防止SQL注入ASP代码

<%
'--------定义部份------------------
Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr
'自定义需要过滤的字串,用 "枫" 分隔
Fy_In = "'枫;枫and枫exec枫insert枫select枫delete枫update枫count枫*枫%枫chr枫mid枫master枫truncate枫char枫declare"
Fy_Inf 
= split(Fy_In,"")
If Request.Form<>"" Then
For Each Fy_Post In Request.Form

For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
Response.Write 
"<Script Language=JavaScript>alert('提示:您想通过SQL注入↓\n\n请您马上停止这种非法行为,您的IP已被我们的系统记录,查明以后我们将移交公安机关严肃处理!');</Script>"
Response.Write 
"非法操作!系统做了如下记录↓<br>"
Response.Write 
"操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
Response.Write 
"操作时间:"&Now&"<br>"
Response.Write 
"操作页面:"&Request.ServerVariables("URL")&"<br>"
Response.Write 
"提交方式:POST<br>"
Response.Write 
"提交参数:"&Fy_Post&"<br>"
Response.Write 
"提交数据:"&Request.Form(Fy_Post)
Response.End
End If
Next
Next
End If
If Request.QueryString<>"" Then
For Each Fy_Get In Request.QueryString
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
Response.Write 
"<Script Language=JavaScript>alert('提示:您想通过SQL注入↓\n\n请您马上停止这种非法行为,您的IP已被我们的系统记录,查明以后我们将移交公安机关严肃处理!');</Script>"
Response.Write 
"非法操作!我们已经给你做了如下记录↓<br>"
Response.Write 
"操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
Response.Write 
"操作时间:"&Now&"<br>"
Response.Write 
"操作页面:"&Request.ServerVariables("URL")&"<br>"
Response.Write 
"提交方式:GET<br>"
Response.Write 
"提交参数:"&Fy_Get&"<br>"
Response.Write 
"提交数据:"&Request.QueryString(Fy_Get)
Response.End
End If
Next
Next
End If
%>
posted @ 2006-03-24 14:41  斌哥  阅读(593)  评论(0编辑  收藏  举报