| 〖打印本页〗〖打印选项〗 |
| ASP 中 SQL 防注入程序代码 |
| 将以下代码保存为 *.asp,如 SQL.asp,然后在每个 ASP 页面的头部加入 <!--#include file="SQL.asp"-->,一般只要在前台页面加入即可,后台的页面因为要经常添加数据,为防止过滤检测,还是不要加入这段代码。
<% dim GuFormGet dim GuStringFormGet,GuStringFormPost dim RequestKey,i,j GuStringFormGet="'|);|and|select|exec|update|count|*|%|chr|mid|master|truncate|char|declare|delete|%20from|insert|=" GuStringFormPost="'|%|&|*|#|=|select|and|set|delete" GuStringFormGet=Split(GuStringFormGet,"|") GuStringFormPost=Split(GuStringFormPost,"|") if LCase(Request.ServerVariables("REQUEST_METHOD"))="get" then GuFormGet=true else GuFormGet=false end if if GuFormGet then for each RequestKey in Request.QueryString for i=0 to Ubound(GuStringFormGet) if InStr(LCase(Request.QueryString(RequestKey)),GuStringFormGet(i))<>0 then call GuMessageSQL() end if next next else for each RequestKey in Request.Form for j=0 to Ubound(GuStringFormPost) if InStr(LCase(Request.Form(RequestKey)),GuStringFormPost(j))<>0 then call GuMessageSQL() end if next next end if sub GuMessageSQL() Response.write "<html>" &vbCrLf Response.write "<head>" &vbCrLf Response.write "<title>网站名称</title>" &vbCrLf Response.write "<meta http-equiv=""Content-Type"" content=""text/html;charset=gb2312"">" &vbCrLf Response.write "<meta http-equiv=""Content-Language"" Content=""zh-CN"">"&vbCrLf Response.write "</head>" &vbCrLf Response.write "" &vbCrLf Response.write "<body>" &vbCrLf Response.write "" &vbCrLf Response.write "<span style=""font-family:宋体;font-size:14px;color:#FF0000;"">数据提交失败,表单中包含特殊字符。</span><br><br>" &vbCrLf Response.write "<a href=""#"" onclick=""JavaScript:history.go(-1);"" style=""font-family:宋体;font-size:12px;color:#C0C0C0;text-decoration:none;"">[后退]</a>" &vbCrLf Response.write "" &vbCrLf Response.write "</body>" &vbCrLf Response.write "</html>" &vbCrLf Response.end end sub %> 文章作者:未知 |