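' SafeRequest: reads one request parameter and applies the minimal sanitising
' this page relies on before the value is concatenated into SQL text.
' --- parameters ---
' ParaName: parameter name (string)
' ParaType: parameter type (number): 1 = the value must be numeric,
'           any other value = the value is treated as a string
' Returns: the request value. For ParaType = 1 it is returned unchanged after
'          the IsNumeric check; otherwise every single quote is doubled.
'          When the numeric check fails a message is written and the response
'          is ended, so nothing is returned to the caller.
'
' NOTE(review): quote doubling only protects a value placed inside a quoted
' SQL string literal; a value concatenated unquoted (numbers, ORDER BY /
' column names) is not covered by it. IsNumeric accepts more than plain
' integers (e.g. exponent notation such as "1e3"), so convert with CLng/CDbl
' where an integer is actually required. Binding values through
' ADODB.Command parameters remains the reliable fix; this helper is only a
' mitigation for existing string-built SQL.
'
' Fixes relative to the page's original: the Function header was split over
' two lines (a syntax error), the orphan duplicate of the body (a second
' "End function" with no "Function") is removed, and the Replace arguments
' were " ' " / " '' " (quote padded with spaces), which never match a lone
' quote, so quotes were not escaped at all.
Function SafeRequest(ParaName, ParaType)
    Dim ParaValue
    ' Request(name) without a collection searches the request collections
    ' (QueryString, Form, Cookies, ...) in order; name the collection
    ' explicitly when it matters where the value comes from.
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        If Not IsNumeric(ParaValue) Then
            ' Stop the page rather than return a value that would end up
            ' unquoted in SQL. ParaName is developer-supplied, not user input.
            Response.Write " 参数 " & ParaName & " 必须为数字型! "
            Response.End
        End If
    Else
        ' Double every single quote so the value cannot close a SQL string
        ' literal.
        ParaValue = Replace(ParaValue, "'", "''")
    End If
    SafeRequest = ParaValue
End Function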
用SafeRequest(ParaName,ParaType)代替request.form("")和request.querystring("")
*********************************************************************************************************
-------------------------------------------------------------------------------------------------------------------------------------------
*********************************************************************************************************
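<%
' Request-wide SQL-injection keyword filter.
' Every QueryString and Form value is lower-cased and searched for each token
' of sql_injdata; on the first hit a JavaScript alert is written, the browser
' is sent back one page and the response is ended.
'
' NOTE(review): this is a substring blacklist and cannot make string-built SQL
' safe on its own -- any value that reaches SQL text still has to be quoted
' and escaped or, better, bound through an ADODB.Command parameter. It also
' rejects legitimate input that merely contains a token ("brand" contains
' "and"; "update" in a free-text field). Treat it as defence in depth only.
' Cookies are not inspected.
'
' Fixes relative to the page's original: the whole block appeared twice (the
' second copy re-declared sql_injdata with Dim, a "Name redefined" error);
' the delimiter passed to Split was " | " (padded with spaces), which never
' matches "|", so the token list was one single token and nothing was ever
' flagged; the placeholder " @sql_injHint@ " likewise never matched the
' placeholder inside the alert text; the quote token was "escaped" by
' replacing ' with ' (a no-op) although it is inserted into a single-quoted
' JavaScript string; and the Form check iterated Request.QueryString, so form
' fields were only examined when a query-string parameter of the same name
' existed.
Dim sql_injdata

' Tokens are separated by "|" with no surrounding whitespace.
sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
sql_inj = Split(sql_injdata, "|")

' Human-readable token list for the alert. It lands inside a single-quoted
' JavaScript string literal, so the quote token has to be written as \'.
sql_injHint = Replace(sql_injdata, "|", " ")
sql_injHint = Replace(sql_injHint, "'", "\'")

' Blocks the request with an alert and history.back(). Only the constant
' sql_injHint is reflected into the page -- never the offending value or the
' parameter name -- so the emitted script contains no user-controlled text.
Sub RejectRequest()
    Dim hint
    hint = " alert('为了保证用户的信息安全,请不要使用非法注入字符。如下字符为非法的: @sql_injHint@'); "
    hint = Replace(hint, "@sql_injHint@", sql_injHint)
    Response.Write " <script language=javascript> "
    Response.Write hint
    Response.Write " history.back() "
    Response.Write " </script> "
    Response.End
End Sub

' Scans every item of one request collection (QueryString or Form) for a
' token. The collection returns all values of a multi-valued parameter joined
' together, so every value of a name is checked in one pass.
Sub CheckCollection(col)
    Dim getData, i
    For Each getData In col
        For i = 0 To UBound(sql_inj)
            If InStr(LCase(col(getData)), sql_inj(i)) > 0 Then
                RejectRequest
            End If
        Next
    Next
End Sub

If Request.QueryString <> "" Then CheckCollection Request.QueryString
If Request.Form <> "" Then CheckCollection Request.Form
%>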