
<%
' 该文档能够包含在任何需要调用数据库的asp文档头部,直接过滤掉非法注入
' 调用方法为:
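' safe(str): character denylist applied to a value before it is placed in a
' SQL statement. Returns True when str contains none of the characters in
' s_badstr, False as soon as one is found. Null or Empty input is reported as
' safe (InStr on Null never produces a hit, so this only makes that explicit).
' NOTE(review): the single quote (chr(39)) is not on this list, so a value that
' passes safe() can still break out of a quoted SQL literal; callers must still
' escape it or, better, use ADODB.Command parameters instead of string-built SQL.
function safe(str)
    dim s_badstr, n, i
    ' chr(34) is the double quote, chr(9) a tab, chr(32) a space (already
    ' present as the leading character; kept for the original author's intent).
    s_badstr = " &<>?%,;:()`~!@#$^*{}[]|\/+-=" & chr(34) & chr(9) & chr(32)
    safe = true
    ' Nothing to scan: Null/Empty cannot contain a denied character.
    if isnull(str) or isempty(str) then exit function
    n = len(s_badstr)
    for i = 1 to n
        if instr(str, mid(s_badstr, i, 1)) > 0 then
            safe = false
            exit function
        end if
    next
end function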
' 以下代码直接判断发生请求的url是否包含非法字符
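' Rebuild the requested URL (scheme, host, port, path, query) and screen it for
' URL-encoded SQL keywords. This is a coarse check: the query string is matched
' as received after lcase, so only the literal "%20" encoding of a space is seen.
' NOTE(review): On Error Resume Next stays in effect for the rest of the page,
' so any later error (including database errors) is silently ignored.
on error resume next
dim strtemp, s_urlbad, s_urlsz, i_url
if lcase(request.servervariables("https")) = "off" then
    strtemp = "http://"
else
    strtemp = "https://"
end if
strtemp = strtemp & request.servervariables("server_name")
' The port is appended whenever it is not 80, so HTTPS on 443 also gets ":443".
' Harmless here: the string is only inspected, never emitted to the client.
if request.servervariables("server_port") <> 80 then strtemp = strtemp & ":" & request.servervariables("server_port")
strtemp = strtemp & request.servervariables("url")
if trim(request.querystring) <> "" then strtemp = strtemp & "?" & trim(request.querystring)
strtemp = lcase(strtemp)
' Patterns as they appear in an encoded, lower-cased query string.
' An empty pattern must never be on this list: InStr(s, "") returns 1, which
' would flag every request. "%20or" also matches ordinary words ("%20order",
' "%20origin"), so expect false positives on that entry.
s_urlbad = "select%20|insert%20|delete%20from|count(|drop%20table|update%20|truncate%20|asc(|mid(|char(|xp_cmdshell|exec%20master|net%20localgroup%20administrators|db_name(|net%20user|%20or|backup%20"
s_urlsz = split(s_urlbad, "|")
for i_url = 0 to ubound(s_urlsz)
    if instr(strtemp, s_urlsz(i_url)) > 0 then
        ' The reaction is empty in this copy; presumably the original aborted
        ' the request here — confirm against the deployed page.
        response.write ""
        exit for
    end if
next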
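' Screen every posted form field against a keyword denylist.
' Request.Form values are already URL-decoded, so the patterns are written as
' plain text (a space, not "%20"), and the match is case-insensitive so that
' "SELECT" is caught as well as "select". No word-boundary check is made:
' "and" also matches "band", "from" matches "fromage", so free-text fields
' will produce false positives.
' NOTE(review): a keyword denylist does not make string-built SQL safe; the
' statements themselves should use ADODB.Command parameters.
dim s_badstr, s_sz, i, s_val
' No leading "|": Split would yield an empty first pattern, and
' InStr(value, "") returns 1, so every field would be flagged.
s_badstr = "and|select|update|chr|delete|from|;|insert|mid|master.|truncate|db_name|xp_cmdshell|exec master|net localgroup administrators|drop|table|db_name(|exec"
s_sz = split(s_badstr, "|")
for each name in request.form
    s_val = request.form(name)
    for i = 0 to ubound(s_sz)
        if instr(1, s_val, s_sz(i), vbTextCompare) > 0 then
            ' The reaction is empty in this copy; presumably the original aborted
            ' the request here — confirm against the deployed page.
            response.write ""
            exit for
        end if
    next
next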
%>