ASP程序如何防范SQL注入

海外服务器 (467) 2015-10-31 13:32:40

以下是引用片段:

 

1.Function SafeRequest(ParaName)   
2.Dim ParaValue   
3.ParaValue=Request(ParaName)   
4.if IsNumeric(ParaValue) = True then   
5.SafeRequest=ParaValue   
6.exit Function   
7.elseIf Instr(LCase(ParaValue),"select ") > 0 or Instr(LCase(ParaValue),"insert ") 
> 0 or Instr(LCase(ParaValue),"delete from") > 0 or Instr(LCase(ParaValue),"count(") 
> 0 or Instr(LCase(ParaValue),"drop table") > 0 or Instr(LCase(ParaValue),"update ") 
> 0 or Instr(LCase(ParaValue),"truncate ") > 0 or Instr(LCase(ParaValue),"asc(") > 0 
or Instr(LCase(ParaValue),"mid(") > 0 or Instr(LCase(ParaValue),"char(") > 0 or 
Instr(LCase(ParaValue),"xp_cmdshell") > 0 or Instr(LCase(ParaValue),"exec master") 
> 0 or Instr(LCase(ParaValue),"net localgroup administrators") > 0 or Instr(LCase(ParaValue)," and ") 
> 0 or Instr(LCase(ParaValue),"net user") > 0 or Instr(LCase(ParaValue)," or ") > 0 then   
8.Response.Write "<script language='javascript'>"   
9.Response.Write "alert('非法的请求!');" ' 

 

发现SQL注入攻击提示信息:

 

Response.Write "location.href='http://dev.yesky.com/';" '发现SQL注入攻击转跳网址
1.Response.Write "<script>"   
2.Response.end   
3.else   
4.SafeRequest=ParaValue   
5.End If   
6.End function  

 

使用SafeRequest函数。

THE END