mid" 
nothis(10)="'" 
nothis(11)=":" 
nothis(12)="""" 
nothis(13)="insert" 
nothis(14)="delete" 
nothis(15)="drop" 
nothis(16)="truncate" 
nothis(17)="from" 
nothis(18)="%" 
'nothis(19)="@"  
errc=false 
for i= 0 to ubound(nothis) 
  for each items in request.Form 
  if instr(request.Form(items),nothis(i))<>0 then 
   response.write("<div>") 
   response.write("你所填写的信息:" & server.HTMLEncode(request.Form(items)) & "<br>含非法字符:" & nothis(i)) 
   response.write("</div>") 
   response.write("对不起,你所填写的信息含非法字符!<a href=""#"" onclick=""history.back()"">返回</a>") 
   response.End() 
  end if 
  next 
next 
end function 
'========================== 
'过滤查询中的SQL 
'========================== 
function ForSqlInjection() 
dim fqys,errc,i 
dim nothis(19) 
fqys = request.ServerVariables("QUERY_STRING") 
nothis(0)="net user" 
nothis(1)="xp_cmdshell" 
nothis(2)="/add" 
nothis(3)="exec%20master.dbo.xp_cmdshell" 
nothis(4)="net localgroup administrators" 
nothis(5)="select" 
nothis(6)="count" 
nothis(7)="asc" 
nothis(8)="char" 
nothis(9)="mid" 
nothis(10)="'" 
nothis(11)=":" 
nothis(12)="""" 
nothis(13)="insert" 
nothis(14)="delete" 
nothis(15)="drop" 
nothis(16)="truncate" 
nothis(17)="from" 
nothis(18)="%" 
nothis(19)="@"  
errc=false 
for i= 0 to ubound(nothis) 
if instr(FQYs,nothis(i))<>0 then 
errc=true 
end if 
next 
if errc then 
response.write "查询信息含非法字符!<a href=""#"" onclick=""history.back()"">返回</a>" 
response.end 
end if 
end function

相关推荐