防止sql注入！ - 飘凌 blog

飘凌 blog

2008/1/22 22:05:08

防止sql注入！

     ’ ============================================
’ 得到安全字符串,在查询中使用
’ 作者：xiang6963摘自sql注入天书
’ ============================================
’Function Get_SafeStr(str)
’ Get_SafeStr = Replace(Replace(Replace(Trim(str), "’", ""), Chr(34), ""), ";", "")
’End Function
Function SafeRequest(ParaName,ParaType)
         ’--- 传入参数 ---
         ’ParaName:参数名称-字符型
         ’ParaType:参数类型-数字型(1表示以上参数是数字，0表示以上参数为字符)
         Dim ParaValue
         ParaValue=Request(ParaName)
         If ParaType=1 then
                If not isNumeric(ParaValue) then
                       Response.write "参数" & ParaName & "必须为数字型！"
                       Response.end
                End if
         Else
                ParaValue=replace(ParaValue,"’","’’")
         End if
         SafeRequest=ParaValue
End function
---------------------------------------------------------------------------------------
第二种！第三种眯起来！
<%
’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’
’ASP通用防注入代码
’您可以把该代码COPY到头文件中.也可以单独作
’为一个文件存在,每次调用使用
’作者:y3gu - 2005-7-29
’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’’
ErrorSql = "’~;~and~(~)~exec~update~count~*~%~chr~mid~or~delete~master~truncate~char~declare" Rem(每个敏感字符或者词语请使用半角 "~" 格开)
ErrorSql = split(ErrorSql,"~")
If Request.ServerVariables("REQUEST_METHOD")="GET" Then
GetFlag=True
Else
GetFlag=False
End If
If GetFlag Then
For Each RequestKey In Request.QueryString
For ForI=0 To Ubound(ErrorSql)
If Instr(LCase(Request.QueryString(RequestKey)),ErrorSql(ForI))<>0 Then
response.write "<script>alert(""警告:\n请不要使用敏感字符"");location.href=""default.asp"";</script>"
Response.End
End If
Next
Next
Else
For Each RequestKey In Request.Form
For ForI=0 To Ubound(ErrorSql)
If Instr(LCase(Request.Form(RequestKey)),ErrorSql(ForI))<>0 Then
response.write "<script>alert(""警告:\n请不要使用敏感字符"");location.href=""default.asp"";</script>"
Response.End
End If
Next
Next
End If
%>

飘凌blog 管理