ASP有一个最省力的做法，供参考。
一般ASP的数据库连接是单独放在一个文件里的，在这个文件里加上对所有来自Form和QueryString的数据的过滤即可。
<%
' Scan every query-string and form value before any page logic runs.
' Both scans execute unconditionally (VBScript "Or" does not short-circuit);
' a hit in either one hands off to CheckError, which ends the response and
' therefore never returns here.
If (CheckAllQueryString() = 1) Or (CheckAllForm() = 1) Then CheckError
' Opens objDB - the ADODB.Connection object supplied by the caller - using
' the connection string stored in the Application variable "strConnString".
' The caller owns the object and is responsible for closing it.
Sub OpenDB(objDB)
    Dim connStr
    connStr = Application("strConnString")
    objDB.Open connStr
End Sub
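' Shared denylist test used by CheckAllQueryString and CheckAllForm.
' lowerValue: a request value that the caller has already passed through LCase.
' Returns 1 as soon as one of the listed SQL fragments is found, otherwise 0.
' NOTE: this is a substring denylist. It rejects only these literal fragments,
' produces false positives on ordinary text (e.g. "selected"), and is not a
' substitute for parameterised queries (ADO Command parameters / field
' assignment as in CheckError); keep it as a first-line filter only.
Private Function ContainsSqlFragment(ByVal lowerValue)
    Dim fragment
    ContainsSqlFragment = 0
    ' Plain keywords, plus " t_" which matches this application's own
    ' table-name prefix (see t_ErrPage in CheckError).
    For Each fragment In Array("update", "delete", "select", " t_")
        If InStr(1, lowerValue, fragment) > 0 Then
            ContainsSqlFragment = 1
            Exit Function
        End If
    Next
    ' " or " on its own is too common in free text; it is only flagged when
    ' "=" and ";" are present in the same value.
    If InStr(1, lowerValue, " or ") > 0 And InStr(1, lowerValue, "=") > 0 And InStr(1, lowerValue, ";") > 0 Then
        ContainsSqlFragment = 1
    End If
End Function

' Check whether any QueryString value contains dangerous code.
' Returns 1 if at least one non-empty query-string value matches the
' denylist in ContainsSqlFragment, otherwise 0. Empty values are skipped.
Function CheckAllQueryString()
    Dim key
    Dim value
    CheckAllQueryString = 0
    For Each key In Request.QueryString
        value = Request.QueryString(key)
        If value <> "" Then
            ' Lower-case once so the denylist comparison is case-insensitive.
            If ContainsSqlFragment(LCase(value)) = 1 Then
                CheckAllQueryString = 1
                Exit Function
            End If
        End If
    Next
End Function

' Check whether any Form value contains dangerous code.
' (The original comment said QueryString here by copy-paste; this function
' scans Request.Form.) Returns 1 if at least one non-empty form value
' matches the denylist in ContainsSqlFragment, otherwise 0.
Function CheckAllForm()
    Dim key
    Dim value
    CheckAllForm = 0
    For Each key In Request.Form
        value = Request.Form(key)
        If value <> "" Then
            ' Lower-case once so the denylist comparison is case-insensitive.
            If ContainsSqlFragment(LCase(value)) = 1 Then
                CheckAllForm = 1
                Exit Function
            End If
        End If
    Next
End Function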
' Rejects the current request: emits a generic error message, records the
' request in t_ErrPage for later review, then stops the response.
' Because it ends with Response.End, control never returns to the caller.
Sub CheckError()
    Dim conn
    Dim rs
    Response.Write "页面访问错误,请与管理员取得联系!"
    Set conn = Server.CreateObject("Adodb.Connection")
    Set rs = Server.CreateObject("Adodb.RecordSet")
    Call OpenDB(conn)
    ' CursorType 2 / LockType 2 = dynamic cursor, pessimistic locking.
    ' "Top 1" keeps the fetch small; the recordset exists only to AddNew.
    rs.Open "Select Top 1 * From t_ErrPage", conn, 2, 2
    With rs
        .AddNew
        ' Values go in through recordset fields, so the suspicious query
        ' string is stored without ever being concatenated into SQL text.
        .Fields("AccountID") = Session("AccountID")
        .Fields("ErrPage") = Request.ServerVariables("URL")
        .Fields("Request") = Request.ServerVariables("QUERY_STRING")
        ' NOTE(review): REMOTE_ADDR is the direct TCP peer; behind a reverse
        ' proxy or load balancer this records the proxy address - confirm.
        .Fields("IP") = Request.ServerVariables("REMOTE_ADDR")
        .Update
        .Close
    End With
    Set rs = Nothing
    conn.Close
    Set conn = Nothing
    Response.End
End Sub
ASP防止SQL注入的问题