ASP中过滤SQL命令字符
作者:wang 日期:2009-10-13
function POP_sqlin(text)
	' Storage-side filter for submitted form text (see the usage note at the end of the page).
	' Contract: Null -> ""; otherwise every single quote is doubled (the SQL string-literal
	' escape) and each entry of the keyword table is matched case-insensitively with RegExp
	' and replaced by the literal given for it. As displayed on this page the replacement is
	' spelled exactly like the pattern for every entry except the quote, so those passes only
	' lower-case the matched substring (e.g. "SELECT" -> "select"); the original source may
	' have used look-alike (full-width) characters that the page rendering normalised --
	' confirm against the original before relying on this behaviour.
	' Review note: this is a substring blacklist, not a parser. It also rewrites ordinary
	' words that happen to contain a keyword ("ACCOUNT", "COMMAND"), and doubling quotes only
	' helps when the caller embeds the value inside a quoted SQL literal; it does nothing for
	' numeric or LIKE contexts. The dependable mitigation is to stop concatenating user input
	' into SQL text and bind it through ADODB.Command parameters; keep this routine, if at
	' all, as defence in depth.
	dim Sqlwords, kw, keywordList
	if isnull(text) then
		POP_sqlin = ""
		exit function
	end if
	Set Sqlwords = new RegExp
	Sqlwords.IgnoreCase = True
	Sqlwords.Global = True
	' Quote doubling is the only pass whose replacement differs from its pattern.
	Sqlwords.Pattern = "(')"
	text = Sqlwords.Replace(text, "''")
	' Remaining passes, in the original order; each pattern is "(" & word & ")".
	keywordList = Array(";", "%", "and", "exec", "execute", "insert", "select", "delete", _
		"update", "count", "chr", "mid", "master", "truncate", "char", "declare")
	for each kw in keywordList
		Sqlwords.Pattern = "(" & kw & ")"
		text = Sqlwords.Replace(text, kw)
	next
	Set Sqlwords = Nothing
	POP_sqlin = text
end function
function POP_sqlout(text)
	' Reverse of POP_sqlin, applied before stored text is echoed back (HTMLEncode calls it).
	' Contract: Null -> ""; otherwise "''" is collapsed to "'", then each from/to pair in the
	' table below is applied with VBScript's Replace (binary, case-sensitive compare, unlike
	' the case-insensitive RegExp passes in POP_sqlin). As displayed on this page every table
	' entry maps a string to itself, so those passes change nothing; the original probably
	' mapped look-alike (full-width) characters back to ASCII and the page rendering
	' normalised them -- confirm against the original file.
	' Review note: collapsing "''" here assumes the stored value still carries the doubled
	' quotes. If the database already un-doubled them when the INSERT was parsed, a
	' legitimately stored "''" in user text is silently changed to "'".
	dim pairs, i
	if isnull(text) then
		POP_sqlout = ""
		exit function
	end if
	text = Replace(text, "''", "'")
	' Flattened from/to table: pairs(i) is the search string, pairs(i + 1) its replacement.
	pairs = Array(";", ";", "%", "%", "and", "and", "exec", "exec", "execute", "execute", _
		"insert", "insert", "select", "select", "delete", "delete", "update", "update", _
		"count", "count", "chr", "chr", "mid", "mid", "master", "master", _
		"truncate", "truncate", "char", "char", "declare", "declare")
	for i = 0 to UBound(pairs) step 2
		text = Replace(text, pairs(i), pairs(i + 1))
	next
	POP_sqlout = text
end function
function HTMLEncode(popstring)
if not isnull(popstring) then
popstring = POP_sqlout(popstring)
popstring = replace(popstring, ">", ">")
popstring = replace(popstring, "<", "<")
popstring = Replace(popstring, CHR(32), " ")
popstring = Replace(popstring, CHR(9), " ")
popstring = Replace(popstring, CHR(34), """)
popstring = Replace(popstring, CHR(39), "'")
popstring = Replace(popstring, CHR(10) & CHR(10), "
if isnull(text) then
POP_sqlin=""
exit function
end if
dim Sqlwords
Set Sqlwords=new RegExp
Sqlwords.IgnoreCase =True
Sqlwords.Global=True
Sqlwords.Pattern="(')"
text=Sqlwords.Replace(text,"''")
Sqlwords.Pattern="(;)"
text=Sqlwords.Replace(text,";")
Sqlwords.Pattern="(%)"
text=Sqlwords.Replace(text,"%")
Sqlwords.Pattern="(and)"
text=Sqlwords.Replace(text,"and")
Sqlwords.Pattern="(exec)"
text=Sqlwords.Replace(text,"exec")
Sqlwords.Pattern="(execute)"
text=Sqlwords.Replace(text,"execute")
Sqlwords.Pattern="(insert)"
text=Sqlwords.Replace(text,"insert")
Sqlwords.Pattern="(select)"
text=Sqlwords.Replace(text,"select")
Sqlwords.Pattern="(delete)"
text=Sqlwords.Replace(text,"delete")
Sqlwords.Pattern="(update)"
text=Sqlwords.Replace(text,"update")
Sqlwords.Pattern="(count)"
text=Sqlwords.Replace(text,"count")
Sqlwords.Pattern="(chr)"
text=Sqlwords.Replace(text,"chr")
Sqlwords.Pattern="(mid)"
text=Sqlwords.Replace(text,"mid")
Sqlwords.Pattern="(master)"
text=Sqlwords.Replace(text,"master")
Sqlwords.Pattern="(truncate)"
text=Sqlwords.Replace(text,"truncate")
Sqlwords.Pattern="(char)"
text=Sqlwords.Replace(text,"char")
Sqlwords.Pattern="(declare)"
text=Sqlwords.Replace(text,"declare")
Set Sqlwords=Nothing
POP_sqlin = text
end function
function POP_sqlout(text)
	' Reverse of POP_sqlin, applied before stored text is echoed back (HTMLEncode calls it).
