|
#2
coretear2012-06-06 09:34
Function CheckSql() '防止SQL注入
Dim HT_SQL_Injdata HT_SQL_Injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare" SQL_inj = split(HT_SQL_Injdata,"|") If Request.QueryString<>"" Then For Each SQL_Get In Request.QueryString For SQL_Data=0 To Ubound(SQL_inj) if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then Response.Write "<Script Language='javascript'>{alert('请不要在参数中包含非法字符!');history.back(-1)}</Script>" Response.end end if next Next End If If Request.Form<>"" Then For Each Sql_Post In Request.Form For SQL_Data=0 To Ubound(SQL_inj) if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then Response.Write "<Script Language='javascript'>{alert('请不要在参数中包含非法字符!');history.back(-1)} </Script>" Response.end end if next next end if End Function Function CheckStr(byVal ChkStr) '检查无效字符 Dim Str:Str=ChkStr Str=Trim(Str) If IsNull(Str) Then CheckStr = "" Exit Function End If Dim re Set re=new RegExp re.IgnoreCase =True re.Global=True re.Pattern="(\r\n){3,}" Str=re.Replace(Str,"$1$1$1") Set re=Nothing Str = Replace(Str,"'","''") Str = Replace(Str, "select", "select") Str = Replace(Str, "join", "join") Str = Replace(Str, "union", "union") Str = Replace(Str, "where", "where") Str = Replace(Str, "insert", "insert") Str = Replace(Str, "delete", "delete") Str = Replace(Str, "update", "update") Str = Replace(Str, "like", "like") Str = Replace(Str, "drop", "drop") Str = Replace(Str, "create", "create") Str = Replace(Str, "modify", "modify") Str = Replace(Str, "rename", "rename") Str = Replace(Str, "alter", "alter") Str = Replace(Str, "cast", "cast") CheckStr=Str End Function Function UnCheckStr(Str) '检查非法sql命令 Str = Replace(Str, "select", "select") Str = Replace(Str, "join", "join") Str = Replace(Str, "union", "union") Str = Replace(Str, "where", "where") Str = Replace(Str, "insert", "insert") Str = Replace(Str, "delete", "delete") Str = Replace(Str, "update", "update") Str = Replace(Str, "like", "like") Str = Replace(Str, "drop", "drop") Str = Replace(Str, "create", "create") Str = Replace(Str, "modify", "modify") Str = Replace(Str, "rename", "rename") Str = Replace(Str, "alter", "alter") Str = Replace(Str, "cast", "cast") UnCheckStr=Str End Function Function Checkstr(Str) 'SQL防注入过滤涵数 If Isnull(Str) Then CheckStr = "" Exit Function End If Str = Replace(Str,Chr(0),"", 1, -1, 1) Str = Replace(Str, """", """", 1, -1, 1) Str = Replace(Str,"<","<", 1, -1, 1) Str = Replace(Str,">",">", 1, -1, 1) Str = Replace(Str, "script", "script", 1, -1, 0) Str = Replace(Str, "SCRIPT", "SCRIPT", 1, -1, 0) Str = Replace(Str, "Script", "Script", 1, -1, 0) Str = Replace(Str, "script", "Script", 1, -1, 1) Str = Replace(Str, "object", "object", 1, -1, 0) Str = Replace(Str, "OBJECT", "OBJECT", 1, -1, 0) Str = Replace(Str, "Object", "Object", 1, -1, 0) Str = Replace(Str, "object", "Object", 1, -1, 1) Str = Replace(Str, "applet", "applet", 1, -1, 0) Str = Replace(Str, "APPLET", "APPLET", 1, -1, 0) Str = Replace(Str, "Applet", "Applet", 1, -1, 0) Str = Replace(Str, "applet", "Applet", 1, -1, 1) Str = Replace(Str, "[", "[") Str = Replace(Str, "]", "]") Str = Replace(Str, """", "", 1, -1, 1) Str = Replace(Str, "=", "=", 1, -1, 1) Str = Replace(Str, "'", "''", 1, -1, 1) Str = Replace(Str, "select", "select", 1, -1, 1) Str = Replace(Str, "execute", "execute", 1, -1, 1) Str = Replace(Str, "exec", "exec", 1, -1, 1) Str = Replace(Str, "join", "join", 1, -1, 1) Str = Replace(Str, "union", "union", 1, -1, 1) Str = Replace(Str, "where", "where", 1, -1, 1) Str = Replace(Str, "insert", "insert", 1, -1, 1) Str = Replace(Str, "delete", "delete", 1, -1, 1) Str = Replace(Str, "update", "update", 1, -1, 1) Str = Replace(Str, "like", "like", 1, -1, 1) Str = Replace(Str, "drop", "drop", 1, -1, 1) Str = Replace(Str, "create", "create", 1, -1, 1) Str = Replace(Str, "rename", "rename", 1, -1, 1) Str = Replace(Str, "count", "count", 1, -1, 1) Str = Replace(Str, "chr", "chr", 1, -1, 1) Str = Replace(Str, "mid", "mid", 1, -1, 1) Str = Replace(Str, "truncate", "truncate", 1, -1, 1) Str = Replace(Str, "nchar", "nchar", 1, -1, 1) Str = Replace(Str, "char", "char", 1, -1, 1) Str = Replace(Str, "alter", "alter", 1, -1, 1) Str = Replace(Str, "cast", "cast", 1, -1, 1) Str = Replace(Str, "exists", "exists", 1, -1, 1) Str = Replace(Str,Chr(13),"<br>", 1, -1, 1) CheckStr = Replace(Str,"'","''", 1, -1, 1) End Function Function HTMLEncode(reString) '过滤转换HTML代码 Dim Str:Str=reString If Not IsNull(Str) Then Str = UnCheckStr(Str) Str = Replace(Str, "&", "&") Str = Replace(Str, ">", ">") Str = Replace(Str, "<", "<") Str = Replace(Str, CHR(32), " ") Str = Replace(Str, CHR(9), " ") Str = Replace(Str, CHR(9), " ") Str = Replace(Str, CHR(34),"") Str = Replace(Str, CHR(39),"'") Str = Replace(Str, CHR(13), "") Str = Replace(Str, CHR(10), "<br>") HTMLEncode = Str End If End Function [ 本帖最后由 coretear 于 2012-6-6 09:40 编辑 ] |
谁有?请传个谢谢
42411211