这个函数的思路比较全面：先对字符串做关键字检查，再过滤特殊字符。不过要注意，关键字检查是在过滤之前做的，像 "sel ect" 这样的输入能先通过检查，再在去空格时被拼成 "select"，所以这种黑名单过滤本身并不可靠，只能作为纵深防御的一层。我认为最好的防御还是使用参数化查询；对数字型参数则先用 IsNumeric 校验、再用 CLng 转换类型后传入，而不是把原始字符串拼进 SQL。
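' Blacklist-style SQL-injection filter for a request parameter.
'
' Parameters:
'   Str - the raw parameter value (expected to be a string).
' Returns:
'   Str with the filtered characters (_ * space " ' [ ] % : ; + { }) removed.
'   If a blacklisted keyword is found, the error is reported through Qcdn.Err_List,
'   Response.End is called and the function does not return normally.
'
' Fix: the original ran the keyword check only on the raw input and stripped the
' characters afterwards, so an input such as "sel ect" or "xp cmd_shell" passed the
' check and was then reassembled into "select" / "xpcmdshell" by the stripping. The
' stripped result is now checked as well, against the keywords stripped the same way.
'
' NOTE(review): a substring blacklist is not a substitute for parameterized queries
' (or CLng()/IsNumeric() on numeric ids); keep this only as defense in depth.
Function sqlcheck(Str)
    Dim Cleaned
    Cleaned = sqlcheck_Strip(Str)
    ' Check the raw value (original behaviour) and the cleaned value (closes the
    ' "sel ect" -> "select" reassembly gap).
    If sqlcheck_HasBlockedKeyword(Str, False) Or sqlcheck_HasBlockedKeyword(Cleaned, True) Then
        Call Qcdn.Err_List("请不要在参数中包含非法字符尝试注入!", 1)
        Response.End
        Exit Function
    End If
    ' Return the value with the filtered characters removed.
    sqlcheck = Cleaned
End Function

' Keywords that reject the input when found (case-insensitive substring match).
' NOTE(review): "and" and "or" are matched as bare substrings, so ordinary words such
' as "order", "android" or "more" are rejected too; kept unchanged because callers
' may rely on the existing rejection behaviour.
Function sqlcheck_Patterns()
    sqlcheck_Patterns = Array("select", "insert", "delete", "delete from", "count(", _
        "drop table", "update", "truncate", "asc(", "mid(", "char(", "xp_cmdshell", _
        "exec master", "net localgroup administrators", "and", "net user", "or")
End Function

' Removes every character the filter strips: _ * space " ' [ ] % : ; + { }
' Replace() uses binary comparison here, exactly as the original per-character calls did.
Function sqlcheck_Strip(Text)
    Dim Result, Ch
    Result = Text
    For Each Ch In Array("_", "*", " ", Chr(34), Chr(39), Chr(91), Chr(93), _
                         Chr(37), Chr(58), Chr(59), Chr(43), "{", "}")
        Result = Replace(Result, Ch, "")
    Next
    sqlcheck_Strip = Result
End Function

' Returns True when LCase(Text) contains any keyword from sqlcheck_Patterns().
' When Stripped is True each keyword is passed through sqlcheck_Strip first, so text
' that has already had spaces/underscores removed is compared against e.g.
' "droptable" or "xpcmdshell" instead of "drop table" / "xp_cmdshell".
Function sqlcheck_HasBlockedKeyword(Text, Stripped)
    Dim Lower, Keywords, Keyword, Needle
    Lower = LCase(Text)
    Keywords = sqlcheck_Patterns()
    sqlcheck_HasBlockedKeyword = False
    For Each Keyword In Keywords
        Needle = Keyword
        If Stripped Then Needle = sqlcheck_Strip(Keyword)
        If InStr(Lower, Needle) > 0 Then
            sqlcheck_HasBlockedKeyword = True
            Exit Function
        End If
    Next
End Function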