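'==========================
' Reject POSTed form fields that contain SQL / OS-command fragments.
'
' Blacklist filter: every value in Request.Form is compared against each
' substring in nothis(); on the first hit the offending value is echoed back
' HTML-encoded, a message is written and Response.End aborts the page.
' No return value; the function is called purely for its side effect.
'
' Fix: InStr defaults to a binary (case-sensitive) comparison, so "SELECT",
' "Drop" or "Xp_CmdShell" walked straight past the original filter. The
' vbTextCompare argument closes that bypass. The "onclick" attribute of the
' back-link also contained a mis-encoded character and did not work.
'
' NOTE(review): a substring blacklist is not a substitute for parameterized
' queries (ADODB.Command with typed parameters); it also rejects ordinary
' input such as "classic" (contains "asc") or "10:30" (contains ":"), and it
' only inspects Request.Form — cookies and headers are not checked here.
'==========================
function ForSqlForm()
    dim i, items
    dim nothis(18)
    nothis(0) = "net user"
    nothis(1) = "xp_cmdshell"
    nothis(2) = "/add"
    nothis(3) = "exec%20master.dbo.xp_cmdshell"   ' redundant with "%" below, kept for parity with ForSqlInjection
    nothis(4) = "net localgroup administrators"
    nothis(5) = "select"
    nothis(6) = "count"
    nothis(7) = "asc"
    nothis(8) = "char"
    nothis(9) = "mid"
    nothis(10) = "'"   ' NOTE(review): entries 10 and 12 are identical in this copy; one was presumably the double quote — confirm against the original file
    nothis(11) = ":"
    nothis(12) = "'"
    nothis(13) = "insert"
    nothis(14) = "delete"
    nothis(15) = "drop"
    nothis(16) = "truncate"
    nothis(17) = "from"
    nothis(18) = "%"
    'nothis(19) = "@"   ' deliberately absent: form fields such as e-mail addresses legitimately contain "@"

    ' Keyword-outer / field-inner order is kept so the reported keyword is the
    ' lowest-index match across all fields, exactly as before.
    for i = 0 to ubound(nothis)
        for each items in request.Form
            ' vbTextCompare = case-insensitive; the default binary compare let mixed-case keywords through
            if InStr(1, request.Form(items), nothis(i), vbTextCompare) > 0 then
                response.write "<div>"
                ' user input is reflected, so it must be HTML-encoded to avoid turning this page into an XSS sink
                response.write "你所填写的信息:" & server.HTMLEncode(request.Form(items)) & "<br>含非法字符:" & nothis(i)
                response.write "</div>"
                response.write "对不起,你所填写的信息含非法字符!<a href=""#"" onclick=""history.back()"">返回</a>"
                response.End
            end if
        next
    next
end function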
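'==========================
' Reject a request whose raw QUERY_STRING contains SQL / OS-command fragments.
'
' Reads Request.ServerVariables("QUERY_STRING") (still URL-encoded), scans it
' for every substring in nothis() and, on any hit, writes a message and calls
' Response.End. No return value.
'
' Fix: InStr defaults to a binary (case-sensitive) comparison, so "SELECT"
' or "Drop" bypassed the original filter; vbTextCompare closes that. The
' "onclick" attribute of the back-link contained a mis-encoded character.
'
' NOTE(review): because "%" is on the list, any percent-encoded character
' (spaces, non-ASCII text) is rejected, which makes entry 3 redundant and
' blocks legitimate encoded query strings. A blacklist is not a substitute
' for parameterized queries; it also misses "+"-encoded spaces and only
' covers the query string, not cookies, headers or the POST body.
'==========================
function ForSqlInjection()
    dim fqys, errc, i
    dim nothis(19)
    fqys = request.ServerVariables("QUERY_STRING")
    nothis(0) = "net user"
    nothis(1) = "xp_cmdshell"
    nothis(2) = "/add"
    nothis(3) = "exec%20master.dbo.xp_cmdshell"
    nothis(4) = "net localgroup administrators"
    nothis(5) = "select"
    nothis(6) = "count"
    nothis(7) = "asc"
    nothis(8) = "char"
    nothis(9) = "mid"
    nothis(10) = "'"   ' NOTE(review): entries 10 and 12 are identical in this copy; one was presumably the double quote — confirm against the original file
    nothis(11) = ":"
    nothis(12) = "'"
    nothis(13) = "insert"
    nothis(14) = "delete"
    nothis(15) = "drop"
    nothis(16) = "truncate"
    nothis(17) = "from"
    nothis(18) = "%"
    nothis(19) = "@"

    errc = false
    for i = 0 to ubound(nothis)
        ' vbTextCompare = case-insensitive; the default binary compare let mixed-case keywords through
        if InStr(1, fqys, nothis(i), vbTextCompare) > 0 then
            errc = true
            exit for   ' one hit is enough; the message does not name the keyword
        end if
    next
    if errc then
        response.write "查询信息含非法字符!<a href=""#"" onclick=""history.back()"">返回</a>"
        response.end
    end if
end function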