ASP中过滤SQL命令字符

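' POP_sqlin - prepare a submitted value for embedding inside a single-quoted
' SQL string literal by doubling every apostrophe (' becomes '').
'
' text    : the submitted value (any variant; Null is accepted)
' returns : "" when text is Null, otherwise text with every ' doubled
'
' SECURITY NOTE: this is string-literal escaping only. It offers no
' protection for values spliced into numeric positions, column names,
' ORDER BY clauses or LIKE patterns, and no keyword blacklist can make
' string concatenation safe. The previous version also ran a list of
' case-insensitive keyword replacements ("and", "select", "exec", "char",
' "mid", "count", ...) whose replacement text was the same word in lower
' case: they blocked nothing and silently changed the case of legitimate
' input ("Andrew" -> "andrew", "Charlie" -> "charlie"). Those have been
' removed. The real fix is to pass values through ADODB.Command parameters
' instead of building SQL text; keep this function only for legacy callers.
function POP_sqlin(text)
   if isnull(text) then
     POP_sqlin = ""
     exit function
   end if

   ' Doubling the apostrophe is the only transformation that changes how
   ' the SQL parser reads a quoted literal, so it is the only one kept.
   POP_sqlin = Replace(text, "'", "''")
end function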

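' POP_sqlout - reverse the apostrophe doubling done by POP_sqlin
' ('' becomes ').
'
' text    : the value to restore (any variant; Null is accepted)
' returns : "" when text is Null, otherwise text with every '' collapsed to '
'
' The previous version also carried thirteen Replace calls that replaced a
' keyword with itself (VBScript Replace is a binary, case-sensitive compare
' by default, so they were exact no-ops); they have been removed because
' they read as if the function decoded something it never did.
'
' NOTE(review): a value that went into the database through a quoted SQL
' literal already has its '' collapsed by the SQL parser, so applying this
' function to a value read back from the database is lossy for any text
' that legitimately contains two consecutive apostrophes. It is only a true
' inverse of POP_sqlin for values that were stored without a SQL round trip.
function POP_sqlout(text)
   if isnull(text) then
     POP_sqlout = ""
     exit function
   end if

   POP_sqlout = Replace(text, "''", "'")
end function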

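' HTMLEncode - render a stored value safely inside an HTML page.
'
' popstring : the value to display (Null is accepted)
' returns   : "" when popstring is Null (the previous version left the
'             return value Empty, which concatenates identically);
'             otherwise the text with HTML metacharacters encoded as
'             entities and line breaks turned into <br /> markup
'
' The version this replaces did not parse as published (an unterminated
' string literal at the CHR(34) replacement and literals broken across
' lines) and, where it did, replaced characters with themselves, so it
' encoded nothing and any stored value containing <script> would have
' reached the page verbatim. The entity names below are the standard ones;
' the newline-to-<br /> mapping is assumed from the broken literals and
' should be confirmed against the original source if exact compatibility
' with previously generated markup matters.
function HTMLEncode(popstring)
   if isnull(popstring) then
     HTMLEncode = ""
     exit function
   end if

   ' Undo the apostrophe doubling done by POP_sqlin. NOTE(review): for a
   ' value read back from the database the SQL parser has already collapsed
   ' '' to ', so this step is only meaningful for values that never went
   ' through a query and it damages legitimate text containing ''.
   popstring = POP_sqlout(popstring)

   ' "&" must be encoded first, otherwise the "&" of every entity produced
   ' below would itself be re-encoded.
   popstring = Replace(popstring, "&", "&amp;")
   popstring = Replace(popstring, ">", "&gt;")
   popstring = Replace(popstring, "<", "&lt;")
   popstring = Replace(popstring, CHR(34), "&quot;")
   popstring = Replace(popstring, CHR(39), "&#39;")
   popstring = Replace(popstring, CHR(36), "&#36;")

   ' Whitespace and line breaks: preserve the author's layout in the page.
   popstring = Replace(popstring, CHR(32), "&nbsp;")
   popstring = Replace(popstring, CHR(9), "&nbsp;&nbsp;&nbsp;&nbsp;")
   ' Drop CR so CRLF (IIS form posts) and bare LF produce the same markup.
   popstring = Replace(popstring, CHR(13), "")
   popstring = Replace(popstring, CHR(10), "<br />")

   HTMLEncode = popstring
end function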


使用方法:
把拼接进 SQL 字符串字面量的提交信息改为 POP_sqlin(提交的信息)。注意它只是把单引号加倍，对拼进数字位置、字段名或 ORDER BY 的值没有任何保护，关键字黑名单也挡不住注入；真正可靠的做法是改用 ADODB.Command 的参数化查询，本函数只用于兼容旧代码。
在需要把信息输出到页面时改为 Htmlencode(提交的信息)，用于防止存储型 XSS。注意数据经数据库写入后单引号已由 SQL 解析器自动还原，Htmlencode 里再把 '' 换回 ' 会改动本身就含 '' 的正文。


