本文介绍了一种在ASP中防止SQL注入的方法,通过定义函数SafeRequest来验证输入参数的类型,并提供了一段代码用于检查HTTP请求中的潜在危险字符串,确保应用安全。
Function SafeRequest(ParaName,ParaType)
'--- 传入参数 ---
'ParaName:参数名称-字符型
'ParaType:参数类型-数字型(1表示以上参数是数字,0表示以上参数为字符)
Dim ParaValue
ParaValue=Request(ParaName)
If ParaType=1 then
If not isNumeric(ParaValue) then
Response.write "参数" & ParaName & "必须为数字型!"
Response.end
End if
Else
ParaValue=replace(ParaValue,"'","''")
End if
SafeRequest=ParaValue
End function
'--- 传入参数 ---
'ParaName:参数名称-字符型
'ParaType:参数类型-数字型(1表示以上参数是数字,0表示以上参数为字符)
Dim ParaValue
ParaValue=Request(ParaName)
If ParaType=1 then
If not isNumeric(ParaValue) then
Response.write "参数" & ParaName & "必须为数字型!"
Response.end
End if
Else
ParaValue=replace(ParaValue,"'","''")
End if
SafeRequest=ParaValue
End function
用SafeRequest(ParaName,ParaType)代替request.form("")和request..querystring("")
*********************************************************************************************************
-------------------------------------------------------------------------------------------------------------------------------------------
*********************************************************************************************************
<%
dim sql_injdata
sql_injdata="'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
sql_injHint=replace(sql_injdata,"|"," ")
sql_injHint=replace(sql_injHint,"'","'")
sql_inj=split(sql_injdata,"|")
if request.querystring<>"" then
for each getData in request.querystring
for i=0 to ubound(sql_inj)
if instr(lcase(request.querystring(getData)),sql_inj(i))>0 then
hint="alert('为了保证用户的信息安全,请不要使用非法注入字符。如下字符为非法的: @sql_injHint@');"
hint=replace(hint,"@sql_injHint@",sql_injHint)
response.write "<script language=javascript>"
response.write hint
response.write "history.back()"
response.write "</script>"
response.end
end if
next
next
end if
if request.form<>"" then
for each getData in request.querystring
for i=0 to ubound(sql_inj)
if instr(lcase(request.form(getData)),sql_inj(i))>0 then
hint="alert('为了保证用户的信息安全,请不要使用非法注入字符。如下字符为非法的: @sql_injHint@');"
hint=replace(hint,"@sql_injHint@",sql_injHint)
response.write "<script language=javascript>"
response.write hint
response.write "history.back()"
response.write "</script>"
response.end
end if
next
next
end if
%>
dim sql_injdata
sql_injdata="'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
sql_injHint=replace(sql_injdata,"|"," ")
sql_injHint=replace(sql_injHint,"'","'")
sql_inj=split(sql_injdata,"|")
if request.querystring<>"" then
for each getData in request.querystring
for i=0 to ubound(sql_inj)
if instr(lcase(request.querystring(getData)),sql_inj(i))>0 then
hint="alert('为了保证用户的信息安全,请不要使用非法注入字符。如下字符为非法的: @sql_injHint@');"
hint=replace(hint,"@sql_injHint@",sql_injHint)
response.write "<script language=javascript>"
response.write hint
response.write "history.back()"
response.write "</script>"
response.end
end if
next
next
end if
if request.form<>"" then
for each getData in request.querystring
for i=0 to ubound(sql_inj)
if instr(lcase(request.form(getData)),sql_inj(i))>0 then
hint="alert('为了保证用户的信息安全,请不要使用非法注入字符。如下字符为非法的: @sql_injHint@');"
hint=replace(hint,"@sql_injHint@",sql_injHint)
response.write "<script language=javascript>"
response.write hint
response.write "history.back()"
response.write "</script>"
response.end
end if
next
next
end if
%>
扫一扫
808
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
