ASP防止注入的代码
作者:wang 日期:2009-10-12
' Builds the ADO connection string and opens the database connection used by
' the rest of the page. Despite its name, strSQL holds a connection string,
' not a query.
' NOTE(review): the SQL Server login (uid/pwd) is embedded in the page source,
' so anyone who can read this file has the database credentials; keeping them
' in a configuration file outside the web root limits that exposure.
strSQL="driver={sql server};server=127.0.0.1;uid=asai;pwd=456789;database=asai"
' Late-bound ADODB.Connection; it is not closed anywhere in the visible code.
set conn=server.createobject("ADODB.CONNECTION")
conn.open strSQL%>
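<%
' Request filter: rejects any POST or GET value that contains one of the
' blacklisted tokens, writes an incident report to the client and ends the
' response. Runs inline on every request that includes this file.
Dim flashack_Post,flashack_Get,flashack_In,flashack_Inf,flashack_Xh,flashack_db,flashack_dbstr
' Blacklist, "※"-separated. Matching is case-insensitive substring matching,
' so ordinary words such as "sand" (and), "account" (count) or "midway" (mid),
' and any value containing "*" or "%", are rejected as well. A blacklist is a
' stop-gap only; parameterised queries (ADODB.Command with parameters) are
' what actually prevents SQL injection.
flashack_In = "'※;※and※exec※insert※select※delete※update※count※*※%※chr※mid※master※truncate※char※declare"
flashack_Inf = split(flashack_In,"※")

' Writes the incident report and stops the response.
'   reportTitle : first line of the report (differs for POST and GET)
'   method      : "POST" or "GET", as shown in the report
'   paramName   : name of the offending field
'   paramValue  : the value that was submitted for it
' The field name and value are HTML-encoded before being written back, so a
' rejected payload cannot run as script inside the report page itself (the
' original wrote them raw, and "<" is not on the blacklist).
' The line separator of the original report was lost when the page was
' extracted (its string literals were split across lines); vbCrLf is used.
Sub flashack_Report(reportTitle, method, paramName, paramValue)
    Response.Write reportTitle & vbCrLf
    Response.Write "操作IP:" & Request.ServerVariables("REMOTE_ADDR") & vbCrLf
    Response.Write "操作时间:" & Now & vbCrLf
    Response.Write "操作页面:" & Request.ServerVariables("URL") & vbCrLf
    Response.Write "提交方式:" & method & vbCrLf
    Response.Write "提交参数:" & Server.HTMLEncode(paramName) & vbCrLf
    Response.Write "提交数据:" & Server.HTMLEncode(paramValue)
    Response.End
End Sub

' Returns True when value contains any blacklisted token (case-insensitive).
Function flashack_Matches(value)
    Dim idx
    flashack_Matches = False
    For idx = 0 To UBound(flashack_Inf)
        If InStr(LCase(value), flashack_Inf(idx)) <> 0 Then
            flashack_Matches = True
            Exit Function
        End If
    Next
End Function

' POST fields first, then the query string; the first match ends the request.
If Request.Form <> "" Then
    For Each flashack_Post In Request.Form
        If flashack_Matches(Request.Form(flashack_Post)) Then
            flashack_Report "非法操作!系统做了如下记录↓", "POST", flashack_Post, Request.Form(flashack_Post)
        End If
    Next
End If
If Request.QueryString <> "" Then
    For Each flashack_Get In Request.QueryString
        If flashack_Matches(Request.QueryString(flashack_Get)) Then
            flashack_Report "非法操作!flashack已经给你做了如下记录↓", "GET", flashack_Get, Request.QueryString(flashack_Get)
        End If
    Next
End If
%>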
<%
' Prevent SQL injection
' NOTE(review): On Error Resume Next at page level suppresses every runtime
' error in the code that follows, including the filter functions below, so a
' filter that fails (for example through a misspelled variable name) is
' skipped silently and the request continues. Consider limiting it to the
' statements that need it and checking Err.Number after them.
On Error Resume Next
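' Replaces each character of STR that appears in the POST blacklist with the
' marker character "敏"; returns "空" when STR is empty.
'   STR : text submitted by POST
' Returns the rewritten string. The original assigned its result to CheckSql
' instead of CheckPost, so the function always returned Empty; fixed here.
' Note: "@", "&", "(", ")" and "=" are legitimate in many inputs (e-mail
' addresses, URLs), so this rewrites valid data as well. Parameterised
' queries are the reliable protection; this function at best limits damage.
function CheckPost(STR)
    Dim message, Badword_POST, chk_Badword, goodword, Newstr, onlyStr, i, j
    message = STR
    ' Single characters to rewrite, "|"-separated; extend the list here.
    ' (Declared locally; the original wrote it to an undeclared page-level
    ' variable.)
    Badword_POST = "'|%|&|*|#|@|(|)|="
    If message <> "" Then
        chk_Badword = split(Badword_POST, "|")
        goodword = "敏"
        Newstr = ""
        ' Walk the input one character at a time and swap blacklisted ones.
        For i = 1 To Len(message)
            onlyStr = Mid(message, i, 1)
            For j = 0 To UBound(chk_Badword)
                If onlyStr = chk_Badword(j) Then
                    ' A one-character match means the whole character is replaced.
                    onlyStr = goodword
                    Exit For
                End If
            Next
            Newstr = Newstr & onlyStr
        Next
    Else
        Newstr = "空"
    End If
    CheckPost = Newstr
end function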
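' HTML-encodes STR for display and doubles single quotes for use inside a SQL
' string literal; Chr(13) becomes a line-break tag.
'   STR : text to encode
' Returns the encoded string. The original never assigned CheckStr, so it
' always returned Empty; fixed here.
' The entity text was lost in the page extraction (the calls read
' Replace(STR,"<","<")); the standard entities are restored, with "&" encoded
' first so that the entities inserted afterwards are not encoded twice. The
' replacement for Chr(13) was a literal split across two lines; "<br>" is a
' reconstructed value - confirm it against the original page.
' NOTE(review): a function named checkStr is also defined later in this file.
' VBScript names are case-insensitive, so the two definitions collide
' ("Name redefined"); one of them has to be renamed.
' Mixing HTML encoding and SQL quoting in one step stores the entities in the
' database; prefer parameterised queries and encode on output instead.
function CheckStr(STR)
    dim Newstr
    Newstr = Replace(STR, "&", "&amp;")
    Newstr = Replace(Newstr, "<", "&lt;")
    Newstr = Replace(Newstr, ">", "&gt;")
    Newstr = Replace(Newstr, " ", "&nbsp;")
    Newstr = Replace(Newstr, "'", "''")
    Newstr = Replace(Newstr, Chr(13), "<br>")
    CheckStr = Newstr
end function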
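' Rejects the request when any query-string value contains a blacklisted
' token. Call it near the top of a page; it ends the response on a match.
' The original split the undefined variable Query_Badword instead of
' Badword_GET, so the token array was empty and nothing was ever rejected
' (On Error Resume Next hid this); the declared list is used here.
' Matching is case-insensitive substring matching, so "set", "net", "and",
' "=" and similar also reject ordinary input ("internet", "sand"). The values
' read from Request.QueryString are URL-decoded, so the "%20from" entry only
' matches a literal "%20" in the decoded value. This is a stop-gap only;
' parameterised queries are the reliable defence.
function CheckGet()
    Dim Badword_GET, Chk_badword, compareStr, i
    ' Tokens that may not appear in a GET value, "|"-separated.
    Badword_GET = "'|exec|insert|select|delete|update|count|*|and|chr|mid|truncate|declare|%20from|;|master.|set|chr(37)|=|net|cmd"
    If Request.QueryString <> "" Then
        Chk_badword = split(Badword_GET, "|")
        For Each compareStr In Request.QueryString
            For i = 0 To UBound(Chk_badword)
                If InStr(LCase(Request.QueryString(compareStr)), Chk_badword(i)) <> 0 Then
                    ' Stop processing. The original comment speaks of returning
                    ' to the previous page, but no such code survives here.
                    Response.End()
                End If
            Next
        Next
    End If
end function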
'··················
'·函数名:RemoveHTML ·
'·功 能:清理HTML标签(去空格) ·
'··················
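' Strips tags (any "<...>" run) from strHTML and returns the remaining text.
'   strHTML : HTML source
' Uses RegExp.Replace instead of a per-match Replace loop, and a pattern that
' also matches tags whose attributes span lines ("." does not match a newline,
' so the original "<.+?>" left such tags in place).
' This is a display helper, not a sanitiser: it runs once and leaves
' entities, unclosed "<" and script text untouched, so encode the result when
' writing it into a page.
Function RemoveHTML(strHTML)
    Dim objRegExp
    Set objRegExp = New RegExp
    objRegExp.IgnoreCase = True
    objRegExp.Global = True
    ' Shortest run from "<" to the next ">", newlines included.
    objRegExp.Pattern = "<[^>]+>"
    RemoveHTML = objRegExp.Replace(strHTML, "")
    Set objRegExp = Nothing
End Function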
'过滤SQL非法字符
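' Prepares str for use inside a SQL string literal: doubles single quotes and
' drops "%"; Null becomes "".
'   str : value to escape (may be Null)
' Returns the escaped string.
' Bug fixed: the second Replace worked on str rather than on the result of
' the first, so the quote doubling was thrown away and the returned value
' still contained the raw quote.
' NOTE(review): CheckStr (capitalised) is also defined earlier in this file;
' VBScript is case-insensitive, so the two names collide - rename one.
' Quote escaping only protects quoted string literals; numeric and LIKE
' contexts are not covered. Parameterised queries are the reliable fix.
function checkStr(str)
    Dim result
    if isnull(str) then
        checkStr = ""
        exit function
    end if
    result = replace(str, "'", "''")
    result = replace(result, "%", "")
    checkStr = result
end function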
'过滤表单字符
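' Encodes ">" and "<" in fString so the value is shown as text rather than
' parsed as markup; returns Empty when fString is Null.
'   fString : form field value
' The entity text was lost in the page extraction (the calls read
' replace(fString, ">", ">")); the standard entities are restored here.
' "&" and quotes pass through unchanged, so the result is not safe inside an
' attribute value - Server.HTMLEncode covers those.
function HTMLcode(fString)
    if not isnull(fString) then
        fString = replace(fString, ">", "&gt;")
        fString = replace(fString, "<", "&lt;")
        HTMLcode = fString
    end if
end function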
'过滤HTML代码
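' Converts fString into HTML for display: encodes "<", ">" and both quote
' characters, turns spaces and tabs into non-breaking spaces and line breaks
' into tags. Returns Empty when fString is Null.
'   fString : text to render
' The replacement strings were lost in the page extraction (entities were
' rendered to their characters and the tag literals were split across lines),
' so they are restored here; the two line-break tags are reconstructed
' placeholders - confirm them against the original page.
' "&" itself is not encoded (as in the original), so a raw "&" stays in the
' output; Server.HTMLEncode covers it if needed.
function HTMLEncode(fString)
    Dim paragraphTag, lineBreakTag
    paragraphTag = "</p><p>"   ' reconstructed placeholder (double LF) - confirm
    lineBreakTag = "<br>"      ' reconstructed placeholder (single LF) - confirm
    if not isnull(fString) then
        fString = replace(fString, ">", "&gt;")
        fString = replace(fString, "<", "&lt;")
        fString = Replace(fString, CHR(32), "&nbsp;")
        fString = Replace(fString, CHR(9), "&nbsp;")
        fString = Replace(fString, CHR(34), "&quot;")
        fString = Replace(fString, CHR(39), "&#39;")
        ' Drop CR so that only LF marks a line break.
        fString = Replace(fString, CHR(13), "")
        ' Two LFs form a paragraph break; any remaining LF a line break.
        fString = Replace(fString, CHR(10) & CHR(10), paragraphTag)
        fString = Replace(fString, CHR(10), lineBreakTag)
        ' fString=ChkBadWords(fString)
        HTMLEncode = fString
    end if
end function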
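' Like HTMLEncode but leaves "<", ">", spaces and tabs alone: encodes both
' quote characters and turns line breaks into tags. Returns Empty when
' fString is Null.
'   fString : text to render
' Because "<" and ">" pass through, the result may still contain markup; do
' not use it for untrusted input that is written into a page.
' The replacement strings were lost in the page extraction and are restored
' here; the line-break tags are reconstructed placeholders - confirm them
' against the original page.
function HTMLancode(fString)
    Dim paragraphTag, lineBreakTag
    paragraphTag = "</p><p>"   ' reconstructed placeholder (double LF) - confirm
    lineBreakTag = "<br>"      ' reconstructed placeholder (single LF) - confirm
    if not isnull(fString) then
        fString = Replace(fString, CHR(34), "&quot;")
        fString = Replace(fString, CHR(39), "&#39;")
        ' Drop CR so that only LF marks a line break.
        fString = Replace(fString, CHR(13), "")
        fString = Replace(fString, CHR(10) & CHR(10), paragraphTag)
        fString = Replace(fString, CHR(10), lineBreakTag)
        ' fString=ChkBadWords(fString)
        HTMLancode = fString
    end if
end function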
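' Reverse of HTMLEncode's line-break handling: turns the paragraph and
' line-break tags back into LF characters. Returns Empty when fString is
' Null (Replace raises on Null; the sibling functions return Empty, so the
' same guard is used here).
'   fString : encoded text
' The first Replace has an empty search string, which VBScript treats as
' "replace nothing"; its search text was lost in the page extraction and is
' kept as it was - TODO(review): restore it from the original page.
' The tag literals were split across lines in the extracted page; the tags
' used here are reconstructed placeholders - confirm against the original.
function HTMLEncodaa(fString)
    Dim paragraphTag, lineBreakTag
    paragraphTag = "</p><p>"   ' reconstructed placeholder (double LF) - confirm
    lineBreakTag = "<br>"      ' reconstructed placeholder (single LF) - confirm
    if not isnull(fString) then
        fString = Replace(fString, "", CHR(13))
        fString = Replace(fString, paragraphTag, CHR(10) & CHR(10))
        fString = Replace(fString, lineBreakTag, CHR(10))
        HTMLEncodaa = fString
    end if
end function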
'··················
'·函数名:hacker ·
'·功 能:防止黑客攻击(后台) ·
'··················
' Compares the request's Referer with outurl. Both inner If bodies are empty
' in this copy of the page, so the Sub currently takes no action whatever it
' finds; presumably the blocking code was lost when the page was extracted.
' outurl is not defined anywhere in the visible file - presumably a
' page-level setting holding this site's URL; confirm where it is set.
' NOTE(review): HTTP_REFERER is supplied by the client and can be omitted or
' set to any value, so a Referer check cannot keep requests out of the admin
' area on its own; it only deters casual cross-site links. An authenticated
' session check on each admin page is the real control.
Sub hacker()
myurl=lcase(trim(request.ServerVariables("HTTP_REFERER")))
if myurl="" then
' An empty Referer falls through without any check.
else
' Looks at the character just past outurl's length (":" - a port?) - body missing.
if mid(myurl,len(outurl)+1,1)=":" then
end if
' Compares the directory part of both URLs (up to the last "/") - body missing.
if lcase(left(myurl,instrrev(myurl,"/")))<>lcase(left(outurl,instrrev(outurl,"/"))) then
end if
end if
end Sub
%>