ASP+ACCESS SQL injection prevention
<%
dim sql_injdata
SQL_injdata = "'|and|or|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString<>"" Then
For Each SQL_GET In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write ("<Script>alert('Please do not include illegal characters in the parameters!');history.back(-1)</Script>" )
Response.end
end if
next
Next
For Each SQL_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script>alert('Please do not include illegal characters in the parameters!');history.back(-1)</Script>" )
Response.end
end if
next
next
%>
When I call it, this line reports an error:
Microsoft VBScript compiler error (0x800A0408)
Invalid character
/ip/sqlsplit.asp, line 6
For Each SQL_GET In Request.QueryString
I would like to know what the reason is.
1 answer
I have fixed it; copy mine and paste it in. I marked the wrong places with comments.
<%
dim sql_injdata
' Keyword blacklist, split on "|" into an array
SQL_injdata = "'|and|or|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString<>"" Then
' Check every query-string parameter against every blacklist entry
For Each SQL_GET In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write ("<Script>alert('Please do not include illegal characters in the parameters!');history.back(-1)</Script>" )
Response.end
end if
next
Next
' Same check for every form (POST) field
For Each SQL_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
Response.Write ("<Script>alert('Please do not include illegal characters in the parameters!');history.back(-1)</Script>" ) ' a parenthesis was missing after Write here
Response.end
end if
next
next
end if ' End If was missing here
%>
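The answer above fixes the syntax, but two things about the filter itself are worth seeing in working code. First, VBScript's InStr defaults to a binary (case-sensitive) compare, so "SeLeCt" or "UNION" walk straight past a lowercase blacklist, while harmless values such as "O'Brien" or "Andrew" (which contains "and") get rejected; and because both loops sit inside If Request.QueryString <> "" Then, a POST arriving with an empty query string is never checked at all. Second, a keyword blacklist is not how SQL injection is prevented in ASP+Access: the query should be built with ADODB.Command parameters so that user input never becomes part of the SQL text. The following page is an added example written for this article, not code from the question or the answer; the database path db/site.mdb, the Users table, the Username column and the "user" request parameter are hypothetical assumptions.

```vbscript
<%
' Added example, not the poster's or the answerer's code.
' Assumes an Access database at db/site.mdb with a table Users(Username) and
' a request parameter named "user". All of these names are hypothetical.
Option Explicit

' 1. The blacklist as a function. vbTextCompare makes the match case-insensitive,
'    which closes the "SeLeCt" bypass the original instr() call had. It still
'    rejects legitimate input (O'Brien, Andrew, "county"), so treat this as a
'    tripwire for logging, not as the defence against injection.
Function ContainsBlacklisted(value)
    Dim patterns, i
    patterns = Split("'|and|or|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare", "|")
    ContainsBlacklisted = False
    For i = 0 To UBound(patterns)
        If InStr(1, value, patterns(i), vbTextCompare) > 0 Then
            ContainsBlacklisted = True
            Exit Function
        End If
    Next
End Function

Sub RejectRequest()
    Response.Write "<script>alert('Please do not include illegal characters in the parameters!');history.back(-1)</script>"
    Response.End
End Sub

' Check both collections unconditionally. The original wrapped both loops in
' If Request.QueryString <> "" Then, so a POST with no query string was never checked.
Dim key
For Each key In Request.QueryString
    If ContainsBlacklisted(Request.QueryString(key)) Then RejectRequest
Next
For Each key In Request.Form
    If ContainsBlacklisted(Request.Form(key)) Then RejectRequest
Next

' 2. The real fix: never concatenate user input into the SQL string.
'    With an ADO parameter the value is sent as data, so a quote, "or 1=1"
'    or a SELECT keyword inside it cannot change the statement.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim conn, cmd, rs, username
username = Request("user")   ' hypothetical parameter name

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("db/site.mdb")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Username FROM Users WHERE Username = ?"
cmd.Parameters.Append cmd.CreateParameter("user", adVarChar, adParamInput, 50, username)

Set rs = cmd.Execute
If rs.EOF Then
    Response.Write "No such user."
Else
    ' HTMLEncode the value on the way out so a stored payload cannot become XSS
    Response.Write "Found: " & Server.HTMLEncode(rs("Username").Value)
End If
rs.Close
conn.Close
%>
```

The parameter length (50) should match the column width in the Access table; Jet treats a "?" placeholder positionally, so append parameters in the order the placeholders appear. If the blacklist is kept at all, log the rejected value rather than relying on it, since the parameterized query is what actually stops the injection.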