查看:1474|回复:0
新手入门:防范SQL注入攻击的新办法发表时间:2010-03-09 16:52:41

大虾

0分享0主题0帖子

学徒一级

(初出茅庐)

Function SafeRequest(ParaName)  

Dim ParaValue  

ParaValue=Request(ParaName)

if IsNumeric(ParaValue) = True then

SafeRequest=ParaValue

exit Function

elseIf Instr(LCase(ParaValue),"select ") > 0 or Instr(LCase(ParaValue),"insert ") > 0 or Instr(LCase(ParaValue),"delete from") > 0 or Instr(LCase(ParaValue),"count(") > 0 or Instr(LCase(ParaValue),"drop table") > 0 or Instr(LCase(ParaValue),"update ") > 0 or Instr(LCase(ParaValue),"truncate ") > 0 or Instr(LCase(ParaValue),"asc(") > 0 or Instr(LCase(ParaValue),"mid(") > 0 or Instr(LCase(ParaValue),"char(") > 0 or Instr(LCase(ParaValue),"xp_cmdshell") > 0 or Instr(LCase(ParaValue),"exec master") > 0 or Instr(LCase(ParaValue),"net localgroup administrators") > 0  or Instr(LCase(ParaValue)," and ") > 0 or Instr(LCase(ParaValue),"net user") > 0 or Instr(LCase(ParaValue)," or ") > 0 then

Response.Write "<script language=’javascript’>"
Response.Write "alert(’非法的请求!’);"  ’发现SQL注入攻击提示信息
Response.Write "location.href=’http://dev.test.com/"  ’发现SQL注入攻击转跳网址
Response.Write "<script>"
Response.end
else
SafeRequest=ParaValue
End If
End function

您需要登录以后才可以回帖    登录|注册