	' This page shows the whole listing twice; a real .asp file must contain each function
	' only once or VBScript reports a redefined name.
	' Contract: Null -> ""; otherwise "''" is collapsed to "'", then each from/to pair below
	' is applied with VBScript's Replace (binary, case-sensitive compare). As displayed on
	' this page every pair maps a string to itself, so those passes change nothing; the
	' original probably restored look-alike (full-width) characters to ASCII and the page
	' rendering normalised them -- confirm against the original file.
	' Review note: collapsing "''" assumes the stored value still carries the doubled
	' quotes; if the database un-doubled them on INSERT, a genuine "''" in user text is
	' silently altered here.
	dim fromTo, idx
	if isnull(text) then
		POP_sqlout = ""
		exit function
	end if
	text = Replace(text, "''", "'")
	' fromTo(idx) is the search string, fromTo(idx + 1) the replacement, in the original order.
	fromTo = Array(";", ";", "%", "%", "and", "and", "exec", "exec", "execute", "execute", _
		"insert", "insert", "select", "select", "delete", "delete", "update", "update", _
		"count", "count", "chr", "chr", "mid", "mid", "master", "master", _
		"truncate", "truncate", "char", "char", "declare", "declare")
	for idx = 0 to UBound(fromTo) step 2
		text = Replace(text, fromTo(idx), fromTo(idx + 1))
	next
	POP_sqlout = text
end function
function HTMLEncode(popstring)
' Output-side helper: undoes POP_sqlin via POP_sqlout, then rewrites a few characters for
' HTML display. A Null argument skips the If entirely, so the function returns Empty (not "").
' Review note: several replacement literals on this page are visibly damaged -- the targets
' on the ">" and "<" lines equal their sources, the CHR(34) line has an unterminated string,
' and the two CHR(10) lines break across a physical line. They read like HTML entities and
' tags (&gt; &lt; &quot; <br>) that the page rendering decoded; confirm against the original
' file before using this code. As displayed, this routine does NOT escape "<", ">" or
' quotes, so it gives no protection against stored script injection when the result is
' written into a page; Server.HTMLEncode is the built-in ASP helper for that.
if not isnull(popstring) then
' Reverse the storage-side filter first so the displayed text matches what was submitted.
popstring = POP_sqlout(popstring)
' The next two lines are no-ops as displayed (source and target are the same character).
popstring = replace(popstring, ">", ">")
popstring = replace(popstring, "<", "<")
' CHR(32) -> " " changes nothing; CHR(9) turns a tab into a single space.
popstring = Replace(popstring, CHR(32), " ")
popstring = Replace(popstring, CHR(9), " ")
' NOTE(review): the literal on the next line is not a valid VBScript string as shown.
popstring = Replace(popstring, CHR(34), """)
popstring = Replace(popstring, CHR(39), "'")
' NOTE(review): the next two Replace calls each span two physical lines; the replacement
' string is broken as shown and presumably held a line-break tag in the original.
popstring = Replace(popstring, CHR(10) & CHR(10), "
")
popstring = Replace(popstring, CHR(10), "
")
' No-op as displayed: "$" is replaced by "$".
popstring = Replace(popstring, CHR(36), "$")
HTMLEncode = popstring
end if
end function
使用方法:
把需要过滤的提交信息改为POP_sqlin(提交的信息)即可
在需要把信息还原时改为:Htmlencode(提交的信息)即可