建立一个名称为“SqlIn”的access数据库。
在数据库中建立一个名称为“SqlIn”的表,表结构如下
SqlIn_ID(自动编号)
SqlIn_IP(注入ip记录)
SqlIn_WEB(注入的web)
SqlIn_TIME(注入时间)
SqlIn_FS(数据传送方式)
SqlIn_CS(提交内容)
SqlIn_SJ(注入字符)
建立一个名为SqlIn.asp的网页,在其他asp网页中引用该网页,就可以达到防止sql注入的目的。
将下面的语句放在需要保护的asp网页的最开始:
<!--#include file="相对路径/sqlin.asp"-->
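<% '-------- Definitions ------------------
' SqlIn.asp -- request filter, included at the top of every page.
' Scans each POST field and each query-string parameter for the strings
' listed in wy_in. On the first match it records the attempt in the SqlIn
' table, shows a notice to the client and ends the response.
' NOTE(review): this is a substring blacklist. It detects and logs suspicious
' input but is not a substitute for parameterised queries in the calling
' pages, and ordinary text containing "and", "mid", "char" etc. will be
' rejected as a false positive.
Dim wy_conn,wy_connstr,wy_in,wy_inf,wy_Post,wy_xh,wy_Get,wy_val
' Custom list of strings to filter, separated by "@".
' Bug fix: the original assignment closed the string literal right after
' "declare", so the rest of the line was a comment and only ', * and declare
' were ever checked.
wy_in = "'@*@declare@and@exec@insert@select@delete@update@count@chr@mid@master@truncate@char"
wy_inf = split(wy_in,"@")
' Log database. NOTE(review): /sqlin/sqlin.mdb is resolved under the web root;
' make sure the server does not serve .mdb files, or move the file outside the site.
wy_connstr="Data Source="&server.MapPath("/sqlin/sqlin.mdb")&";Provider=Microsoft.Jet.OLEDB.4.0;"
' ADO constants, prefixed so they do not clash with adovbs.inc if a page includes it.
Const wy_adVarChar = 200
Const wy_adParamInput = 1
' Longest value written to one log column.
Const wy_LogFieldLen = 255

' Returns True when wy_text contains any of the filter strings (case-insensitive).
' Empty filter entries (e.g. from a trailing "@") are skipped: Instr with an
' empty needle matches at position 1 and would block every request.
Function wy_Matches(wy_text)
    Dim wy_lower, wy_i
    wy_Matches = False
    wy_lower = LCase("" & wy_text)
    For wy_i = 0 To Ubound(wy_inf)
        If Len(wy_inf(wy_i)) > 0 Then
            If Instr(wy_lower, LCase(wy_inf(wy_i))) <> 0 Then
                wy_Matches = True
                Exit Function
            End If
        End If
    Next
End Function

' Appends one bound input parameter to wy_cmd. The value is cut to
' wy_LogFieldLen characters; the log columns are assumed to be Text(255) -- TODO confirm
' against the table definition.
Sub wy_AddLogParam(wy_cmd, wy_pname, wy_text)
    wy_cmd.Parameters.Append wy_cmd.CreateParameter(wy_pname, wy_adVarChar, wy_adParamInput, wy_LogFieldLen, Left("" & wy_text, wy_LogFieldLen))
End Sub

' Records the blocked request in the SqlIn table, reports it to the client
' and ends the response.
'   wy_method - "POST" or "GET"
'   wy_name   - name of the offending form field or query parameter
'   wy_value  - the submitted value that matched the filter
Sub wy_BlockRequest(wy_method, wy_name, wy_value)
    Dim wy_ip, wy_url, wy_cmd
    wy_ip = Request.ServerVariables("REMOTE_ADDR")
    wy_url = Request.ServerVariables("URL")
    ' The connection is only opened when something has to be logged, instead
    ' of on every request as before.
    set wy_conn=server.CreateObject("adodb.connection")
    wy_conn.open wy_connstr
    ' The insert is parameterised: the original concatenated the field name,
    ' URL and client address into the SQL without escaping, so the logging
    ' statement itself could be injected. Every value is bound through ADO.
    Set wy_cmd = Server.CreateObject("ADODB.Command")
    Set wy_cmd.ActiveConnection = wy_conn
    wy_cmd.CommandText = "insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values(?,?,?,?,?)"
    wy_AddLogParam wy_cmd, "ip", wy_ip
    wy_AddLogParam wy_cmd, "web", wy_url
    wy_AddLogParam wy_cmd, "fs", wy_method
    wy_AddLogParam wy_cmd, "cs", wy_name
    wy_AddLogParam wy_cmd, "sj", wy_value
    wy_cmd.Execute
    Set wy_cmd = Nothing
    wy_conn.close
    Set wy_conn = Nothing
    ' Everything echoed back is HTML-encoded; the original wrote the parameter
    ' name, value and URL raw, which reflected attacker-controlled markup.
    response.Write(" 参数中包含非法字符<br>" & _
        "操作IP:" & Server.HTMLEncode(wy_ip) & "<br>" & _
        "操作时间:" & Now & "<br> " & _
        "操作页面:" & Server.HTMLEncode(wy_url) & "<br> " & _
        "提交方式:" & wy_method & "<br>" & _
        "提交参数:" & Server.HTMLEncode(wy_name) & "<br>" & _
        "提交数据:" & Server.HTMLEncode("" & wy_value) & "<br>" & _
        "<a href=""javascript:history.go(-1)"">返回</a>")
    response.End()
End Sub

'-------- POST part ------------------
If Request.Form<>"" Then
    For Each wy_Post In Request.Form
        wy_val = "" & Request.Form(wy_Post)
        If wy_Matches(wy_val) Then wy_BlockRequest "POST", wy_Post, wy_val
    Next
End If
'-------- GET part -------------
' Bug fix: the original GET branch displayed Request.Form(wy_Get) instead of
' the query-string value, so the "submitted data" line was wrong for GET.
If Request.QueryString<>"" Then
    For Each wy_Get In Request.QueryString
        wy_val = "" & Request.QueryString(wy_Get)
        If wy_Matches(wy_val) Then wy_BlockRequest "GET", wy_Get, wy_val
    Next
End If
%>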