ASP防SQL注入的兩種函數(shù)代碼

2024-05-04 11:07:26

字體：大中小

供稿：網(wǎng)友

Function SafeRequest(ParaName,ParaType)
’--- 傳入?yún)?shù) ---
’ParaName:參數(shù)名稱-字符型
’ParaType:參數(shù)類型-數(shù)字型(1表示以上參數(shù)是數(shù)字，0表示以上參數(shù)為字符)

Dim ParaValue
ParaValue=Request(ParaName)
If ParaType=1 then
If not isNumeric(ParaValue) then
Response.write "參數(shù)" & ParaName & "必須為數(shù)字型！"
Response.end
End if
Else
ParaValue=replace(ParaValue,"’","’’")
End if
SafeRequest=ParaValue
End function

用SafeRequest(ParaName,ParaType)代替request.form("")和request..querystring("")

*********************************************************************************************************

-------------------------------------------------------------------------------------------------------------------------------------------

*********************************************************************************************************

if request.querystring<>"" then
    for each getData in request.querystring
    for i=0 to ubound(sql_inj)
        if instr(lcase(request.querystring(getData)),sql_inj(i))>0 then
        hint="alert(’為了保證用戶的信息安全，請(qǐng)不要使用非法注入字符。如下字符為非法的： @sql_injHint@’);"
        hint=replace(hint,"@sql_injHint@",sql_injHint)
        response.write "<script language=javascript>"
        response.write hint
        response.write "history.back()"
        response.write "</script>"
        response.end
      end if
    next
    next
end if

if request.form<>"" then
    for each getData in request.querystring
    for i=0 to ubound(sql_inj)
        if instr(lcase(request.form(getData)),sql_inj(i))>0 then
        hint="alert(’為了保證用戶的信息安全，請(qǐng)不要使用非法注入字符。如下字符為非法的： @sql_injHint@’);"
        hint=replace(hint,"@sql_injHint@",sql_injHint)
        response.write "<script language=javascript>"
        response.write hint
        response.write "history.back()"
        response.write "</script>"
        response.end
      end if
    next
    next
end if
%>將此段代碼形成一個(gè)文件 (如:defanj.asp)，將所有要用到數(shù)據(jù)庫的文件頭部加入