-- 作者:Coral
-- 发布时间:2/1/2005 1:47:00 PM
-- ASP函数过滤的几种方法
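转自: 中国站长贴吧 sungla(maomao) 发表于1-28 10:42 1.数字型变量:用isNumeric()判断是否为数字 2.字符型或其它类型变量:将单引号'替换成两个 下面给出两个函数,用来代替ASP的Request函数,只要每处地方使用这两个函数取值,SQL注入根本没有用武之地.

'----------------------------------------------------------------
' ReqNum: read a request parameter that must be numeric.
' Returns Request(StrName) unchanged when IsNumeric() accepts it;
' otherwise writes an error message and ends the response.
' Note: a bare Request(name) searches the ASP collections in turn
' (QueryString, Form, Cookies, ...), so name the collection when the
' source of the value matters. IsNumeric() also accepts signs,
' decimals and exponent notation, so callers that need an integer
' should still convert the result (CLng) before using it.
'----------------------------------------------------------------
Function ReqNum ( StrName )
    ReqNum = Request ( StrName )
    If Not IsNumeric ( ReqNum ) Then
        Response.Write "参数必须为数字型!"
        Response.End
    End If
End Function

'----------------------------------------------------------------
' ReqStr: read a string request parameter.
' Replaces every ASCII apostrophe (') with the typographic quote ‘ so
' the value cannot close a single-quoted SQL literal. This changes the
' stored value instead of escaping it (the standard SQL escape is to
' double the quote, ''), and it only helps when the caller puts the
' value inside quotes - ADO command parameters avoid both problems.
'----------------------------------------------------------------
Function ReqStr ( StrName )
    ReqStr = Replace ( Request(StrName), "'", "‘" )
End Function

'**************************************************
'函数名:killbad(苛刻检验)
' killbad (strict check): swaps characters with SQL meaning for
' full-width look-alikes. Each Replace() runs on the result of the
' previous one, so all substitutions apply.
' Parameter: strChar - the string to filter
' Returns:   the filtered string; "" stays ""
'**************************************************
Function killbad(strChar)
    Dim filtered
    If strChar = "" Then
        killbad = ""
    Else
        filtered = strChar
        filtered = Replace(filtered, "'", "’")
        filtered = Replace(filtered, "*", "×")
        filtered = Replace(filtered, "?", "？")
        filtered = Replace(filtered, "(", "（")
        filtered = Replace(filtered, ")", "）")
        filtered = Replace(filtered, "<", "〈")
        filtered = Replace(filtered, ".", "。")
        filtered = Replace(filtered, ";", "；")
        killbad = filtered
    End If
End Function

'**************************************************
'函数名:kickbad(一般检验)
' kickbad (ordinary check): same substitutions as killbad above
' except that "." is left alone (so dotted values such as
' file names and decimals survive).
' Parameter: strChar - the string to filter
' Returns:   the filtered string; "" stays ""
'**************************************************
Function kickbad(strChar)
    Dim filtered
    If strChar = "" Then
        kickbad = ""
    Else
        filtered = strChar
        filtered = Replace(filtered, "'", "’")
        filtered = Replace(filtered, "*", "×")
        filtered = Replace(filtered, "?", "？")
        filtered = Replace(filtered, "(", "（")
        filtered = Replace(filtered, ")", "）")
        filtered = Replace(filtered, "<", "〈")
        filtered = Replace(filtered, ";", "；")
        kickbad = filtered
    End If
End Function

<%
' 检查非法*
' Reject the request when the raw query string contains any listed token.
' Scope: only QUERY_STRING is inspected, as the raw URL-encoded text, so
' the "%" entry fires on every percent-encoded request (including the
' "%20" in nothis(3), which can therefore never be the deciding match).
' Form fields and cookies are not covered here - apply killbad/ReqStr to
' them separately. Matching is case-insensitive (vbTextCompare) because
' SQL keywords are; the original InStr() compared bytes exactly.
Dim qs, errc, i, nothis
qs = Request.ServerVariables("query_string")
nothis = Array( _
    "net user", _
    "xp_cmdshell", _
    "/add", _
    "exec%20master.dbo.xp_cmdshell", _
    "net localgroup administrators", _
    "select", _
    "count", _
    "asc", _
    "char", _
    "mid", _
    "'", _
    ":", _
    """", _
    "insert", _
    "delete", _
    "drop", _
    "truncate", _
    "from", _
    "%" _
)
errc = False
For i = 0 To UBound(nothis)
    If InStr(1, qs, nothis(i), vbTextCompare) <> 0 Then
        errc = True
        Exit For   ' one hit is enough; no need to scan the rest
    End If
Next
If errc Then
    Response.Write "<script language=""javascript"">"
    Response.Write "parent.alert('很抱歉!你的*作不被允许,请查看您是不是输错了?!确定后将直接转向首页..');"
    Response.Write "self.location.href='index.asp';"
    Response.Write "</script>"
    Response.End
End If
%>

<%
' killbad, second version (from a different source than the one above).
' The page shows two functions named killbad; an ASP file may contain
' only one of them, otherwise VBScript reports a name-redefinition error.
' Original bug: every Replace() read strchar again instead of the running
' result, so only the last substitution ($ -> ￥) took effect. Fixed by
' threading the result through each call.
' Parameter: strchar - the string to filter
' Returns:   the filtered string; "" stays ""
Function killbad(strchar)
    Dim filtered
    If strchar = "" Then
        killbad = ""
    Else
        filtered = strchar
        filtered = Replace(filtered, "'", "‘")
        filtered = Replace(filtered, ";", "；")
        filtered = Replace(filtered, ",", "，")
        filtered = Replace(filtered, "?", "？")
        filtered = Replace(filtered, "<", "＜")
        filtered = Replace(filtered, ">", "＞")
        filtered = Replace(filtered, "(", "（")
        filtered = Replace(filtered, ")", "）")
        filtered = Replace(filtered, "@", "＠")
        filtered = Replace(filtered, "=", "＝")
        filtered = Replace(filtered, "+", "＋")
        filtered = Replace(filtered, "*", "＊")
        filtered = Replace(filtered, "&", "＆")
        filtered = Replace(filtered, "#", "＃")
        filtered = Replace(filtered, "%", "％")
        filtered = Replace(filtered, "$", "￥")
        killbad = filtered
    End If
End Function
%>
每页都调用,然后在需要验证的地方加上killbad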