ASP防止注入的代码

<%
' Opens the page-level ADO connection used by the rest of the listing.
' SECURITY (review): the SQL login, its password and the server are written
' into the page source. Keep the connection string out of web-served files
' (e.g. assign it once in global.asa / an Application variable) and give the
' login only the rights this page needs — none of the request filters below
' help if this account can do anything on the server.
' strSQL is kept as a page-level variable because other code may read it.
strSQL = "driver={sql server};server=127.0.0.1;uid=asai;pwd=456789;database=asai"
Set conn = Server.CreateObject("ADODB.CONNECTION")
conn.Open strSQL
%>
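<%
' Blacklist tripwire for POST and GET parameters: if any value contains one of
' the substrings in flashack_In, a short report is written and the response is
' ended.
'
' NOTE(review): a keyword blacklist is not an injection defence. It is
' bypassable (unlisted keywords, comment tokens, alternative spellings), it does
' not look at Request.Cookies or request headers at all, and it rejects harmless
' input that merely contains "and", "count", "mid", "char", "*" or "%". Every
' database access must use parameterised ADODB.Command queries; keep this, if at
' all, as a noisy early-warning check.
'
' Fix in this revision: the report echoed the parameter name and value (and the
' server variables) back into the page without encoding, so the "anti-injection"
' error page was itself a reflected-XSS sink. Everything taken from the request
' now goes through Server.HTMLEncode. The "<br>" tags restore the line breaks
' that the page rendering had collapsed into bare newlines inside the string
' literals (a VBScript literal cannot span lines).
Dim flashack_Post, flashack_Get, flashack_In, flashack_Inf, flashack_Xh, flashack_db, flashack_dbstr
flashack_In = "'※;※and※exec※insert※select※delete※update※count※*※%※chr※mid※master※truncate※char※declare"
flashack_Inf = Split(flashack_In, "※")

' Writes the refusal report for one offending parameter and ends the response.
' header: leading message line; method: "POST" or "GET";
' paramName / paramValue: the offending parameter (HTML-encoded before output).
Sub flashack_Report(header, method, paramName, paramValue)
    Response.Write header & "<br>"
    Response.Write "操作IP:" & Server.HTMLEncode("" & Request.ServerVariables("REMOTE_ADDR")) & "<br>"
    Response.Write "操作时间:" & Now & "<br>"
    Response.Write "操作页面:" & Server.HTMLEncode("" & Request.ServerVariables("URL")) & "<br>"
    Response.Write "提交方式:" & method & "<br>"
    Response.Write "提交参数:" & Server.HTMLEncode("" & paramName) & "<br>"
    Response.Write "提交数据:" & Server.HTMLEncode("" & paramValue)
    Response.End
End Sub

' Returns True when paramValue contains (case-insensitively) any token of
' flashack_Inf. The tokens are already lower-case.
Function flashack_Hit(paramValue)
    Dim lowered, token
    flashack_Hit = False
    lowered = LCase("" & paramValue)
    For Each token In flashack_Inf
        If InStr(lowered, token) <> 0 Then
            flashack_Hit = True
            Exit Function
        End If
    Next
End Function

If Request.Form <> "" Then
    For Each flashack_Post In Request.Form
        If flashack_Hit(Request.Form(flashack_Post)) Then
            flashack_Report "非法操作!系统做了如下记录↓", "POST", flashack_Post, Request.Form(flashack_Post)
        End If
    Next
End If

If Request.QueryString <> "" Then
    For Each flashack_Get In Request.QueryString
        If flashack_Hit(Request.QueryString(flashack_Get)) Then
            flashack_Report "非法操作!flashack已经给你做了如下记录↓", "GET", flashack_Get, Request.QueryString(flashack_Get)
        End If
    Next
End If
%>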
<%
' Anti-SQL-injection helpers follow.
' SECURITY (review): a page-level On Error Resume Next makes every check below
' fail open — a runtime error inside CheckGet or CheckPost (an undeclared or
' misspelled variable, for instance) is silently swallowed and the request
' continues as if it had passed. A failing security check should abort the
' request; keep error suppression local to the statements that really need it.

On Error Resume Next
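Function CheckPost(STR)
    ' Removes every entry of Badword_POST from a POST-submitted string and
    ' returns the result. An empty (or Null) input returns the literal "空",
    ' as in the original.
    '
    ' Fixes: the original stored its result in CheckSql instead of CheckPost,
    ' so callers always received Empty; it also declared "messgae" while using
    ' "message", and left i / j / Badword_POST as implicit page globals.
    ' Entries in Badword_POST may now be longer than one character — the
    ' original compared single characters, so a multi-character entry could
    ' never match even though its comment invited adding arbitrary strings.
    '
    ' SECURITY: deleting quotes, % and parentheses is not an injection defence
    ' (numeric contexts and unlisted characters get through, and legitimate
    ' data such as O'Brien is silently corrupted). Use parameterised
    ' ADODB.Command queries; treat this as legacy input cleanup only.
    Dim Badword_POST, chk_Badword, Newstr, i
    Badword_POST = "'|%|&|*|#|@|(|)|="    ' strings removed from POST values
    Newstr = "" & STR
    If Newstr <> "" Then
        chk_Badword = Split(Badword_POST, "|")
        For i = 0 To UBound(chk_Badword)
            Newstr = Replace(Newstr, chk_Badword(i), "")
        Next
    Else
        Newstr = "空"
    End If
    CheckPost = Newstr
End Function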

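Function CheckStr(STR)
    ' Entity-encodes & < > and spaces, doubles single quotes and turns CR into
    ' <br>; returns the encoded string (Null input yields "").
    '
    ' Fixes: the original never assigned its return value, so callers always
    ' received Empty; it encoded "&" last, which rewrote the &lt; / &gt; it had
    ' just produced into &amp;lt; / &amp;gt; — "&" is now encoded first. The
    ' entities themselves had been collapsed by the page rendering (the listing
    ' showed Replace(STR, "<", "<")); the standard encodings are restored.
    '
    ' NOTE(review): VBScript names are case-insensitive, so this definition and
    ' the later checkStr(str) in the same file redefine one procedure, which is
    ' a compile-time "Name redefined" error — keep only one of them. Doubling
    ' quotes is not a substitute for parameterised queries.
    Dim Newstr
    Newstr = "" & STR
    Newstr = Replace(Newstr, "&", "&amp;")
    Newstr = Replace(Newstr, "<", "&lt;")
    Newstr = Replace(Newstr, ">", "&gt;")
    Newstr = Replace(Newstr, " ", "&nbsp;")
    Newstr = Replace(Newstr, "'", "''")
    Newstr = Replace(Newstr, Chr(13), "<br>")
    CheckStr = Newstr
End Function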

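Function CheckGet()
    ' Ends the response if any query-string value contains one of the
    ' substrings in Badword_GET. Call it near the top of a page; there is no
    ' return value.
    '
    ' Fix: the original split Query_Badword, which is never assigned, instead
    ' of Badword_GET, so the token array was empty and the check never fired.
    ' The loop index is now declared locally instead of leaking into page scope.
    '
    ' SECURITY: a substring blacklist is not an injection defence — it is easy
    ' to evade and it rejects ordinary words ("internet", "settings", "command"
    ' contain net / set / cmd). Request.QueryString is already URL-decoded, so
    ' the "%20from" entry can never match. Use parameterised ADODB.Command
    ' queries and treat this as a tripwire at most. Request.Form and
    ' Request.Cookies are not inspected here.
    Dim Badword_GET, Chk_badword, compareStr, i, lowered
    Badword_GET = "'|exec|insert|select|delete|update|count|*|and|chr|mid|truncate|declare|%20from|;|master.|set|chr(37)|=|net|cmd"
    If Request.QueryString <> "" Then
        Chk_badword = Split(Badword_GET, "|")
        For Each compareStr In Request.QueryString
            lowered = LCase("" & Request.QueryString(compareStr))
            For i = 0 To UBound(Chk_badword)
                If InStr(lowered, Chk_badword(i)) <> 0 Then
                    Response.End
                End If
            Next
        Next
    End If
End Function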

'··················
'·函数名:RemoveHTML              ·
'·功 能:清理HTML标签(去空格)    ·
'··················
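Function RemoveHTML(strHTML)
    ' Removes every "<...>" run (tags) from strHTML and returns what is left;
    ' Null input yields "".
    '
    ' Fix: the original collected the matches and then called Replace() once
    ' per match. Each Replace is global, so it is quadratic and can delete a
    ' short tag out of the middle of a longer match, leaving a fragment of the
    ' longer one behind ("<i <b>" -> "<i "). RegExp.Replace removes each match
    ' exactly once, in place.
    '
    ' SECURITY: this is a display-cleanup helper, not an XSS sanitiser. "." does
    ' not match a newline, so a tag broken across lines survives; an
    ' unterminated "<script" survives; entity-encoded markup is untouched.
    ' Encode output with Server.HTMLEncode instead of trying to strip it.
    Dim objRegExp
    Set objRegExp = New RegExp
    objRegExp.IgnoreCase = True
    objRegExp.Global = True
    objRegExp.Pattern = "<.+?>"
    RemoveHTML = objRegExp.Replace("" & strHTML, "")
    Set objRegExp = Nothing
End Function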

'过滤SQL非法字符
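Function checkStr(str)
    ' Returns str with single quotes doubled and every "%" removed; Null yields "".
    '
    ' Fix: the second Replace in the original started from str again instead of
    ' the already-quoted result, so the quote doubling was thrown away and only
    ' the "%" removal survived.
    '
    ' NOTE(review): VBScript is case-insensitive, so this clashes with the
    ' earlier CheckStr(STR) in the same file ("Name redefined" at compile
    ' time); keep only one. Doubling quotes only helps inside a quoted SQL
    ' string literal and does nothing for numeric contexts — use parameterised
    ' queries.
    If IsNull(str) Then
        checkStr = ""
        Exit Function
    End If
    checkStr = Replace(Replace(str, "'", "''"), "%", "")
End Function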


'过滤表单字符
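Function HTMLcode(fString)
    ' Entity-encodes "<" and ">" in a form value so it renders as text rather
    ' than markup; Null input leaves the return value Empty (original behaviour).
    '
    ' Fix: the listing showed replace(fString, ">", ">") — the &gt; / &lt;
    ' entities had been collapsed by the page rendering, which made the function
    ' a no-op; they are restored. "&" and quotes are still not encoded, so the
    ' result is only safe as element text, never inside an attribute or script;
    ' Server.HTMLEncode covers those as well.
    If Not IsNull(fString) Then
        fString = Replace(fString, ">", "&gt;")
        fString = Replace(fString, "<", "&lt;")
        HTMLcode = fString
    End If
End Function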
'过滤HTML代码
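Function HTMLEncode(fString)
    ' Encodes a string for display inside HTML: < > " ' become entities, space
    ' and tab become &nbsp;, CR is dropped, a blank line becomes a paragraph
    ' break and a single LF a <br>. Null input leaves the return value Empty.
    '
    ' Fix: the entities and tags had been collapsed by the page rendering (the
    ' listing showed replace(fString, ">", ">") and string literals broken
    ' across lines, which cannot compile); the usual encodings are restored.
    ' "&" is still not encoded — add Replace(fString, "&", "&amp;") as the
    ' FIRST step if input may contain it — and the output is for element text
    ' only, not attributes or JavaScript. Server.HTMLEncode is the built-in
    ' alternative.
    If Not IsNull(fString) Then
        fString = Replace(fString, ">", "&gt;")
        fString = Replace(fString, "<", "&lt;")
        fString = Replace(fString, Chr(32), "&nbsp;")
        fString = Replace(fString, Chr(9), "&nbsp;")
        fString = Replace(fString, Chr(34), "&quot;")
        fString = Replace(fString, Chr(39), "&#39;")
        fString = Replace(fString, Chr(13), "")
        fString = Replace(fString, Chr(10) & Chr(10), "</p><p>")
        fString = Replace(fString, Chr(10), "<br>")
        ' fString = ChkBadWords(fString)   ' left disabled, as in the original
        HTMLEncode = fString
    End If
End Function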
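Function HTMLancode(fString)
    ' Encodes quotes and converts line breaks for display WITHOUT touching "<"
    ' and ">", so any markup in fString is passed through. Null input leaves
    ' the return value Empty.
    '
    ' Fix: the entities/tags had been collapsed by the page rendering (string
    ' literals broken across lines, which cannot compile); restored to the same
    ' encodings HTMLEncode uses.
    ' SECURITY: because tags survive, never apply this to untrusted input that
    ' ends up in a page; it is only suitable for content that is trusted or
    ' sanitised elsewhere.
    If Not IsNull(fString) Then
        fString = Replace(fString, Chr(34), "&quot;")
        fString = Replace(fString, Chr(39), "&#39;")
        fString = Replace(fString, Chr(13), "")
        fString = Replace(fString, Chr(10) & Chr(10), "</p><p>")
        fString = Replace(fString, Chr(10), "<br>")
        ' fString = ChkBadWords(fString)   ' left disabled, as in the original
        HTMLancode = fString
    End If
End Function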
function HTMLEncodaa(fString)
    ' Reverse of the display encoding: maps markup back to CR / LF characters.
    ' NOTE(review): the search strings below are unreadable in this listing —
    ' the page rendering collapsed the original literals (presumably the
    ' <br> / paragraph tags HTMLEncode emits) into an empty string and bare
    ' line breaks, and a VBScript string literal cannot span lines, so this
    ' block does not compile as printed. Recover the literals from the original
    ' file before relying on it. As written, Replace(fString, "", ...) is a
    ' no-op (a zero-length search string returns the input unchanged), and
    ' Null input is not guarded here although the sibling helpers test IsNull.
    fString = Replace(fString, "", CHR(13))
   fString = Replace(fString, "

", CHR(10) & CHR(10))
   fString = Replace(fString, "
",CHR(10) )
   HTMLEncodaa = fString
end function

'··················
'·函数名:hacker                  ·
'·功 能:防止黑客攻击(后台)    ·
'··················
Sub hacker()
' Compares the Referer of the current request with the site URL held in
' outurl (assigned elsewhere — not visible in this listing).
' NOTE(review): both If blocks are empty as printed; whatever the original did
' on a mismatch (presumably a redirect or a script) was lost in the page
' rendering, so as it stands this Sub never blocks anything.
' SECURITY: HTTP_REFERER is client-controlled and frequently absent (privacy
' settings, HTTPS->HTTP navigation, direct entry), and the empty-referer case
' is let through here anyway. A Referer check is not authentication and not
' CSRF protection for an admin area — use a server-side session check and
' anti-CSRF tokens. myurl is not declared and becomes a page-level variable.
myurl=lcase(trim(request.ServerVariables("HTTP_REFERER")))
if myurl="" then
else
' Looks for a port separator immediately after the site prefix; the action is
' missing as printed.
if mid(myurl,len(outurl)+1,1)=":" then
end if
' Compares the directory part (up to the last "/") of the referer with that
' of outurl; the action is missing as printed.
if lcase(left(myurl,instrrev(myurl,"/")))<>lcase(left(outurl,instrrev(outurl,"/"))) then
end if
end if
end Sub
%>

