<%
'为了系统的安全,直接在有数据库连接的地方都加上SQL注入的免疫
'自定义需要过滤的字串,用 "|" 分隔
Fy_In = "'| ; | exec | insert | select | delete | update | count | % |chr(| char(| master | truncate | declare "
'----------------------------------
Fy_Inf = split(Fy_In,"|")
If Request.QueryString()<>"" Then
For Each Fy_Get In Request.QueryString()
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.QueryString(Fy_Get)),trim(Fy_Inf(Fy_Xh)))<>0 Then
'--------写入数据库----------头-----
conn.Execute("insert into job_errlog(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','GET','"&Fy_Get&"','"&replace(Request.QueryString(Fy_Get),"'","''")&"')")
'--------写入数据库----------尾-----
End If
Next
Next
End If
dim sql_injdata,sql_inj,sql_get,sql_data
SQL_injdata = "'"
SQL_inj = split(SQL_Injdata,"|")
'防止Get方法注入
If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=javascript>alert('请不要在参数中包含非法字符尝试注入');history.back(-1)</Script>"
Response.end
end if
next
Next
End If
'防止Post方法注入
If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=javascript>alert('请不要在参数中包含非法字符尝试注入!');history.back(-1)</Script>"
Response.end
end if
next
next
end if
%>