asp防sql注入与文本框防sql注入的代码
本节内容:
防止sql注入的asp代码
一,防注入
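'-过滤危险字符,防止sql注入
' Request-wide keyword filter. Every query-string and form value is scanned
' for the tokens in SQL_injdata; on a hit the response is a client-side alert
' plus history.back(-1) and the request is ended.
' NOTE(review): a keyword blacklist is a coarse, lossy control -- it rejects
' legitimate input that merely contains "and", "%" or "*" -- and it is not a
' substitute for parameterized queries (ADODB.Command with Parameters) or for
' per-parameter validation. Treat it as defense in depth only.
' Fix: InStr defaults to binary (case-sensitive) comparison, so the token list
' was only applied to values written in exactly its casing; vbTextCompare
' applies it case-insensitively.
Dim SQL_injdata, SQL_inj
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = Split(SQL_injdata, "|")

' Scan every entry of an ASP request collection (QueryString or Form) and
' abort the request with alertMarkup if any value contains a blacklisted token.
Sub RejectIfBlacklisted(ByRef collection, ByVal alertMarkup)
    Dim key, i
    For Each key In collection
        For i = 0 To UBound(SQL_inj)
            ' vbTextCompare: match regardless of letter case.
            If InStr(1, collection(key), SQL_inj(i), vbTextCompare) > 0 Then
                Response.Write alertMarkup
                Response.End
            End If
        Next
    Next
End Sub

If Request.QueryString <> "" Then
    RejectIfBlacklisted Request.QueryString, "<Script Language=javascript>alert('SQL通用防注入系統提示,請不要在參數中包含非法字符嘗試注入!');history.back(-1)</Script>"
End If
If Request.Form <> "" Then
    RejectIfBlacklisted Request.Form, "<Script Language=javascript>alert('SQL通用防注入系統提示,請不要在參數中包含非法字符嘗試注入');history.back(-1)</Script>"
End If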
%>
二,处理SQL注入的函数
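Function SafeReplace(ParaName)
    '--- Input ---
    ' ParaName: the raw parameter value (string). It is trimmed and
    ' lower-cased, every token below is removed in order, and the stripped
    ' string is returned.
    ' NOTE(review): this is a lossy keyword blacklist. It alters legitimate
    ' text (for example "order" and "or" disappear from ordinary words) and
    ' must not be the only protection; parameterized queries (ADODB.Command
    ' with Parameters) should carry the actual SQL safety.
    ' Fixes relative to the earlier version: the entry "updata" was a typo
    ' and never matched the intended keyword "update"; "while(1)" was listed
    ' after "(" and ")" had already been removed, so it could never match --
    ' it now precedes the parenthesis entries. The duplicate chr(39) entry
    ' (identical to "'") was dropped.
    Dim tokens, i, value
    ' Order is significant: compound tokens come before the single characters
    ' they contain ("--" before "-", "while(1)" before "(" and ")").
    tokens = Array("select", "insert", "update", "addnew", "delete", "order", _
                   "and", "or", "exec", "--", "-", ";", "%", "<", ">", _
                   "while(1)", "(", ")", "window.open", "window.close", _
                   "script", "'", Chr(34))
    value = LCase(Trim(ParaName))
    For i = 0 To UBound(tokens)
        value = Replace(value, tokens(i), "")
    Next
    SafeReplace = value
End Function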
Function SafeRequest(ParaName,ParaType)
    '--- Inputs ---
    ' ParaName: name of the request parameter (string); its value is read
    '           with Request(ParaName).
    ' ParaType: 1 = the parameter must be numeric, anything else = text.
    ' Numeric parameters: an empty or non-numeric value sends the browser
    ' back one page and ends the request. Text parameters: single quotes are
    ' doubled, which is the escaping rule for a value placed inside a
    ' single-quoted SQL string literal.
    ' NOTE(review): IsNumeric accepts more than plain integers (signs,
    ' decimals, exponent notation), and quote doubling protects only values
    ' embedded in quoted literals -- parameterized queries remain the
    ' preferred primary control.
    Dim value
    value = Request(ParaName)
    If ParaType = 1 Then
        ' Both failure cases emit the same redirect, so they share one branch.
        If value = "" Or Not IsNumeric(value) Then
            Response.Write("<script language='javascript1.2'>history.go(-1)</script>")
            Response.End
        End If
    Else
        value = Replace(value, "'", "''")
    End If
    SafeRequest = value
End Function
三,反处理htmlencode的代码
strEncode=LCase(strEncode)
strEncode=Replace(strEncode,"&","&")
strEncode=Replace(strEncode,"<","<")
strEncode=Replace(strEncode,">",">")
strEncode=Replace(strEncode,""",Chr(34))
strEncode=Replace(strEncode,"<br>","/r/n")
strEncode=Replace(strEncode," "," ")
HTMLDecode = strEncode
End Function
四,去掉html标签的正则
dim re
Set re=new RegExp
re.IgnoreCase = true
re.Global=True
re.Pattern="(/<.[^/<]*/>)"
str=re.replace(str," ")
re.Pattern="(/<//[^/<]*/>)"
str=re.replace(str," ")
nohtml=str
set re=nothing
End function