

--  作者:Coral
--  发布时间:2/1/2005 1:47:00 PM

--  ASP函数过滤的几种方法
转自: 中国站长贴吧   sungla(maomao) 发表于1-28 10:42


1.数字型变量:判断是否为数字后再拼入 SQL。注意 isNumeric() 过于宽松("1e5"、"&HFF"、"1,000"、前后带空格的值都会通过),应按"可选负号 + 数字(可带一个小数点)"的严格格式校验。
2.字符型或其它类型变量:将单引号 ' 替换成两个单引号 ''(SQL 标准转义),并且只对放在引号内的字符串字面量有效;把 ' 换成全角引号会改写用户数据,也不是转义。
下面给出两个函数,用来代替ASP的Request函数。在每处取值都经过这两个函数的前提下,可以挡住最常见的 SQL 注入,但并不等于"SQL注入根本没有用武之地":未加引号的数字位置、LIKE 通配符、MySQL 的反斜杠转义等都不在覆盖范围内。更可靠的做法是用 ADODB.Command 的参数化查询,这两个函数只是兜底。

'----------------------------------------------------------------
' 获取数字型参数
'----------------------------------------------------------------
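Function ReqNum ( StrName )
    ' Reads Request(StrName) and returns it only when it is a plain
    ' decimal number: optional leading "-", digits, optionally one "."
    ' followed by more digits.  Anything else writes an error and ends
    ' the response, as before.
    '
    ' Why not IsNumeric(): it also accepts "1e5", hex such as "&HFF",
    ' "1,000", "$5", "+5" and values with leading/trailing spaces, so
    ' passing IsNumeric() does not make a value safe to splice into SQL
    ' as an unquoted literal.
    '
    ' Returns the raw string (same type as before) so callers that
    ' concatenate it into SQL keep working.  ADODB.Command parameters
    ' remain the preferred fix; this check is the fallback for numeric
    ' positions where quoting cannot apply.
    Dim raw, i, ch, seenDigit, seenDot, ok
    raw = Request(StrName) & ""
    ok = Len(raw) > 0
    seenDigit = False
    seenDot = False
    For i = 1 To Len(raw)
        ch = Mid(raw, i, 1)
        If ch >= "0" And ch <= "9" Then
            seenDigit = True
        ElseIf ch = "-" And i = 1 Then
            ' a sign is only allowed in the first position
        ElseIf ch = "." And seenDigit And Not seenDot And i < Len(raw) Then
            ' one decimal point, not leading, not trailing
            seenDot = True
        Else
            ok = False
            Exit For
        End If
    Next
    ' "-" alone has no digit at all
    If ok And Not seenDigit Then ok = False
    If Not ok Then
        response.write "参数必须为数字型!"
        response.end
    End If
    ReqNum = raw
End Function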

'----------------------------------------------------------------
' 获取字符型参数
'----------------------------------------------------------------
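Function ReqStr ( StrName )
    ' Reads Request(StrName) and escapes it for use inside a
    ' single-quoted SQL string literal by doubling every "'" — the
    ' SQL escape, and what step 2 of this post itself describes.
    ' The posted code swapped "'" for a full-width quote instead, which
    ' silently alters the stored data and is not an escape at all.
    '
    ' Callers must still wrap the result in '...' in the query; it gives
    ' no protection in unquoted (numeric) positions — use ReqNum there.
    ' Doubling is correct for SQL Server and Access; MySQL additionally
    ' treats "\" as an escape, so there (and everywhere) ADODB.Command
    ' parameters are the preferred fix.  This is SQL escaping only and
    ' does nothing for HTML output (use Server.HTMLEncode for that).
    ReqStr = Replace(Request(StrName) & "", "'", "''")
End Function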

'**************************************************
'函数名:killbad(苛刻检验)
'作 用:过滤非法的SQL字符
'参 数:strChar-----要过滤的字符
'返回值:过滤后的字符
'**************************************************
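function killbad(strChar)
    ' "Strict" substitution filter: swaps each of a fixed set of
    ' SQL-significant ASCII characters for a look-alike full-width
    ' character.  Empty input comes back as "".
    '
    ' Fix: in the posted text the targets for "?", "(", ")" and ";" had
    ' been flattened back to ASCII, so those four Replace() calls were
    ' no-ops.  The full-width forms, evident from the entries that
    ' survived (’ × 〈 。), are restored here.
    '
    ' Caveats: the mapping is lossy (a "." in an IP address, e-mail or
    ' decimal becomes "。"), character swapping is not an SQL escape,
    ' and unquoted (numeric) contexts are not covered.  Prefer
    ' ADODB.Command parameters; use Replace(s, "'", "''") when a string
    ' must be spliced into a quoted literal.
    Dim pairs, i, result
    ' source/target pairs, applied in the same order as the original
    ' nested Replace() chain (innermost first)
    pairs = Array( _
        "'", "’", _
        "*", "×", _
        "?", "？", _
        "(", "（", _
        ")", "）", _
        "<", "〈", _
        ".", "。", _
        ";", "；")
    if strChar = "" then
        killbad = ""
    else
        result = strChar
        For i = 0 To UBound(pairs) Step 2
            result = Replace(result, pairs(i), pairs(i + 1))
        Next
        killbad = result
    end if
end function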

'**************************************************
'函数名:kickbad(一般检验)
'作 用:过滤非法的SQL字符
'参 数:strChar-----要过滤的字符
'返回值:过滤后的字符
'**************************************************
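function kickbad(strChar)
    ' "Normal" substitution filter: same mapping as killbad minus the
    ' "." entry, so dotted values (IPs, e-mail, decimals) pass through.
    ' Empty input comes back as "".
    '
    ' Fix: in the posted text the targets for "?", "(", ")" and ";" had
    ' been flattened back to ASCII, so those four Replace() calls were
    ' no-ops.  The full-width forms, evident from the entries that
    ' survived (’ × 〈), are restored here.
    '
    ' Caveats: character swapping is not an SQL escape and does nothing
    ' for unquoted (numeric) contexts.  Prefer ADODB.Command parameters;
    ' use Replace(s, "'", "''") when a string must be spliced into a
    ' quoted literal.
    Dim pairs, i, result
    ' source/target pairs, applied in the original nested order
    pairs = Array( _
        "'", "’", _
        "*", "×", _
        "?", "？", _
        "(", "（", _
        ")", "）", _
        "<", "〈", _
        ";", "；")
    if strChar = "" then
        kickbad = ""
    else
        result = strChar
        For i = 0 To UBound(pairs) Step 2
            result = Replace(result, pairs(i), pairs(i + 1))
        Next
        kickbad = result
    end if
end function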

<%
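' Blacklist check on the raw query string: if any listed token appears,
' emit a JavaScript alert, redirect to index.asp and end the response.
'
' Fixes applied: InStr() defaults to a binary (case-sensitive) compare,
' so "SELECT" / "Select" slipped past the lowercase list — the compare
' is now vbTextCompare; and the loop stops at the first hit.
'
' Caveats before relying on this:
'  - QUERY_STRING is still URL-encoded here, so "'" arrives as %27 and
'    never matches entry 10, while entry 18 ("%") rejects every encoded
'    character — including any non-ASCII text in a GET parameter.
'    Only GET is inspected; Request.Form and cookies are not.
'  - Short tokens ("asc", "mid", "char", "count", "from", ":") also hit
'    ordinary values such as "charset", "middle", "from=..", "12:30".
'  - Blacklists are bypassable in general (comments, alternate
'    encodings, unlisted functions).  Treat this as a speed bump; the
'    SQL-injection defense is parameterized queries.
dim qs,errc,i
qs=request.servervariables("query_string")
dim nothis(18)
nothis(0)="net user"
nothis(1)="xp_cmdshell"
nothis(2)="/add"
nothis(3)="exec%20master.dbo.xp_cmdshell"
nothis(4)="net localgroup administrators"
nothis(5)="select"
nothis(6)="count"
nothis(7)="asc"
nothis(8)="char"
nothis(9)="mid"
nothis(10)="'"
nothis(11)=":"
nothis(12)=""""
nothis(13)="insert"
nothis(14)="delete"
nothis(15)="drop"
nothis(16)="truncate"
nothis(17)="from"
nothis(18)="%"
errc=false
for i= 0 to ubound(nothis)
    ' case-insensitive substring match; one hit is enough
    if instr(1, qs, nothis(i), vbTextCompare)<>0 then
        errc=true
        exit for
    end if
next
if errc then
    response.write "<script language=""javascript"">"
    response.write "parent.alert('很抱歉!你的*作不被允许,请查看您是不是输错了?!确定后将直接转向首页..');"
    response.write "self.location.href='index.asp';"
    response.write "</script>"
    response.end
end if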

%>


<%

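function killbad(strchar)
    ' Substitution filter (second, longer variant): swaps each listed
    ' ASCII character for a look-alike full-width character.  Empty
    ' input comes back as "".
    '
    ' Fix 1: the posted version assigned every Replace() result from the
    ' ORIGINAL strchar, so each line overwrote the previous one and only
    ' the last swap ("$" -> "¥") ever took effect.  The swaps now
    ' accumulate through one running value.
    ' Fix 2: the targets for ; , ? < > ( ) @ = + * & # % had been
    ' flattened back to ASCII (no-op replacements); the full-width
    ' forms, evident from the two entries that survived ("'" -> "‘",
    ' "$" -> "¥"), are restored.
    '
    ' Caveats: the mapping is lossy (e-mail "@", "=" and "&" in values,
    ' "+" and "%" in encoded text are all rewritten), character swapping
    ' is not an SQL escape, and unquoted (numeric) contexts are not
    ' covered.  Prefer ADODB.Command parameters; use
    ' Replace(s, "'", "''") when a string must be spliced into a
    ' quoted literal.
    Dim pairs, i, result
    ' source/target pairs, applied in the order the original listed them
    pairs = Array( _
        "'", "‘", _
        ";", "；", _
        ",", "，", _
        "?", "？", _
        "<", "＜", _
        ">", "＞", _
        "(", "（", _
        ")", "）", _
        "@", "＠", _
        "=", "＝", _
        "+", "＋", _
        "*", "＊", _
        "&", "＆", _
        "#", "＃", _
        "%", "％", _
        "$", "¥")
    if strchar = "" then
        killbad = ""
    else
        result = strchar
        For i = 0 To UBound(pairs) Step 2
            result = Replace(result, pairs(i), pairs(i + 1))
        Next
        killbad = result
    end if
end function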

%>

每页都调用,然后在需要验证的地方加上killbad。注意两点:这段 killbad 与上面第一段的 killbad 同名,同一个 ASP 页面内只能保留一个定义;原帖这一版里每一行都从 strchar 重新赋值,前面的替换会被后面的覆盖,实际只有最后一个 "$"→"¥" 生效,使用前需改成逐次在结果上累积替换。另外这类字符替换只是兜底,并不能代替参数化查询。

