1. Use lcase to catch SQL injection keywords written in upper or mixed case.
2. Check the three input sources Request.QueryString, Request.Form and Request.Cookies separately.
3. Paste the code directly into the database connection file; for ASP, for example, it can be added to the conn file.
The protective code is as follows (suggestions from more experienced hands are welcome):
SQL_injdata = "'|exec|insert|select|delete|update|count|iframe|script|chr|mid|master|truncate|char|declare|*|%|and"
SQL_inj = split(SQL_injdata,"|")
' Intercept injection in QueryString (GET) requests
If Request.QueryString<>"" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data=0 To Ubound(SQL_inj)
            ' lcase() lower-cases the value first, so upper- and mixed-case keywords are caught too
            If instr(lcase(Request.QueryString(SQL_Get)),SQL_inj(SQL_Data))>0 Then
                Response.write "您提交的内容含有非法字符"
                Response.end
            End If
        Next
    Next
End If
' Intercept injection in Form (POST) requests
If Request.Form<>"" Then
    For Each SQL_Post In Request.Form
        For SQL_Data=0 To Ubound(SQL_inj)
            If instr(lcase(Request.Form(SQL_Post)),SQL_inj(SQL_Data))>0 Then
                Response.write "您提交的内容含有非法字符"
                Response.end
            End If
        Next
    Next
End If
' Intercept injection in Cookies
If Request.Cookies<>"" Then
    For Each SQL_Post1 In Request.Cookies
        For SQL_Data=0 To Ubound(SQL_inj)
            ' read the cookie value itself, not Request.Form, otherwise cookies are never inspected
            If instr(lcase(Request.Cookies(SQL_Post1)),SQL_inj(SQL_Data))>0 Then
                Response.write "您提交的内容含有非法字符"
                Response.end
            End If
        Next
    Next
End If
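To see how this blacklist behaves on real field values, here is an added Python port of the same filter (not from the original post; the request dictionaries and sample values are constructed stand-ins for the ASP Request collections). It runs the same case-insensitive substring test over the three sources in the same order, and also shows the filter's main weakness as a control: because instr() is a plain substring match, ordinary words such as "Anderson" or "account" contain the tokens "and" and "count" and are rejected as well.

```python
# Added example: Python port of the ASP keyword blacklist above, run over
# constructed request data so its behaviour can be observed offline.

SQL_INJDATA = "'|exec|insert|select|delete|update|count|iframe|script|chr|mid|master|truncate|char|declare|*|%|and"
SQL_INJ = SQL_INJDATA.split("|")


def first_blocked_token(value):
    """Return the first blacklisted token found in value, or None.

    Mirrors instr(lcase(value), token) > 0 in the ASP code: the value is
    lower-cased first, and the test is a plain substring match, so the token
    does not have to be a whole word.
    """
    lowered = value.lower()
    for token in SQL_INJ:
        if token in lowered:
            return token
    return None


def check_request(querystring, form, cookies):
    """Check the three request sources in the order the ASP code uses.

    Each argument is a dict of field name -> value (a stand-in for the ASP
    Request.QueryString / Request.Form / Request.Cookies collections).
    Returns (source, field, token) for the first hit, or None if nothing matched,
    which corresponds to where the ASP code would call Response.end.
    """
    sources = (("querystring", querystring), ("form", form), ("cookies", cookies))
    for source_name, collection in sources:
        for field, value in collection.items():
            token = first_blocked_token(value)
            if token is not None:
                return (source_name, field, token)
    return None


# Constructed sample requests (not real traffic).
BENIGN = {
    "querystring": {"id": "42", "page": "2"},
    "form": {"title": "Hello world"},
    "cookies": {"lang": "zh"},
}
# A quote in a cookie value: the "'" token is first in the list, so it is the one reported.
QUOTE_IN_COOKIE = {
    "querystring": {},
    "form": {},
    "cookies": {"uid": "x' OR 1=1"},
}
# A perfectly normal surname is rejected because "anderson" contains "and".
FALSE_POSITIVE = {
    "querystring": {},
    "form": {"name": "Anderson", "city": "Chandler"},
    "cookies": {},
}


def main():
    for label, request in (("benign", BENIGN),
                           ("quote in cookie", QUOTE_IN_COOKIE),
                           ("false positive", FALSE_POSITIVE)):
        print(f"{label:16s} -> {check_request(**request)}")


if __name__ == "__main__":
    main()
```

The false-positive case is the practical caveat for anyone pasting this into a conn file: every page on the site inherits the filter, so any form that accepts free text (names, addresses, "10% off") will reject legitimate submissions. The substring test should at minimum be replaced with word-boundary matching, and the real fix for the injection risk is to pass user input to the database as parameters of an ADODB.Command rather than concatenating it into the SQL string; this blacklist is at best an extra layer in front of that.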
GMT+8, 2024-10-19 22:28
Powered by ScienceNet.cn
Copyright © 2007- 中国科学报社