
Two ASP functions for preventing SQL injection

2024-05-04 11:07:26
Source: reprinted
Contributed by: netizen

Function SafeRequest(ParaName, ParaType)
    ' --- Parameters ---
    ' ParaName: parameter name (string)
    ' ParaType: parameter type (number): 1 = the parameter must be numeric, 0 = the parameter is a string

    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        ' numeric parameter: reject anything IsNumeric does not accept
        If Not IsNumeric(ParaValue) Then
            Response.Write "参数" & ParaName & "必须为数字型!"
            Response.End
        End If
    Else
        ' string parameter: double every single quote so it cannot terminate the SQL string literal
        ParaValue = Replace(ParaValue, "'", "''")
    End If
    SafeRequest = ParaValue
End Function

Use SafeRequest(ParaName, ParaType) in place of Request.Form("") and Request.QueryString("").
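The following is an added Python port of SafeRequest, not the page's own ASP code, written to show what the two branches actually do to a value before it is concatenated into SQL. The function names, the `is_numeric` regex (stricter than VBScript's IsNumeric, which also accepts forms such as "1e5"), and the in-memory sqlite3 table standing in for the application's database are all assumptions of this example; the sample inputs are constructed. It also shows the same lookup with a bound parameter, which is the alternative that keeps the value out of the SQL text altogether.

```python
import re
import sqlite3

# Numeric check; stricter than VBScript's IsNumeric (which also accepts
# forms such as "1e5" and "&H10"), which is the safer choice for ids.
NUMERIC_RE = re.compile(r"-?\d+(\.\d+)?")


def is_numeric(value):
    """True when value is a plain integer or decimal number."""
    return NUMERIC_RE.fullmatch(value) is not None


def safe_request(para_name, para_value, para_type):
    """Port of the page's SafeRequest for one already-read request value.

    para_type 1: the value must be numeric; 0: the value is a string and every
    single quote is doubled.  Where the ASP version writes an error and calls
    Response.End, this port raises ValueError.
    """
    if para_type == 1:
        if not is_numeric(para_value):
            raise ValueError("parameter %s must be numeric" % para_name)
        return para_value
    return para_value.replace("'", "''")


def build_demo_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("o'brien",)])
    return conn


def lookup_by_name(conn, raw_name):
    """The page's pattern: escape with SafeRequest, then concatenate into SQL."""
    sql = "SELECT id FROM users WHERE name = '" + safe_request("name", raw_name, 0) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id(conn, raw_id):
    """Numeric parameter: validated by SafeRequest, then concatenated unquoted."""
    sql = "SELECT name FROM users WHERE id = " + safe_request("id", raw_id, 1)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_bound(conn, raw_name):
    """Same query with a bound parameter: no escaping needed, the driver
    keeps the value out of the SQL text entirely."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ?", (raw_name,))]


def demo():
    """Run constructed inputs through each path; returns a dict of results."""
    conn = build_demo_db()
    results = {
        "plain": lookup_by_name(conn, "alice"),
        "apostrophe": lookup_by_name(conn, "o'brien"),
        # quote-terminating input: after doubling it is matched as plain text
        "quoted_input": lookup_by_name(conn, "' OR 1=1 --"),
        "bound_apostrophe": lookup_by_name_bound(conn, "o'brien"),
        "id_ok": lookup_by_id(conn, "2"),
    }
    try:
        lookup_by_id(conn, "2 OR 1=1")
        results["id_rejected"] = False
    except ValueError:
        results["id_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The doubled quote works only inside a string literal; for the numeric branch nothing is escaped, so the IsNumeric check is the whole defence, which is why the example's id lookup rejects "2 OR 1=1". The bound-parameter lookup gives the same result for the apostrophe case without any escaping, and in classic ASP the equivalent is an ADODB.Command with Parameters.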


<%
dim sql_injdata, sql_injHint, sql_inj, getData, i, hint
' blacklist of characters and keywords; the first entry is the single quote
sql_injdata="'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
' human-readable list for the alert message
sql_injHint=replace(sql_injdata,"|"," ")
' escape the single quote so it cannot terminate the JavaScript string literal in the alert
sql_injHint=replace(sql_injHint,"'","\'")
sql_inj=split(sql_injdata,"|")

' check every query-string value against the blacklist (case-insensitive substring match)
if request.querystring<>"" then
    for each getData in request.querystring
        for i=0 to ubound(sql_inj)
            if instr(lcase(request.querystring(getData)),sql_inj(i))>0 then
                hint="alert('为了保证用户的信息安全,请不要使用非法注入字符。如下字符为非法的: @sql_injHint@');"
                hint=replace(hint,"@sql_injHint@",sql_injHint)
                response.write "<script language=javascript>"
                response.write hint
                response.write "history.back()"
                response.write "</script>"
                response.end
            end if
        next
    next
end if

' check every form value the same way
if request.form<>"" then
    for each getData in request.form
        for i=0 to ubound(sql_inj)
            if instr(lcase(request.form(getData)),sql_inj(i))>0 then
                hint="alert('为了保证用户的信息安全,请不要使用非法注入字符。如下字符为非法的: @sql_injHint@');"
                hint=replace(hint,"@sql_injHint@",sql_injHint)
                response.write "<script language=javascript>"
                response.write hint
                response.write "history.back()"
                response.write "</script>"
                response.end
            end if
        next
    next
end if
%>

Save this code as a file (e.g. defanj.asp) and add <!--#include file="defanj.asp"--> at the top of every file that accesses the database.
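The following is an added Python port of the defanj.asp check, not the page's own code, so the blacklist scan can be run offline over sample requests. Plain dicts stand in for Request.QueryString and Request.Form, the function names are this example's own, and the sample requests are constructed; the blacklist string itself is copied from the page unchanged. The example goes one step beyond the page by including an input that the substring match flags even though it contains no SQL at all.

```python
# The page's blacklist, copied unchanged: the first entry is the single quote.
SQL_INJDATA = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_INJ = SQL_INJDATA.split("|")


def first_blacklisted(value):
    """Port of the InStr loop: case-insensitive substring search over the
    blacklist, returning the first matching token or None."""
    lowered = value.lower()
    for token in SQL_INJ:
        if token in lowered:
            return token
    return None


def scan_request(querystring, form):
    """Mirror of the two loops in defanj.asp: every query-string value is
    checked first, then every form value.  Returns (collection, key, token)
    for the first hit, or None when the request passes."""
    for collection, params in (("querystring", querystring), ("form", form)):
        for key, value in params.items():
            token = first_blacklisted(value)
            if token is not None:
                return (collection, key, token)
    return None


# Constructed sample requests: (querystring, form) pairs.
SAMPLES = {
    "clean":          ({"id": "12", "sort": "name"}, {}),
    "apostrophe":     ({}, {"comment": "it's fine"}),    # hit on the ' entry
    "keyword":        ({"q": "1; SELECT 1"}, {}),         # hit on "select"
    "false_positive": ({}, {"first_name": "Richard"}),   # "richard" contains "char"
    "percent":        ({"discount": "50%"}, {}),          # hit on "%"
}


def scan_all(samples=SAMPLES):
    """Scan every sample; returns {name: matched token or None}."""
    out = {}
    for name, (qs, form) in samples.items():
        hit = scan_request(qs, form)
        out[name] = None if hit is None else hit[2]
    return out


if __name__ == "__main__":
    for name, token in scan_all().items():
        print(name, "->", "pass" if token is None else "blocked on %r" % token)
```

Two properties of the filter show up in the results. Because matching is by substring, ordinary values such as a name containing "char" or a word containing "and" are blocked along with the apostrophe and "%" cases, so the include will reject legitimate form data. And because it is a fixed keyword list, it can only catch what is on the list; it is a defence-in-depth layer in front of SafeRequest or bound parameters, not a replacement for them.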
