|
#2
yms1232009-08-15 17:13
|
以前没有加入防注入的代码,被别人注入了,
但后来加了代码,并把注入代码都删除了,
今天打开网站 后又发现了被人挂马了,
请问怎么才能安全的防止注入
以下 是我加的 防注入代码,代码是加在CONN.ASP文件中的
<%
'检测SQL注入,发现注入语法,直接报非法输入,并退出
'检测非字符
'SQL_injdata = "'|exec |insert |select |update |delete |set |xp_cmdshell |exec master|xp_dirtree |exec master |char |net localgroup administrators | and |net user | or |mid( |asc( |truncate |cast|declare|exec|varchar"
SQL_injdata = "'|exec |insert |select |update |delete |set |xp_cmdshell |exec master|xp_dirtree |exec master |char |net localgroup administrators | and |net user | or |mid( |asc( |truncate |declare|exec|varchar"
SQL_inj = split(SQL_Injdata,"|")
'检测GET
If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(lcase(Request.QueryString(SQL_Get)),Sql_Inj(Sql_DATA))>0 Then
response.write "输入非法"
Response.end
end if
next
Next
End If
'检测POST
If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(lcase(Request.Form(Sql_Post)),Sql_Inj(Sql_DATA))>0 Then
response.write "输入非法"
Response.end
end if
next
next
end if
'检测cookie
If Request.Cookies<>"" Then
For Each Sql_Cookie In Request.Cookies
For SQL_Data=0 To Ubound(SQL_inj)
if instr(lcase(Request.Cookies(Sql_Cookie)),Sql_Inj(Sql_DATA))>0 Then
response.write "输入非法"
Response.end
end if
next
next
end if
%>