<%
'----------------------------------------------------------------------
'转发时请保留此声明信息,这段声明并不会影响你的速度!
'******************* 尘封防SQL注入 V1.0 ********************************
'作者:尘封 QQ:275171
'电子邮件:275171@qq.com
'网站:http://www.1715.cn http://www.77do.com
'QQ群:13683242(ASP爱好者群)
'此程序测试地址:http://www.77do.com/sql/index.asp
'声明:在做此防SQL之前,我个人都是使用网上那些的防SQL注入,因为那些防SQL有个共同点,就是屏蔽某一SQL语句需要的关键字,前些时间我接了一个国外的程序外包,因此程序的使用者都是些国外用户,如果使用网上那些SQL注入的话,屏蔽:'|select|update|chr|char等等 字符或单词,给国外用户带了非常大的不便,如 I'm等就无法输入。因此开发了此防SQL注入。可能程序还不够完善,希望大家多提提意见,一起来完善此程序。
'使用说明:在数据库连接页(如:conn.asp)或你要防注入的页头内包含此文件即可。<!--@include file="CF_Sql.asp"-->(将@改为#)
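' Keyword blacklist filter applied to every Request.Form / Request.QueryString value.
' NOTE(review): a blacklist is a last line of defence, not a substitute for
' parameterized queries (ADODB.Command with Parameters) in the pages that talk
' to the database. It also yields false positives on ordinary text that happens
' to contain two listed words (e.g. "updated the settings"), and it only scans
' form and query-string input: Request.Cookies and other inputs are not covered.
' CFSql_Sqlchrs was used without being declared; it is now in the Dim list so the
' file also works under Option Explicit.
Dim CFSql_i,CFSql_Sqlchr,CFSql_Sqlchrs,CFSql_ChrContent
CFSql_Sqlchr = "select*|and'|or'|insertinto|deletefrom|altertable|update|createtable|createview|dropview|createindex|dropindex|createprocedure|dropprocedure|createtrigger|droptrigger|createschema|dropschema|createdomain|alterdomain|dropdomain|);|select@|declare@|print@|char(|select"
CFSql_Sqlchrs = split(CFSql_Sqlchr,"|")
'======================================================
' Shared scanner for one request collection (POST and GET used to carry two
' identical copies of this loop). Each value is lower-cased and stripped of
' spaces once, then compared with every blacklist entry. "select" and "update"
' only count together with a second keyword ("from" / "set") so the bare words
' remain usable in normal text. A hit calls CFSql_PromptTitle, which ends the
' response, so the first match terminates the page.
'======================================================
Sub CFSql_CheckCollection(CFSql_Coll)
    Dim CFSql_Key,CFSql_Idx,CFSql_Value
    For Each CFSql_Key In CFSql_Coll
        ' Normalise once per value instead of once per pattern.
        CFSql_Value = LCase(Replace(CFSql_Coll(CFSql_Key)," ",""))
        For CFSql_Idx = 0 To UBound(CFSql_Sqlchrs)
            Select Case CFSql_Sqlchrs(CFSql_Idx)
                Case "select"
                    ' Bare "select" is allowed; "select ... from" is not.
                    If InStr(CFSql_Value,"select")>0 And InStr(CFSql_Value,"from")>0 Then
                        Call CFSql_PromptTitle()
                    End If
                Case "update"
                    ' Bare "update" is allowed; "update ... set" is not.
                    If InStr(CFSql_Value,"update")>0 And InStr(CFSql_Value,"set")>0 Then
                        Call CFSql_PromptTitle()
                    End If
                Case Else
                    If InStr(CFSql_Value,CFSql_Sqlchrs(CFSql_Idx))>0 Then
                        Call CFSql_PromptTitle()
                    End If
            End Select
        Next
    Next
End Sub
'======================================================
' POST handling
'======================================================
If Request.Form<>"" Then
    Call CFSql_CheckCollection(Request.Form)
End If
'======================================================
' GET handling
'======================================================
If Request.QueryString<>"" Then
    Call CFSql_CheckCollection(Request.QueryString)
End If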
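' Rejects the request: shows an alert, sends the browser back one page and
' ends the response so nothing after the include is executed.
' The alert text contains no request data, so echoing it is safe.
' Fix: the line breaks were written as "/n", which JavaScript prints literally;
' VBScript strings have no escapes, so "\n" reaches the script untouched and
' is interpreted there as a newline.
Sub CFSql_PromptTitle()
    Response.Write "<Script Language=JavaScript>alert('SQL通用防注入系统提示你↓\n\n请不要在参数中包含非法字符尝试注入!\n\nhttp://www.1715.cn\n\nhttp://www.77do.com \n\n系统版本:V1.0(ASP)版 By:尘封');</Script>"
    Response.Write "<script LANGUAGE='javascript'>history.go(-1);</script>"
    ' Stop the page here; the prompt is the whole response.
    Response.End()
End Sub%>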
另存为:CF_Sql.asp文件就可以了