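Function SafeRequest(ParaName,ParaType)
    '--- Parameters ---
    'ParaName: parameter name (string). It is looked up with Request(), which
    '          searches QueryString, Form, Cookies, ClientCertificate and
    '          ServerVariables in that order, so a cookie can satisfy a lookup the
    '          caller expected from the query string; read a specific collection
    '          when the source matters.
    'ParaType: parameter type (numeric): 1 = the value must be numeric,
    '          0 = the value is a string and single quotes are doubled.
    'Returns the validated or escaped value. For a non-numeric value with
    'ParaType=1 it writes a message and ends the response, so it never returns.
    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        ' IsNumeric also accepts forms such as "1e3", "&HFF" or " 5 "; none of
        ' them can close a SQL literal, but callers that need a plain integer
        ' should convert with CLng themselves.
        If Not IsNumeric(ParaValue) Then
            ' ParaName is normally a literal written by the developer, not user
            ' input, so echoing it here is not a reflection risk.
            Response.Write "參數" & ParaName & "必須為數字型!"
            Response.End
        End If
    Else
        ' Double the ASCII single quote. The page as published used the
        ' typographic quote (’), which SQL does not treat as a string delimiter,
        ' so the escaping had no effect. This only protects values that are
        ' placed inside a single-quoted SQL literal; numeric contexts, LIKE
        ' patterns and identifiers are not covered. Parameterised queries
        ' (ADODB.Command with Parameters) remain the preferred approach.
        ParaValue = Replace(ParaValue, "'", "''")
    End If
    SafeRequest = ParaValue
End Function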
用SafeRequest(ParaName,ParaType)代替request.form("")和request.querystring("")
*********************************************************************************************************
-------------------------------------------------------------------------------------------------------------------------------------------
*********************************************************************************************************
<%
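Dim sql_injdata, sql_injHint, sql_inj
' Deny-list of SQL fragments rejected in every incoming parameter value.
' NOTE(review): matching is a plain substring test, so entries such as "and",
' "count", "mid", "chr", "*" and "%" also reject ordinary input ("hand",
' "account", "100%"). A deny-list is only a last line of defence; the queries
' themselves should use parameterised ADODB.Command calls (or at least
' SafeRequest-style escaping) so that a bypass of this filter is not an injection.
sql_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
' Human-readable list shown in the alert. The single quote is backslash-escaped
' because the text is embedded in a single-quoted JavaScript string literal;
' the published page had a no-op Replace here, which would have broken the script.
sql_injHint = Replace(sql_injdata, "|", " ")
sql_injHint = Replace(sql_injHint, "'", "\'")
sql_inj = Split(sql_injdata, "|")

' Scan every value in one Request collection (QueryString or Form). On the
' first match it emits a client-side alert, navigates back and ends the response,
' so no later code on the page runs.
Sub RejectIfInjection(coll)
    Dim key, i, hint
    For Each key In coll
        For i = 0 To UBound(sql_inj)
            ' Values are lower-cased once per key; the deny-list is lower case.
            If InStr(LCase(coll(key)), sql_inj(i)) > 0 Then
                hint = "alert('為了保證用戶的信息安全,請不要使用非法注入字符。如下字符為非法的: @sql_injHint@');"
                hint = Replace(hint, "@sql_injHint@", sql_injHint)
                Response.Write "<script language=javascript>"
                Response.Write hint
                Response.Write "history.back()"
                Response.Write "</script>"
                Response.End
            End If
        Next
    Next
End Sub

If Request.QueryString <> "" Then RejectIfInjection Request.QueryString
' The published version iterated Request.QueryString inside this branch, so
' posted form fields were never inspected at all.
If Request.Form <> "" Then RejectIfInjection Request.Form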
%>將此段代碼形成一個文件 (如:defanj.asp),將所有要用到數據庫的文件頭部加入<!--#include file="defanj.asp"-->