asp防sql注入代码
'Asp防注入代码 Dim SQL_injdata,SQL_inj,SQL_Get,SQL_Data,Sql_Post SQL_injdata =lcase(":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'") SQL_injdata =SQL_injdata&lcase("|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|script") SQL_inj = split(SQL_Injdata,"|") if Request.QueryString<>"" then For Each SQL_Get In Request.QueryString For SQL_Data=0 To Ubound(SQL_inj) if not IsNumeric(Request.QueryString(SQL_Get)) then if instr(lcase(Request.QueryString(SQL_Get)),Sql_Inj(Sql_DATA))>0 Then Response.Write "对不起,非法URL地址请求!!" Response.end end if end if next next end if if Request.Form<>"" then For Each Sql_Post In Request.Form For SQL_Data=0 To Ubound(SQL_inj) if instr(lcase(Request.Form(Sql_Post)),Sql_Inj(Sql_DATA))>0 Then Response.Write "对不起,非法数据提交!" Response.end end if next next end if 'if Request.Cookies<>"" then ' For Each Sql_Post In Request.Cookies ' For SQL_Data=0 To Ubound(SQL_inj) ' if instr(lcase(Request.Cookies(Sql_Post)),Sql_Inj(Sql_DATA))>0 Then ' Response.Write "对不起,非法URL地址请求!" ' Response.end ' end if ' next ' next 'end if 'post过滤sql注入代防范及HTML防护开始 function nosql(str) if not isnull(str) then str=trim(str) str=replace(str,";",";") '分号 str=replace(str,"'","'") '单引号 str=replace(str,"""",""") '双引号 str=replace(str,"chr(9)"," ") '空格 str=replace(str,"chr(10)","<br>") '回车 str=replace(str,"chr(13)","<br>") '回车 str=replace(str,"chr(32)"," ") '空格 str=replace(str,"chr(34)",""") '双引号 str=replace(str,"chr(39)","'") '单引号 str=Replace(str, "script", "script")'jscript str=replace(str,"<","<") '左< str=replace(str,">",">") '右> str=replace(str,"(","(") '左( str=replace(str,")",")") '右) str=replace(str,"--","--") 'SQL注释符 str=replace(str,"net user","") str=replace(str,"xp_cmdshell","") str=replace(str,"/add","") str=replace(str,"exec%20master.dbo.xp_cmdshell","") str=replace(str,"net localgroup administrators","") str=replace(str,"select","") str=replace(str,"count","") str=replace(str,"asc","") str=replace(str,"char","") str=replace(str,"mid","") str=replace(str,":","") str=replace(str,"insert","") str=replace(str,"delete","") str=replace(str,"drop","") str=replace(str,"truncate","") str=replace(str,"from","") str=replace(str,"%","") nosql=str end if end function
最近在用老掉牙的asp做点东东,找到一个好用的防注入代码,收藏一下。