很多网站对get跟post字段只是去掉了空格,而没有做过滤
所以会导致sql注入漏洞

解决办法在是在asp文件的开头,加入以下代码的,可以把该代码加入到top文件.


<%
dim SQL_injdata
SQL_injdata="'|and|or|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString<>"" Then
For Each SQL_GET In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
'Response.Write ("<Script>alert('请不要在参数中包含非法字符!');history.back(-1)</Script>" )
Response.Redirect ("../home/index.asp")
Response.end
end if
next
Next

For Each SQL_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
'Response.Write ("<Script>alert('请不要在参数中包含非法字符!');history.back(-1)</Script>" )
Response.Redirect ("../home/index.asp")  
Response.end
end if
next
next
end if
%>
posted on 2010-04-08 03:27  sn_wolf  阅读(192)  评论(0编辑  收藏  举报