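Function SafeRequest(ParaName, ParaType)
    ' Reads one request parameter and applies a minimal input check.
    '
    ' Parameters:
    '   ParaName - parameter name (string)
    '   ParaType - parameter type (number): 1 = the value must be numeric,
    '              0 = the value is a string and has its single quotes doubled
    ' Returns:
    '   The request value. For ParaType=1 it is returned unchanged once
    '   IsNumeric() passes; otherwise every ' is replaced by '' so the value
    '   can be placed inside a single-quoted SQL literal.
    ' Side effects:
    '   On a non-numeric value the function writes an error message and calls
    '   Response.End, so it does not return in that case.
    '
    ' NOTE: the unqualified Request(name) lookup searches QueryString, Form,
    ' Cookies, ClientCertificate and ServerVariables in that order, so a cookie
    ' of the same name can stand in for a missing form field. Doubling quotes
    ' only protects values that end up inside a quoted SQL literal; ADODB.Command
    ' parameters remain the robust fix and should be preferred where possible.
    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        ' IsNumeric also accepts forms such as "1e3", "&HFF", currency strings
        ' and Empty (a missing parameter), so callers should convert with
        ' CLng/CDbl before use instead of splicing the raw text into SQL.
        If Not IsNumeric(ParaValue) Then
            ' ParaName is reflected into the page; encode it so the error text
            ' cannot carry markup.
            Response.Write "参数" & Server.HTMLEncode(ParaName) & "必须为数字型!"
            Response.End
        End If
    Else
        ' The original used a typographic quote (U+2019) here, which left the
        ' ASCII apostrophe - the one SQL actually interprets - unescaped.
        ParaValue = Replace(ParaValue, "'", "''")
    End If
    SafeRequest = ParaValue
End Function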
用SafeRequest(ParaName,ParaType)代替request.form("")和request.querystring("")
*********************************************************************************************************
-------------------------------------------------------------------------------------------------------------------------------------------
*********************************************************************************************************
<%
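' Keyword blacklist applied to every QueryString and Form value before the
' including page touches the database. Entries are lower-case because each
' request value is lower-cased before the InStr() comparison.
Dim sql_injdata, sql_injHint, sql_inj
sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
' Human-readable list shown in the alert: separators become spaces, and the
' apostrophe is JS-escaped so it cannot terminate the single-quoted alert()
' string (the original replaced the quote with itself, a no-op, so the alert
' was emitted with a syntax error).
sql_injHint = Replace(sql_injdata, "|", " ")
sql_injHint = Replace(sql_injHint, "'", "\'")
sql_inj = Split(sql_injdata, "|")

' RejectIfInjected: ends the response with a JavaScript alert when any value in
' the given request collection contains a blacklisted token.
' coll - Request.QueryString or Request.Form
Sub RejectIfInjected(coll)
    Dim getData, i, hint
    For Each getData In coll
        For i = 0 To UBound(sql_inj)
            ' Substring match: legitimate text containing "and", "count", "mid",
            ' "*" or "%" is rejected as well. False positives are inherent to
            ' this blacklist approach; parameterized queries avoid the problem.
            If InStr(LCase(coll(getData)), sql_inj(i)) > 0 Then
                hint = "alert('为了保证用户的信息安全,请不要使用非法注入字符。如下字符为非法的: @sql_injHint@');"
                hint = Replace(hint, "@sql_injHint@", sql_injHint)
                Response.Write "<script language=javascript>"
                Response.Write hint
                Response.Write "history.back()"
                Response.Write "</script>"
                Response.End
            End If
        Next
    Next
End Sub

If Request.QueryString <> "" Then
    RejectIfInjected Request.QueryString
End If
' The original looped over Request.QueryString inside this branch, so POSTed
' Form values were never inspected; the Form collection is now the one checked.
If Request.Form <> "" Then
    RejectIfInjected Request.Form
End If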
%>将此段代码形成一个文件 (如:defanj.asp),将所有要用到数据库的文件头部加入<!--#include file=defanj.asp-->