过滤字符可以啊SQL_injdata = "'|exec|insert|select|delete|update|truncate|declare|or" SQL_inj = split(SQL_Injdata,"|") If Request.QueryString"" Then For Each SQL_Get In Request.QueryString For SQL_Data=0 To Ubound(SQL_inj) if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then Response.Write "" Response.end end if next Next End IfIf Request.Form"" Then For Each Sql_Post In Request.Form For SQL_Data=0 To Ubound(SQL_inj) if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then Response.Write "" Response.end end if next next end if 放在你的处理页的开头