Functions to prevent SQL injection
<%
' Filter a string (this function converts some dangerous symbols to their full-width
' forms; letter case is not affected. PS: you don't necessarily need to filter this
' much; filtering the single quote ' is the main thing).
Function StrChk(str)
    Dim lcStr
    If IsNull(str) Or IsEmpty(str) Then
        str = ""
    End If
    str = Trim(str)
    str = Replace(str, "--", "——")
    str = Replace(str, "&", "＆")
    str = Replace(str, ";", "；")
    str = Replace(str, "`", "｀")
    str = Replace(str, "'", "''")   ' double each quote (SQL escaping) ...
    str = Replace(str, "'", "‘")    ' ... then make every quote full-width, so each ' ends up as ‘‘
    str = Replace(str, "|", "｜")
    str = Replace(str, "*", "＊")
    str = Replace(str, "?", "？")
    str = Replace(str, "~", "～")
    str = Replace(str, "<", "＜")
    str = Replace(str, ">", "＞")
    str = Replace(str, "(", "（")
    str = Replace(str, ")", "）")
    str = Replace(str, "^", "︿")
    'str = Replace(str, "[", "［")
    'str = Replace(str, "]", "］")
    str = Replace(str, "{", "｛")
    str = Replace(str, "}", "｝")
    'str = Replace(str, "$", "＄")
    str = Replace(str, "/", "／")
    'str = Replace(str, "#", "＃")
    str = Replace(str, Chr(92), "＼")   ' backslash
    str = Replace(str, Chr(34), "＂")   ' double quote
    str = Replace(str, Chr(10), "")     ' LF, CR, TAB and NUL are removed outright
    str = Replace(str, Chr(13), "")
    str = Replace(str, Chr(9), "")
    str = Replace(str, Chr(0), "")
    lcStr = LCase(str)
    If (InStr(lcStr, "select") <> 0) Or (InStr(lcStr, "union") <> 0) Then ' keyword found
        Response.Write("The parameter contains unsafe characters (such as select or union); please remove them first...")
        Response.End
    End If
    StrChk = str
End Function

' Filter every string passed via GET; as soon as bad data is found, go to the error page.
' Call this at the top of the page and everything is filtered.
Sub ChkAllGet()
    Dim get_name, get_filter, get_allfilter, for_get, i
    get_allfilter = "--!&!;!`!'!|!*!?!~!<!>!^!(!)![!]!{!}!$!/!#!" & Chr(0) & "!" & Chr(34) & "!" & Chr(10) & "!" & Chr(13) & "!" & Chr(92) & "!" & Chr(9)
    get_allfilter = get_allfilter & "!select !insert !delete from !drop table!update !asc(!mid(!chr(! and ! or !union "
    ' Handle GET
    If Request.QueryString <> "" Then
        get_filter = Split(get_allfilter, "!")
        For Each get_name In Request.QueryString
            for_get = LCase(Request.QueryString(get_name))
            For i = 0 To UBound(get_filter)
                'If ((InStr(for_get, get_filter(i)) <> 0) Or Len(Trim(for_get)) = 0 Or IsNull(for_get)) Then
                If ((InStr(for_get, get_filter(i)) <> 0) Or IsNull(for_get)) Then
                    Call ErrorHandle("get")
                End If
            Next
        Next
    End If
End Sub

' Filter every string passed via form POST; as soon as bad data is found, go to the error page.
' Call this at the top of the page and everything is filtered.
Sub ChkAllPost()
    Dim post_name, post_filter, post_allfilter, for_post, j
    post_allfilter = "--!&!;!`!'!|!*!?!~!<!>!^!(!)![!]!{!}!$!/!#!" & Chr(0) & "!" & Chr(34) & "!" & Chr(10) & "!" & Chr(13) & "!" & Chr(92) & "!" & Chr(9)
    post_allfilter = post_allfilter & "!select !insert !delete from !drop table!update !asc(!mid(!chr(! and ! or !union "
    '== Handle POST
    If Request.Form <> "" Then
        post_filter = Split(post_allfilter, "!")
        For Each post_name In Request.Form
            for_post = LCase(Request.Form(post_name))
            For j = 0 To UBound(post_filter)
                'If ((InStr(for_post, post_filter(j)) <> 0) Or Len(Trim(for_post)) = 0 Or IsNull(for_post)) Then
                If ((InStr(for_post, post_filter(j)) <> 0) Or IsNull(for_post)) Then
                    Call ErrorHandle("post")
                End If
            Next
        Next
    End If
End Sub

' ErrorHandle is called above but its body is not included in the post; this is a
' placeholder that stops the response (the post says it redirects to an error page).
Sub ErrorHandle(src)
    Response.Write("Unsafe " & src & " parameter detected.")
    Response.End
End Sub

' Returns True only when every character is in the allowed set (letters, digits, hyphen).
Function StrictChk(str)
    Dim Letters : Letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890-"
    Dim i, c
    If (IsEmpty(str) Or IsNull(str)) Then
        StrictChk = False
        Exit Function
    End If
    For i = 1 To Len(str)
        c = Mid(str, i, 1)
        If (InStr(Letters, c) = 0) Then
            StrictChk = False
            Exit Function
        End If
    Next
    StrictChk = True
End Function
%>
2006-7-18 15:00:46
Posted by jser
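As an added example that is not part of the original post, the blacklist logic of StrChk and ChkAllGet/ChkAllPost is ported to Python and run over constructed inputs, next to a parameterized query against an in-memory SQLite table. The table, the user names and the function names (str_chk, chk_all, open_demo_db, find_user_id) are assumptions made for the demo. It shows what the post's own caveat ("filtering the single quote is the main thing") implies: the blacklist mangles legitimate data such as an apostrophe in a surname, and it becomes unnecessary once the value is bound as a query parameter.

```python
"""Added example (not the post's ASP code): a Python port of the blacklist
logic in StrChk / ChkAllGet / ChkAllPost, run against constructed inputs,
beside the parameterized query that makes such filtering unnecessary."""
import sqlite3

# Full-width substitutions mirroring the active Replace() lines in StrChk.
# Order matters: "--" must run before the single-character rules.
FULLWIDTH = [
    ("--", "——"), ("&", "＆"), (";", "；"), ("`", "｀"), ("'", "‘"),
    ("|", "｜"), ("*", "＊"), ("?", "？"), ("~", "～"), ("<", "＜"),
    (">", "＞"), ("(", "（"), (")", "）"), ("^", "︿"), ("{", "｛"),
    ("}", "｝"), ("/", "／"), ("\\", "＼"), ('"', "＂"),
]
STRIP_CHARS = "\n\r\t\x00"         # StrChk deletes these outright
BLOCK_WORDS = ("select", "union")  # StrChk aborts the response on these


def str_chk(value):
    """Port of StrChk: neutralize metacharacters and raise where the ASP
    code would Response.End. Returns the sanitized string."""
    if value is None:
        value = ""
    value = value.strip()
    for src, dst in FULLWIDTH:
        value = value.replace(src, dst)
    for ch in STRIP_CHARS:
        value = value.replace(ch, "")
    lowered = value.lower()
    if any(word in lowered for word in BLOCK_WORDS):
        raise ValueError("parameter contains select or union")
    return value


# The same "!"-separated token list that ChkAllGet and ChkAllPost split on.
# Several keyword tokens carry a trailing or surrounding space, so unlike
# StrChk this list matches "select " only with the space after it.
ALL_FILTER = (
    "--!&!;!`!'!|!*!?!~!<!>!^!(!)![!]!{!}!$!/!#!\x00!\"!\n!\r!\\!\t"
    "!select !insert !delete from !drop table!update !asc(!mid(!chr(! and ! or !union "
)


def chk_all(params):
    """Port of ChkAllGet/ChkAllPost over a dict of request parameters.
    Returns the names of parameters that hit the blacklist; the ASP version
    calls ErrorHandle on the first hit instead."""
    tokens = ALL_FILTER.split("!")
    hits = []
    for name, value in params.items():
        lowered = (value or "").lower()
        if any(tok in lowered for tok in tokens):
            hits.append(name)
    return hits


def open_demo_db():
    """Constructed in-memory users table so the comparison runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn


def find_user_id(conn, username):
    """Bound parameter: the driver passes username as data, so a quote in it
    is just a quote and no blacklist is needed. Returns the id or None."""
    row = conn.execute("SELECT id FROM users WHERE name = ?",
                       (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(str_chk("O'Brien"))                      # O‘Brien: mangled, not rejected
    print(chk_all({"q": "O'Brien", "page": "2"}))  # ['q']: the apostrophe alone trips the blacklist
    db = open_demo_db()
    print(find_user_id(db, "O'Brien"))             # 2: the real surname works with no filtering at all
    print(find_user_id(db, "alice' or 'a'='a"))    # None: treated as a literal name, not as SQL
```

In classic ASP the same binding is done with an ADODB.Command object and CreateParameter instead of concatenating the request value into the SQL string; the blacklist then only serves as defence in depth, and StrictChk's allow-list is the better choice for fields that are genuinely restricted to letters, digits and hyphens.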