Category: ASP+VBS | 2006-7-18 13:53:00

'SQL anti-injection function. Usage: wherever injection protection is needed, replace the previous Request("XXXX") with SafeRequest("XXXX")
'www.yongfa365.com

Function SafeRequest(ParaValue)
    Dim LockValue, i, errmsg
    ParaValue = Trim(Request(ParaValue))
    If ParaValue = "" Then
        SafeRequest = ""
        Exit Function
    End If
    'Strings to filter, separated by ","
    LockValue = "',Select,Update,Delete,insert,Count(,drop table,truncate,Asc(,Mid(,char(,xp_cmdshell,exec master,net localgroup administrators,And,net user,Or"
    LockValue = Split(LockValue, ",")
    'Check whether the value contains any blacklisted string (case-insensitive substring match)
    errmsg = 0
    For i = 0 To UBound(LockValue)
        If InStr(LCase(ParaValue), LCase(LockValue(i))) > 0 Then
            errmsg = 1
            Exit For
        End If
    Next
    'Injection handling: reject the request and send the browser back
    If errmsg = 1 Then
        Response.Write "<script language='javascript'>alert('Suspicious SQL injection request!');window.history.go(-1);</script>"
        Response.End
    Else
        SafeRequest = ParaValue
    End If
End Function

Below is an example that does the filtering with a regular expression instead.


'SQL anti-injection function. Usage: wherever injection protection is needed, replace the previous Request("XXXX") with SafeRequest("XXXX")
'www.yongfa365.com
  
Function SafeRequest(ParaValue)
    Dim re, Matches, RegExpTest
    ParaValue = Trim(Request(ParaValue))
    'Regular-expression filter
    Set re = New RegExp
    'Blacklisted injection strings (alternation; matched anywhere in the value)
    re.Pattern = "\'|Select|Update|Delete|insert|Count|drop table|truncate|Asc|Mid|char|xp_cmdshell|exec master|net localgroup administrators|And|net user|Or"
    re.IgnoreCase = True
    re.Global = True
    Set Matches = re.Execute(ParaValue)
    RegExpTest = Matches.Count
    'Injection handling: any match rejects the request and sends the browser back
    If RegExpTest > 0 Then
        Response.Write "<script language='javascript'>alert('Suspicious SQL injection request!');window.history.go(-1);</script>"
        Response.End
    Else
        SafeRequest = ParaValue
    End If
End Function
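Both versions above are keyword blacklists: they reject legitimate values that happen to contain "And", "Or", "Mid" or "char" (names such as "Andrew" or "Orlando"), and they can only block the tokens the author thought of. The robust fix in classic ASP is to keep user input out of the SQL text entirely by binding it as a parameter with ADODB.Command, as in this added example (not from the original post); the table name Users, its columns, and the Application("ConnStr") connection string are assumed placeholders.

```vbscript
' Added example: parameterized query with ADODB.Command instead of keyword filtering.
' Assumptions: a table Users(UserId, UserName, Email) and a connection string in Application("ConnStr").
Const adCmdText = 1, adParamInput = 1, adVarChar = 200

Function GetUserByName(conn, userName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder is bound below; the value is never concatenated into the SQL text,
    ' so quotes or SQL keywords inside it are treated as data, not as part of the statement.
    cmd.CommandText = "SELECT UserId, Email FROM Users WHERE UserName = ?"
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, adParamInput, 50, userName)
    Set GetUserByName = cmd.Execute
End Function

Dim conn, rs, userName
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")

' Plain input validation (trim, length limit) still applies; no keyword blacklist is needed.
userName = Left(Trim(Request("UserName")), 50)
Set rs = GetUserByName(conn, userName)
If Not rs.EOF Then
    ' Encode on output so the value cannot become script when written into the page.
    Response.Write Server.HTMLEncode(rs("Email"))
End If
rs.Close
conn.Close
```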


Page address: http://www.yongfa365.com/item/64b203bfb37ef51a.html
Powered by: 柳永法 (yongfa365)'s Blog