|
''''==========================
''''过滤提交表单中的SQL
''''==========================
function ForSqlForm()
dim fqys,errc,i,items
dim nothis(18)
nothis(0)="net user" nothis(1)="xp_cmdshell" nothis(2)="/add" nothis(3)="exec%20master.dbo.xp_cmdshell" nothis(4)="net localgroup administrators" nothis(5)="select" nothis(6)="count" nothis(7)="asc" nothis(8)="char" nothis(9)="mid" nothis(10)="''''" nothis(11)=":" nothis(12)="""" nothis(13)="insert" nothis(14)="delete" nothis(15)="drop" nothis(16)="truncate" nothis(17)="from" nothis(18)="%"
''''nothis(19)="@" errc=false for i= 0 to ubound(nothis)
for each items in request.Form
if instr(request.Form(items),nothis(i))<>0 then
response.write("<div>")
response.write("你所填写的信息:" & server.HTMLEncode(request.Form(items)) & "<br>含非法字符:" & nothis(i))
response.write("</div>")
response.write("对不起,你所填写的信息含非法字符!<a href=""#"" onclick=""history.back()"">返回</a>")
response.End()
end if
next
next
end function
''''==========================
''''过滤查询中的SQL
''''==========================
function ForSqlInjection()
dim fqys,errc,i
dim nothis(19)
fqys = request.ServerVariables("QUERY_STRING")
nothis(0)="net user" nothis(1)="xp_cmdshell" nothis(2)="/add" nothis(3)="exec%20master.dbo.xp_cmdshell" nothis(4)="net localgroup administrators" nothis(5)="select" nothis(6)="count" nothis(7)="asc" nothis(8)="char" nothis(9)="mid" nothis(10)="''''" nothis(11)=":" nothis(12)="""" nothis(13)="insert" nothis(14)="delete" nothis(15)="drop" nothis(16)="truncate" nothis(17)="from" nothis(18)="%"
nothis(19)="@" errc=false for i= 0 to ubound(nothis) if instr(FQYs,nothis(i))<>0 then errc=true end if next if errc then
response.write "查询信息含非法字符!<a href=""#"" onclick=""history.back()"">返回</a>"
response.end end if end function
| 
注:本站部分文章源于互联网,版权归原作者所有!如有侵权,请原作者与本站联系,本站将立即删除! 本站文章除特别注明外均可转载,但需注明出处! [MinTao学以致用网] 