Question about ASP anti-SQL-injection filter code??

function checkstr(str)
if isnull(str) then
checkstr = ""
exit function
end if
str = replace(str,chr(0),"", 1, -1, 1)
str = replace(str, """", "&quot;", 1, -1, 1)
str = replace(str, "<", "&lt;", 1, -1, 1)
str = replace(str, ">", "&gt;", 1, -1, 1)
str = replace(str, "script", "script", 1, -1, 0)
str = replace(str, "script", "script", 1, -1, 0)
str = replace(str, "script", "script", 1, -1, 0)
str = replace(str, "script", "script", 1, -1, 1)
str = replace(str, "object", "object", 1, -1, 0)
str = replace(str, "object", "object", 1, -1, 0)
str = replace(str, "object", "object", 1, -1, 0)
str = replace(str, "object", "object", 1, -1, 1)
str = replace(str, "applet", "applet", 1, -1, 0)
str = replace(str, "applet", "applet", 1, -1, 0)
str = replace(str, "applet", "applet", 1, -1, 0)
str = replace(str, "applet", "applet", 1, -1, 1)
str = replace(str, "[", "[")
str = replace(str, "]", "]")
str = replace(str, """", "", 1, -1, 1)
str = replace(str, "=", "=", 1, -1, 1)
str = replace(str, "'", "''", 1, -1, 1)
str = replace(str, "select", "select", 1, -1, 1)
str = replace(str, "execute", "execute", 1, -1, 1)
str = replace(str, "exec", "exec", 1, -1, 1)
str = replace(str, "join", "join", 1, -1, 1)
str = replace(str, "union", "union", 1, -1, 1)
str = replace(str, "where", "where", 1, -1, 1)
str = replace(str, "insert", "insert", 1, -1, 1)
str = replace(str, "delete", "delete", 1, -1, 1)
str = replace(str, "update", "update", 1, -1, 1)
str = replace(str, "like", "like", 1, -1, 1)
str = replace(str, "drop", "drop", 1, -1, 1)
str = replace(str, "create", "create", 1, -1, 1)
str = replace(str, "rename", "rename", 1, -1, 1)
str = replace(str, "count", "count", 1, -1, 1)
str = replace(str, "chr", "chr", 1, -1, 1)
str = replace(str, "mid", "mid", 1, -1, 1)
str = replace(str, "truncate", "truncate", 1, -1, 1)
str = replace(str, "nchar", "nchar", 1, -1, 1)
str = replace(str, "char", "char", 1, -1, 1)
str = replace(str, "alter", "alter", 1, -1, 1)
str = replace(str, "cast", "cast", 1, -1, 1)
str = replace(str, "exists", "exists", 1, -1, 1)
str = replace(str,chr(13),"<br>", 1, -1, 1)
checkstr = replace(str,"'","''", 1, -1, 1)
end function
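Can this code prevent SQL injection? How do I use it?
Where exactly should it be used?? I've heard that many ASP websites have been hacked.
How can I prevent that?
Please be detailed.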
dick8121
2010-08-20
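No need for that. If your variable is numeric, convert it with Clng(); if it is a date type, use CDate(); for any other type, just replace the single quote:
Function checkStr(ByVal x, ByVal typ)
    On Error Resume Next

    ' If you need an integer variable
    If typ = "int" Then
        x = CLng(x)

    ' If you need a date/time
    ElseIf typ = "date" Then
        x = CDate(x)

    ' Anything else
    Else
        x = Replace(x, "'", "''")
    End If
    If Err.Number <> 0 Then
        Response.End()
    End If

    checkStr = x
End Function
That's all you need; injection definitely won't be possible.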
nnigou
2010-08-19
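Use it wherever parameters can be received.
Mainly:
request.form
request.querystring
request.cookies
Variables of these three types can all be maliciously injected.
Some places in your original code are probably written as
aaa=request.querystring("aaa")
With this function, that has to become
aaa=checkstr(request.querystring("aaa"))

Just find a general-purpose ASP anti-injection script
and include it directly in your conn file.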
Anonymous user
2010-08-29
checkstr(request("fuckhacker"))
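
The answers above convert or escape each value and then concatenate it into the SQL text. As an added example (not code from this thread), the same request inputs can instead be bound as typed ADO parameters, so no keyword or quote filtering is involved. It assumes conn is an already open ADODB.Connection; the users table, its columns and the FindUsers helper are hypothetical.

```vbscript
<%
' Added example, not from the thread. Assumes conn is an open
' ADODB.Connection; table "users" and its columns are hypothetical.
Const adCmdText = 1
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1

' Returns a recordset, or Nothing when the input fails validation.
' Values are sent as typed parameters, so quotes and SQL keywords in
' the input are treated as data and never parsed as SQL.
Function FindUsers(conn, rawId, rawName)
    Dim cmd, re, idText, nameText
    Set FindUsers = Nothing

    ' "" & x turns Null, Empty or a missing request key into "".
    idText = Trim("" & rawId)
    nameText = Left("" & rawName, 50)   ' keep within the declared size

    ' Accept only 1 to 9 digits so CLng cannot overflow or raise an error.
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(idText) Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The SQL text is a constant; "?" marks where each value is bound.
    cmd.CommandText = "SELECT id, name FROM users WHERE id = ? AND name = ?"
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(idText))
    cmd.Parameters.Append cmd.CreateParameter("@name", adVarChar, adParamInput, 50, nameText)
    Set FindUsers = cmd.Execute
End Function

Dim rs
Set rs = FindUsers(conn, Request.QueryString("id"), Request.Form("name"))
If rs Is Nothing Then
    Response.Status = "400 Bad Request"
    Response.End
End If
Do Until rs.EOF
    ' HTML escaping is applied at output time, separately from SQL handling.
    Response.Write Server.HTMLEncode(rs("name") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```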