ASP 防SQL注入过滤代码问题？？

显示全部楼层 · 2010-8-20 18:53:11

function checkstr(str)
if isnull(str) then
checkstr = ""
exit function
end if
str = replace(str,chr(0),"", 1, －1, 1)
str = replace(str, """", """, 1, －1, 1)
str = replace(str,"；",">；", 1, －1, 1)
str = replace(str, "script", "script", 1, －1, 0)
str = replace(str, "script", "script", 1, －1, 0)
str = replace(str, "script", "script", 1, －1, 0)
str = replace(str, "script", "script", 1, －1, 1)
str = replace(str, "object", "object", 1, －1, 0)
str = replace(str, "object", "object", 1, －1, 0)
str = replace(str, "object", "object", 1, －1, 0)
str = replace(str, "object", "object", 1, －1, 1)
str = replace(str, "applet", "applet", 1, －1, 0)
str = replace(str, "applet", "applet", 1, －1, 0)
str = replace(str, "applet", "applet", 1, －1, 0)
str = replace(str, "applet", "applet", 1, －1, 1)
str = replace(str, "[", "[")
str = replace(str, "]", "]")
str = replace(str, """", "", 1, －1, 1)
str = replace(str, "=", "=", 1, －1, 1)
str = replace(str, "’", "’’", 1, －1, 1)
str = replace(str, "select", "select", 1, －1, 1)
str = replace(str, "execute", "execute", 1, －1, 1)
str = replace(str, "exec", "exec", 1, －1, 1)
str = replace(str, "join", "join", 1, －1, 1)
str = replace(str, "union", "union", 1, －1, 1)
str = replace(str, "where", "where", 1, －1, 1)
str = replace(str, "insert", "insert", 1, －1, 1)
str = replace(str, "delete", "delete", 1, －1, 1)
str = replace(str, "update", "update", 1, －1, 1)
str = replace(str, "like", "like", 1, －1, 1)
str = replace(str, "drop", "drop", 1, －1, 1)
str = replace(str, "create", "create", 1, －1, 1)
str = replace(str, "rename", "rename", 1, －1, 1)
str = replace(str, "count", "count", 1, －1, 1)
str = replace(str, "chr", "chr", 1, －1, 1)
str = replace(str, "mid", "mid", 1, －1, 1)
str = replace(str, "truncate", "truncate", 1, －1, 1)
str = replace(str, "nchar", "nchar", 1, －1, 1)
str = replace(str, "char", "char", 1, －1, 1)
str = replace(str, "alter", "alter", 1, －1, 1)
str = replace(str, "cast", "cast", 1, －1, 1)
str = replace(str, "exists", "exists", 1, －1, 1)
str = replace(str,chr(13),"；", 1, －1, 1)
checkstr = replace(str,"’","’’", 1, －1, 1)
end function
这代码可以防止SQL注入吗？怎么用呢？
具体用在哪地方？？听说很多ASP 网站被黑
如何才能防止？
祥细点吧

千问 · 2010-8-20 18:53:11

不用这样，如果你的变量是数字型，那用Clng()转一下，如果是日期类型， CDate()一下，如果是其他类型，把单引号替换了就行：Function checkStr(ByVal x, ByVal typ)
On Error Rusume Next
'如果你是需要整形变量
If typ = "int" Then
x = Clng(x)
'如果你是需要时间
Else If typ = "date" Then
x = CDate(x)
'其他 Else
x = Replace(x, "'", "''") End If

千问 · 2010-8-20 18:53:11

checkstr(request("fuckhacker"))

千问 · 2010-8-20 18:53:11

用在能够被接受到参数的地方主要是request.formrequest.querystringrequest.cookie这三种类型的变量都有可能会被恶意注入你原来的一些地方写法可能是aaa=request.querystring("aaa")用这个函数就要变成aaa=checkstr(request.querystrin