SQL注入式攻击防范代码
--------------------------------------------------------------------------------
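' GET-request blacklist: rejects a request whose raw query string or Host
' header contains characters commonly used in SQL injection, and requires the
' "id" and "page" parameters, when supplied, to be plain decimal integers.
'
' NOTE(review): a character blacklist is defense-in-depth only. It is
' bypassable (e.g. "+", "%09", "%0a", "/**/", "%2527") and it produces false
' positives. The actual protection must be parameterized SQL
' (ADODB.Command with Parameters) on every query that uses request data.

' Raw, still URL-encoded query string, lower-cased so "%3C" and "%3c" match.
squery = LCase(Request.ServerVariables("QUERY_STRING"))
' The Host header is client-controlled. Strip an explicit ":port" so that a
' deployment on a non-default port is not rejected by the ":" rule below.
sURL = LCase(Request.ServerVariables("HTTP_HOST"))
If InStr(sURL, ":") <> 0 Then sURL = Left(sURL, InStr(sURL, ":") - 1)
allquery = squery & sURL

' Tokens never expected in this application's URLs ("%a1a1" is the GBK
' full-width space). The original list also contained an empty string "";
' InStr(s, "") returns 1 for any non-empty s, so that entry rejected EVERY
' request - it has been removed.
badTokens = Array("%20", "%27", "'", "%a1a1", "%24", "%3b", ";", ":", "%%", "%3c", "--", "*")

blocked = False
For tokenIdx = 0 To UBound(badTokens)
    If InStr(allquery, badTokens(tokenIdx)) <> 0 Then
        blocked = True
        Exit For
    End If
Next

' Numeric parameters. Request("id") searches QueryString, Form, Cookies and
' ServerVariables in that order; it is kept here so the value validated is the
' same one a page reading Request("id") will use (validating a different
' collection than the page reads from would let the check be bypassed).
' A missing/empty value is accepted so pages without these parameters keep
' working; the page itself must still handle an absent id. A supplied value
' must be all decimal digits - IsNumeric would also accept "1e3", "&H1F",
' "1.5", "-1" and " 1 ", which are not valid identifiers here.
If Not blocked Then
    If Not IsDigitsOrEmpty(Request("id")) Then blocked = True
    If Not IsDigitsOrEmpty(Request("page")) Then blocked = True
End If

If blocked Then
    Response.Write "不法访问"
    Response.End
End If

' Returns True when value is Null/Empty/"" or consists only of decimal digits.
Function IsDigitsOrEmpty(value)
    Dim text, digitsOnly
    ' "" & Null yields "" in VBScript, so this normalizes Null/Empty too.
    text = "" & value
    If Len(text) = 0 Then
        IsDigitsOrEmpty = True
        Exit Function
    End If
    Set digitsOnly = New RegExp
    digitsOnly.Pattern = "^\d+$"
    IsDigitsOrEmpty = digitsOnly.Test(text)
End Function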
'POST 输入过滤：SQL 注入防范及 HTML 防护（注意：HTML 实体编码只防 XSS，数据库查询仍须使用参数化 SQL）
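' HTML-encodes a string received from a POST form so it can be echoed into a
' page without being interpreted as markup, and converts newlines to <br>.
' Returns "" for Null input (the original left the return value Empty, which
' also compares equal to "").
'
' NOTE(review): entity encoding is output (XSS) protection. It is NOT a
' substitute for parameterized SQL: a value such as "1 OR 1=1" contains none of
' the characters below and still injects when concatenated into a query.
' Use ADODB.Command parameters for the database call.
'
' Changes from the original: the entity text had been lost (each Replace
' mapped a character to itself, i.e. did nothing); "chr(9)"/"chr(10)"/"chr(13)"
' were quoted, so the literal text "chr(9)" was replaced instead of the tab
' character; "<"/">" were encoded AFTER the "<br>" insertion, so the inserted
' "<br>" was itself escaped; CRLF produced two breaks; the "script" match was
' case-sensitive. The ";" rule was dropped: every entity ends in ";", so
' encoding ";" after "&" corrupts "&amp;" and encoding it before "&" is undone
' by the "&" rule - and ";" carries no HTML meaning.
Function nosql(str)
    If IsNull(str) Then
        nosql = ""
        Exit Function
    End If
    str = Trim(str)
    ' "&" first, otherwise the entities inserted below (and any the user
    ' typed, e.g. "&lt;") would be decoded by the browser.
    str = Replace(str, "&", "&amp;")
    str = Replace(str, "'", "&#39;")    ' single quote
    str = Replace(str, """", "&quot;")  ' double quote
    str = Replace(str, Chr(9), " ")     ' tab -> space
    ' Angle brackets before the <br> insertion so the <br> survives.
    str = Replace(str, "<", "&lt;")
    str = Replace(str, ">", "&gt;")
    str = Replace(str, vbCrLf, "<br>")  ' CRLF as one break, not two
    str = Replace(str, Chr(10), "<br>")
    str = Replace(str, Chr(13), "<br>")
    ' Breaks the literal tag/attribute name regardless of case.
    str = Replace(str, "script", "scr&#105;pt", 1, -1, vbTextCompare)
    str = Replace(str, "--", "&#45;&#45;") ' SQL comment marker
    nosql = str
End Function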
'POST 输入过滤（加强版）：SQL 注入防范及 HTML 防护，另外编码括号和星号
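' Stricter variant of the POST-input encoder: HTML-encodes the string,
' converts newlines to <br>, and additionally encodes "(", ")" and "*".
' Returns "" for Null input. The original assigned "" to the parameter and
' exited without setting the return value, so it actually returned Empty.
'
' NOTE(review): entity encoding is output (XSS) protection, not SQL
' protection - a numeric payload such as "1 OR 1=1" passes through untouched.
' The database call must use ADODB.Command parameters.
'
' Changes from the original: the entity text had been lost (each Replace was
' an identity mapping); "chr(9)"/"chr(10)"/"chr(13)" were quoted literals
' instead of control characters; "<"/">" were encoded after the "<br>"
' insertion, escaping the <br> itself; CRLF produced two breaks; "script" was
' matched case-sensitively. The ";" rule was dropped: "&amp;" ends in ";", so
' encoding ";" after "&" (the original order) corrupts every "&" to
' "&amp&#59;"; ";" has no HTML meaning.
Function FormatSQL(str)
    If IsNull(str) Then
        FormatSQL = ""
        Exit Function
    End If
    str = Trim(str)
    ' "&" first so the entities inserted below are not double-decoded.
    str = Replace(str, "&", "&amp;")
    str = Replace(str, "'", "&#39;")    ' single quote
    str = Replace(str, """", "&quot;")  ' double quote
    str = Replace(str, Chr(9), " ")     ' tab -> space
    ' Angle brackets before the <br> insertion so the <br> survives.
    str = Replace(str, "<", "&lt;")
    str = Replace(str, ">", "&gt;")
    str = Replace(str, vbCrLf, "<br>")  ' CRLF as one break, not two
    str = Replace(str, Chr(10), "<br>")
    str = Replace(str, Chr(13), "<br>")
    str = Replace(str, "script", "scr&#105;pt", 1, -1, vbTextCompare)
    str = Replace(str, "(", "&#40;")
    str = Replace(str, ")", "&#41;")
    str = Replace(str, "*", "&#42;")
    str = Replace(str, "--", "&#45;&#45;") ' SQL comment marker
    FormatSQL = str
End Function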