上一篇
下一篇
通用Sql防注入检测函数
作者:cmscn 日期:2008-05-31
不改变原字符显示!
如select*替换为& # 115;elect*
这样既不损坏数据,也安全!
没有想到的地方请大家指正
<%
Response.Write CheckRequest("str")
' ============================================
' 检测传入变量,防止SQL注入
' ============================================
Function CheckRequest(ByVal strRequest)
Dim ParaValue, aBadUalueb, bBadValue, inBad, strBad
If strRequest = "" Then
CheckRequest = ""
Exit Function
End If
ParaValue = Request(strRequest)
If ParaValue = "" Then
CheckRequest = ""
Exit Function
End If
aBadValue = "net user|net localgroup administrators|xp_cmdshell|/add|exec%20master.dbo.xp_cmdshell|" & Chr(0) & ""
aValueArr = Split(aBadValue, "|")
For a = 0 To UBound(aValueArr)
If InStr(LCase(ParaValue), aValueArr(a)) <> 0 Then
ParaValue = Replace(ParaValue, aValueArr(a), strFToAsc(aValueArr(a)), 1, -1, vbTextCompare)
End If
Next
bBadUalue = "and|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare|drop|from|or"
inBad = "(|)|[|]| |*|%20"
bValueArr = Split(bBadUalue, "|")
iBad = Split(inBad, "|")
For b = 0 To UBound(bValueArr)
strBad = bValueArr(b)
For i = 0 To UBound(iBad)
Fstr = strBad & iBad(i)
If InStr(LCase(ParaValue), Fstr) <> 0 Then
ParaValue = Replace(ParaValue, Fstr, strFToAsc(Fstr), 1, -1, vbTextCompare)
End If
Lstr = iBad(i) & strBad
If InStr(LCase(ParaValue), Lstr) <> 0 Then
ParaValue = Replace(ParaValue, Lstr, strFToAsc(Lstr), 1, -1, vbTextCompare)
End If
Next
Next
CheckRequest = ParaValue
End Function
' ============================================
' 首字符转换成Html码
' ============================================
Function strFToAsc(ByVal strValue)
Dim strTemp
strTemp = strValue
If strTemp = "" Then
strFToAsc = ""
Exit Function
End If
strTemp = "&#" & Asc(Left(strTemp, 1)) & ";" & Right(strTemp, Len(strTemp) - 1)
strFToAsc = strTemp
End Function
%>
http://blog.sina.com.cn/s/blog_49daec50010007il.html
文章来自: 
引用通告: 
Tags: 
相关日志:
评论: 0 | 引用: 0 | 查看次数: 506
发表评论
