最新下载
热门教程
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
常用sql防注入过滤函数
时间:2022-07-02 23:09:24 编辑:袖梨 来源:一聚教程网
<%
'option explicit
dim sql_injdata,sql_inj,sql_get,sql_data,sql_post
dim strtemp
SQL_injdata = "'|;|and|exec|insert|select|delete|update|count|*|%20from|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "参数错误!"
response.End()
end if
next
Next
End If
strtemp=request.servervariables("server_name")&request.servervariables("url")&"?"&request.QueryString
strtemp=lcase(strtemp)
if instr(strtemp,"select%20") or instr(strtemp,"insert%20") or instr(strtemp,"delete%20from") or instr(strtemp,"count(") or instr(strtemp,"drop%20table") or instr(strtemp,"update%20") or instr(strtemp,"truncate%20") or instr(strtemp,"asc(") or instr(strtemp,"mid(") or instr(strtemp,"char(") or instr(strtemp,"xp_cmdshell") or instr(strtemp,"exec%20master") or instr(strtemp,"net%20user") or instr(strtemp,"%20or%20") or instr(strtemp,"'") or instr(strtemp,"%20") or instr(strtemp,"""") or instr(strtemp,"“") or instr(strtemp,"”") or instr(strtemp,":") or instr(strtemp,": ") or instr(strtemp,";") or instr(strtemp,"; ") or instr(strtemp,",") or instr(strtemp,", ") or instr(strtemp,"%27") then
response.write "参数错误!"
response.End()
end if
function Replace_Text(fString)
if isnull(fString) then
Replace_Text=""
exit function
else
fString=trim(fString)
fString=replace(fString,"'","’")
fString=replace(fString,";",";")
fString=replace(fString,"--","—")
fString=replace(fString,"and","")
'fString=replace(fString,"or","")
fString=replace(fString,"select","")
fString=replace(fString,"insert","")
fString=replace(fString,"exec","")
fString=replace(fString,"delete","")
fString=replace(fString,"update","")
fString=replace(fString,"count","")
fString=replace(fString,"mid","")
fString=replace(fString,"truncate","")
'fString=replace(fString,"%","")
fString=replace(fString,"chr","")
fString=replace(fString,"master","")
fString=replace(fString,"char","")
fString=replace(fString,"declare","")
fString=replace(fString,"*","")
fString=replace(fString,"from","")
fString=server.htmlencode(fString)
Replace_Text=fString
end if
end function
Function SafeRequest(ParaName)
Dim ParaValue
ParaValue=Request(ParaName)
if IsNumeric(ParaValue) then
SafeRequest=ParaValue
exit Function
else
ParaValuetemp=lcase(ParaValue)
tempvalue="select |insert |delete from|'|count(|drop table|update |truncate |asc(|mid(|char(|xp_cmdshell|exec master|net localgroup administrators|net user| and|%20from|exec|select|delete|count|*|chr|mid|master|truncate|char|declare"
temps=split(tempvalue,"|")
for mycount=0 to ubound(temps)
if Instr(ParaValuetemp,trim(temps(mycount))) > 0 then
response.write "参数错误!"
response.end
end if
next
SafeRequest=ParaValue
end if
End function
Function SafeRequestform(ParaName)
Dim ParaValue
ParaValue=request.form(ParaName)
if IsNumeric(ParaValue) then
SafeRequestform=ParaValue
exit Function
else
ParaValuetemp=lcase(ParaValue)
tempvalue="select |insert |delete from|'|count(|drop table|update |truncate |asc(|mid(|char(|xp_cmdshell|exec master|net localgroup administrators|net user| and|%20from|exec|select|delete|count|*|chr|mid|master|truncate|char|declare"
temps=split(tempvalue,"|")
for mycount=0 to ubound(temps)
if Instr(ParaValuetemp,trim(temps(mycount))) > 0 then
response.write "参数错误!"
response.end
end if
next
SafeRequestform=ParaValue
end if
End function
Sub Check_url()
If Instr(Lcase(request.serverVariables("HTTP_REFERER")),Lcase(request.ServerVariables("SERVER_NAME")))=0 then
response.write "参数错误!"
response.End()
End if
End sub
Sub Check_ID(ID)
If Len(ID)>0 then
If Len(ID)>8 Then
Response.write "参数错误!"
Response.End()
End If
If IsNumeric(ID)=False Then
Response.write "参数错误!"
Response.End()
End If
Else
Response.write "参数错误!"
Response.End()
END If
End Sub
Function HTMLEncode(fString)
If not isnull(fString) then
fString = replace(fString, ">", ">")
fString = replace(fString, "<", "<")
fString = Replace(fString, CHR(32), " ")
fString = Replace(fString, CHR(9), " ")
fString = Replace(fString, CHR(34), """)
fString = Replace(fString, CHR(39), "'")
fString = Replace(fString, CHR(13), "")
fString = Replace(fString, CHR(10) & CHR(10), "
")
fString = Replace(fString, CHR(10), "
")
'fString=ChkBadWords(fString)
HTMLEncode = fString
End if
End function
function checkNum(numstr)
dim result
if isnull(numstr) or isempty(numstr) or (not isnumeric(numstr)) then
response.Redirect "http://"&request.ServerVariables("SERVER_NAME")&"/error.asp"
ELSE
checkNum = numstr
end if
end function
%>
相关文章
- 王者荣耀侦探能力大测试攻略 王者荣耀侦探能力大测试怎么过 11-22
- 无期迷途主线前瞻兑换码是什么 11-22
- 原神欧洛伦怎么培养 11-22
- 炉石传说网易云音乐联动怎么玩 11-22
- 永劫无间手游确幸转盘怎么样 11-22
- 无期迷途主线前瞻兑换码是什么 无期迷途主线前瞻直播兑换码介绍 11-22