当前位置:首页 > 网站 > 正文内容

asp防sql注入代码

蓝飞鱼6个月前 (11-23)网站228
'Asp防注入代码 
Dim SQL_injdata,SQL_inj,SQL_Get,SQL_Data,Sql_Post
SQL_injdata =lcase(":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'")
SQL_injdata =SQL_injdata&lcase("|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|script")
SQL_inj = split(SQL_Injdata,"|")
if Request.QueryString<>"" then
    For Each SQL_Get In Request.QueryString
        For SQL_Data=0 To Ubound(SQL_inj)
            if not IsNumeric(Request.QueryString(SQL_Get)) then
                if instr(lcase(Request.QueryString(SQL_Get)),Sql_Inj(Sql_DATA))>0 Then
                    Response.Write "对不起,非法URL地址请求!!"
                    Response.end
                end if
            end if
        next
    next
end if
if Request.Form<>"" then
    For Each Sql_Post In Request.Form
        For SQL_Data=0 To Ubound(SQL_inj)
            if instr(lcase(Request.Form(Sql_Post)),Sql_Inj(Sql_DATA))>0 Then
                Response.Write "对不起,非法数据提交!"
                Response.end
            end if
        next
    next
end if
'if Request.Cookies<>"" then
'    For Each Sql_Post In Request.Cookies
'        For SQL_Data=0 To Ubound(SQL_inj)
'            if instr(lcase(Request.Cookies(Sql_Post)),Sql_Inj(Sql_DATA))>0 Then
'                Response.Write "对不起,非法URL地址请求!"
'                Response.end
'            end if
'        next
'    next
'end if
'post过滤sql注入代防范及HTML防护开始
function nosql(str)
    if not isnull(str) then
        str=trim(str)
        str=replace(str,";","&#59;") '分号
        str=replace(str,"'","&#39;") '单引号
        str=replace(str,"""","&quot;") '双引号
        str=replace(str,"chr(9)","&nbsp;") '空格
        str=replace(str,"chr(10)","<br>") '回车
        str=replace(str,"chr(13)","<br>") '回车
        str=replace(str,"chr(32)","&nbsp;") '空格
        str=replace(str,"chr(34)","&quot;") '双引号
        str=replace(str,"chr(39)","&#39;") '单引号
        str=Replace(str, "script", "&#115cript")'jscript
        str=replace(str,"<","&lt;") '左<
        str=replace(str,">","&gt;") '右>
        str=replace(str,"(","&#40;") '左(
        str=replace(str,")","&#41;") '右)
        str=replace(str,"--","&#45;&#45;") 'SQL注释符
        str=replace(str,"net user","")
        str=replace(str,"xp_cmdshell","")
        str=replace(str,"/add","")
        str=replace(str,"exec%20master.dbo.xp_cmdshell","")
        str=replace(str,"net localgroup administrators","")
        str=replace(str,"select","")
        str=replace(str,"count","")
        str=replace(str,"asc","")
        str=replace(str,"char","")
        str=replace(str,"mid","")
        str=replace(str,":","")
        str=replace(str,"insert","")
        str=replace(str,"delete","")
        str=replace(str,"drop","")
        str=replace(str,"truncate","")
        str=replace(str,"from","")
        str=replace(str,"%","")
        nosql=str
    end if
end function

最近在用老掉牙的asp做点东东,找到一个好用的防注入代码,收藏一下。

扫描二维码推送至手机访问。

版权声明:本文由飞鱼时空发布,如需转载请注明出处。

本文链接:http://zwza.cn/post/2224.html

分享给朋友:

“asp防sql注入代码” 的相关文章