'*************************=
'過濾提交表單中的sql
'*************************=
function forsqlform()
dim fqys,errc,i,items
dim nothis(18)
nothis(0)="net user"
nothis(1)="xp_cmdshell"
nothis(2)="/add"
nothis(3)="exec%20master.dbo.xp_cmdshell"
nothis(4)="net localgroup administrators"
nothis(5)="select"
nothis(6)="count"
nothis(7)="asc"
nothis(8)="char"
nothis(9)="mid"
nothis(10)="'"
nothis(11)=":"
nothis(12)=""""
nothis(13)="insert"
nothis(14)="delete"
nothis(15)="drop"
nothis(16)="truncate"
nothis(17)="from"
nothis(18)="%"
'nothis(19)="@"
errc=false
for i= 0 to ubound(nothis)
for each items in request.form
if instr(request.form(items),nothis(i))<>0 then
response.write("")
response.write("你所填寫的資訊:" & server.htmlencode(request.form(items)) & "
含非法字元:" & nothis(i))
response.write("
")response.write("對不起,你所填寫的資訊含非法字元!返回")
response.end()
end if
next
next
end function
'*************************=
'過濾查詢中的sql
'*************************=
function forsqlinjection()
dim fqys,errc,i
dim nothis(19)
fqys = request.servervariables("query_string")
nothis(0)="net user"
nothis(1)="xp_cmdshell"
nothis(2)="/add"
nothis(3)="exec%20master.dbo.xp_cmdshell"
nothis(4)="net localgroup administrators"
nothis(5)="select"
nothis(6)="count"
nothis(7)="asc"
nothis(8)="char"
nothis(9)="mid"
nothis(10)="'"
nothis(11)=":"
nothis(12)=""""
nothis(13)="insert"
nothis(14)="delete"
nothis(15)="drop"
nothis(16)="truncate"
nothis(17)="from"
nothis(18)="%"
nothis(19)="@"
errc=false
for i= 0 to ubound(nothis)
if instr(fqys,nothis(i))<>0 then
errc=true
end if
next
if errc then
response.write "查詢資訊含非法字元!返回"
response.end
end if
end function
ASP上兩個防止SQL注入式攻擊Function
function forsqlform dim fqys,errc,i,items dim nothis 18 nothis 0 net user nothis 1 xp cmdshell nothis 2 add nothis 3 exec 20master.dbo.xp cmdshell not...
ASP上兩個防止SQL注入式攻擊Function
過濾提交表單中的sql function forsqlform dim fqys,errc,i,items dim nothis 18 nothis 0 net user nothis 1 xp cmdshell nothis 2 add nothis 3 exec 20master.dbo.xp ...
sql注入的兩個小技巧
在xfocus看了一篇文章 update注射 mysql php 的兩個模式http xfocus.net articles 200508 815.html 分析一下他所說的兩個模式 假設有表userinfo 該錶有三個字段 使用者名稱username 使用者密碼pass 使用者許可權groupid...