ASP下的兩個(gè)防止SQL注入式攻擊的Function

更新時(shí)間：2007年10月29日 20:35:29 作者：

用于防止sql注入攻擊的函數(shù)，大家可以直接用了，不過大家光會用不行，要增強(qiáng)安全意識

'========================== 
'過濾提交表單中的SQL 
'========================== 
function ForSqlForm() 
dim fqys,errc,i,items 
dim nothis(18) 
nothis(0)="net user" 
nothis(1)="xp_cmdshell" 
nothis(2)="/add" 
nothis(3)="exec%20master.dbo.xp_cmdshell" 
nothis(4)="net localgroup administrators" 
nothis(5)="select" 
nothis(6)="count" 
nothis(7)="asc" 
nothis(8)="char" 
nothis(9)="mid" 
nothis(10)="'" 
nothis(11)=":" 
nothis(12)="""" 
nothis(13)="insert" 
nothis(14)="delete" 
nothis(15)="drop" 
nothis(16)="truncate" 
nothis(17)="from" 
nothis(18)="%" 
'nothis(19)="@"  
errc=false 
for i= 0 to ubound(nothis) 
  for each items in request.Form 
  if instr(request.Form(items),nothis(i))<>0 then 
   response.write("<div>") 
   response.write("你所填寫的信息:" & server.HTMLEncode(request.Form(items)) & "<br>含非法字符:" & nothis(i)) 
   response.write("</div>") 
   response.write("對不起,你所填寫的信息含非法字符！<a href=""#"" onclick=""history.back()"">返回</a>") 
   response.End() 
  end if 
  next 
next 
end function 
'========================== 
'過濾查詢中的SQL 
'========================== 
function ForSqlInjection() 
dim fqys,errc,i 
dim nothis(19) 
fqys = request.ServerVariables("QUERY_STRING") 
nothis(0)="net user" 
nothis(1)="xp_cmdshell" 
nothis(2)="/add" 
nothis(3)="exec%20master.dbo.xp_cmdshell" 
nothis(4)="net localgroup administrators" 
nothis(5)="select" 
nothis(6)="count" 
nothis(7)="asc" 
nothis(8)="char" 
nothis(9)="mid" 
nothis(10)="'" 
nothis(11)=":" 
nothis(12)="""" 
nothis(13)="insert" 
nothis(14)="delete" 
nothis(15)="drop" 
nothis(16)="truncate" 
nothis(17)="from" 
nothis(18)="%" 
nothis(19)="@"  
errc=false 
for i= 0 to ubound(nothis) 
if instr(FQYs,nothis(i))<>0 then 
errc=true 
end if 
next 
if errc then 
response.write "查詢信息含非法字符！<a href=""#"" onclick=""history.back()"">返回</a>" 
response.end 
end if 
end function