几种过滤URL和FORM中非法字符的方法

ASP

过滤URL和FORM中非法字符

第一种：

< %
' 检查URL输入 限制非法字符
url = LCase (request.querystring())
ip = request.ServerVariables( " REMOTE_ADDR " )
pos1 = instr (url, " % " )
pos2 = instr (url, " ' " )
pos3 = instr (url, " ; " )
pos4 = instr (url, " where " )
pos5 = instr (url, " select " )
pos6 = instr (url, " chr " )
pos7 = instr (url, " / " )
pos8 = Instr (url, " and " )
if  pos1 <> 0   or  pos2 <> 0   or  pos3 <> 0   or  pos4 <> 0   or  pos5 <> 0   or  pos6 <> 0   or  pos7 <> 0   or   pos8 <> 0   then
response.Write  " 你尝试使用危险字符,系统已经对此做了记录如下<Br>您的IP: " & ip & " <br>操作时间: " & date () & ""
response.End()
end   if

' 检查表单输入，限制非法字符
' 使用request.QueryString来索引request的所有资料,作为SQL检查之用
' 如出现非法字符则自动停止输出
for  i_request  =   1   to  request.form.Count
if   instr (request.form(i_request), " ' " ) <> 0   or   instr (request.form(i_request), " ; " ) <> 0   then
Response.Write  " <script language='javascript'>history.back(); alert('你尝试使用危险字符,系统已经对此做了记录如下您的IP: " & ip & " 操作时间: " & date () & " ');</script> "
response.End()
end   if
next

% >

 

第二种：

 

< %
On   Error   Resume   Next

dim  sql_injdata,sql_inj,sql_get,sql_data
SQL_injdata = " '|ox "
SQL_inj  =   split (SQL_Injdata, " | " )
' 定义过滤字符，可以自己添加，以|分隔
' "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
' 对post方式过滤
If  Request.Form <> ""   Then
For   Each  Sql_Post In Request.Form
For  SQL_Data = 0   To   Ubound (SQL_inj)
if   instr (Request.Form(Sql_Post),Sql_Inj(Sql_DATA)) > 0   Then
Response.redirect  " ss "   ' 出错时转向页面
Response.end
end   if
next
next
end   if

' 对GET方式过滤
If  Request.QueryString <> ""   Then
For   Each  SQL_Get In Request.QueryString
For  SQL_Data = 0   To   Ubound (SQL_inj)
if   instr (Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA)) > 0   Then
Response.redirect  " ss "   ' 出错时转向页面
Response.end
end   if
next
Next
End   If

% >

第三种：

 

function  checkstr(str)  ' 过滤非法字符函数
dim  tempstr
if  str = ""   then   exit   function
tempstr = replace (str, chr ( 34 ), "" )  '  "
tempstr = replace (tempstr, chr ( 39 ), "" )  '  '
tempstr = replace (tempstr, chr ( 60 ), "" )  '  <
tempstr = replace (tempstr, chr ( 62 ), "" )  '  >
tempstr = replace (tempstr, chr ( 37 ), "" )  '  %
tempstr = replace (tempstr, chr ( 38 ), "" )  '  &
tempstr = replace (tempstr, chr ( 40 ), "" )  '  (
tempstr = replace (tempstr, chr ( 41 ), "" )  '  )
tempstr = replace (tempstr, chr ( 59 ), "" )  '  ;
tempstr = replace (tempstr, chr ( 43 ), "" )  '  +
tempstr = replace (tempstr, chr ( 45 ), "" )  '  -
tempstr = replace (tempstr, chr ( 91 ), "" )  '  [
tempstr = replace (tempstr, chr ( 93 ), "" )  '  ]
tempstr = replace (tempstr, chr ( 123 ), "" )  '  {
tempstr = replace (tempstr, chr ( 125 ), "" )  '  }
checkstr = tempstr
end function

 第四种：

 

' ================================================
' 函数名：IsValidStr
' 作 用：判断字符串中是否含有非法字符
' 参 数：str ----原字符串
' 返回值：False‚True -----布尔值
' ================================================
Public   Function  IsValidStr(ByVal str)
IsValidStr  =   False
On   Error   Resume   Next
If   IsNull (str)  Then   Exit   Function
If   Trim (str)  =   Empty   Then   Exit   Function
Dim  ForbidStr‚ i
ForbidStr  =   " and|chr|:|=|%|&|$|#|@|+|-|*|/|/|<|>|;|‚|^| "   &   Chr ( 32 )  &   " | "   &   Chr ( 34 )  &   " | "   &   Chr ( 39 )  &   " | "   &   Chr ( 9 )
ForbidStr  =   Split (ForbidStr‚  " | " )
For  i  =   0   To   UBound (ForbidStr)
If   InStr ( 1 ‚str‚ ForbidStr(i)‚ 1 )  >   0   Then
IsValidStr  =   False
Exit   Function
End   If
Next
IsValidStr  =   True
End Function

 

ASP.NET

 

public  boolean checkParameter(String para)  // 过滤非法字符
     ... {
        int flag = 0;
        flag += para.indexOf("'") + 1;
        flag += para.indexOf(";") + 1;
        flag += para.indexOf("1=1") + 1;
        flag += para.indexOf("|") + 1;
        flag += para.indexOf("<") + 1;
        flag += para.indexOf(">") + 1;
        if (flag != 0)
        ...{
            System.out.println("提交了非法字符!!!");
            return false;
        }
        return true;
    }