ASP anti-injection
While improving a set of ASP code for my company, I gave some thought to preventing injection.
I referred to several pieces of code found online, modified and merged them, and convert everything to lowercase before matching.
Script injection is also taken into account.
The code follows:
' ASP anti-injection: every GET, POST and cookie value is matched against a keyword blacklist
SQL_injdata = lcase(":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'")
SQL_injdata = SQL_injdata & lcase("|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|script")
SQL_inj = split(SQL_injdata, "|")

' GET: purely numeric values are let through; everything else is lower-cased and checked
if Request.QueryString <> "" then
    For Each SQL_Get In Request.QueryString
        For SQL_Data = 0 To Ubound(SQL_inj)
            if not IsNumeric(Request.QueryString(SQL_Get)) then
                if instr(lcase(Request.QueryString(SQL_Get)), SQL_inj(SQL_Data)) > 0 Then
                    Response.Write "Sorry, illegal URL request!"
                    Response.End
                end if
            end if
        next
    next
end if

' POST: same check, without the numeric exemption
if Request.Form <> "" then
    For Each SQL_Post In Request.Form
        For SQL_Data = 0 To Ubound(SQL_inj)
            if instr(lcase(Request.Form(SQL_Post)), SQL_inj(SQL_Data)) > 0 Then
                Response.Write "Sorry, illegal form data!"
                Response.End
            end if
        next
    next
end if

' Cookies: same check again
if Request.Cookies <> "" then
    For Each SQL_Cookie In Request.Cookies
        For SQL_Data = 0 To Ubound(SQL_inj)
            if instr(lcase(Request.Cookies(SQL_Cookie)), SQL_inj(SQL_Data)) > 0 Then
                Response.Write "Sorry, illegal cookie data!"
                Response.End
            end if
        next
    next
end if

' POST value filtering: SQL-injection stripping plus HTML protection.
' Call it on each value before it reaches a query or the page, e.g. username = nosql(Request.Form("username"))
function nosql(str)
    if not isnull(str) then
        str = trim(str)
        str = replace(str, ";", "；")                 ' semicolon -> full-width
        str = replace(str, "'", "＇")                 ' single quote -> full-width
        str = replace(str, """", "＂")                ' double quote -> full-width
        str = replace(str, chr(34), "＂")             ' double quote by character code
        str = replace(str, chr(39), "＇")             ' single quote by character code
        ' escape angle brackets and parentheses before inserting <br> below, otherwise the <br> itself gets escaped
        str = replace(str, "<", "＜")                 ' left <
        str = replace(str, ">", "＞")                 ' right >
        str = replace(str, "(", "（")                 ' left (
        str = replace(str, ")", "）")                 ' right )
        str = replace(str, chr(9), " ")               ' tab -> space
        str = replace(str, chr(10), "<br>")           ' line feed -> <br>
        str = replace(str, chr(13), "<br>")           ' carriage return -> <br>
        str = replace(str, "--", "－－")              ' SQL comment marker
        ' keyword stripping; Replace is case-sensitive unless vbTextCompare is passed
        str = Replace(str, "script", "ｓｃｒｉｐｔ", 1, -1, vbTextCompare) ' jscript
        str = Replace(str, "net user", "", 1, -1, vbTextCompare)
        str = Replace(str, "xp_cmdshell", "", 1, -1, vbTextCompare)
        str = Replace(str, "/add", "", 1, -1, vbTextCompare)
        str = Replace(str, "exec%20master.dbo.xp_cmdshell", "", 1, -1, vbTextCompare)
        str = Replace(str, "net localgroup administrators", "", 1, -1, vbTextCompare)
        str = Replace(str, "select", "", 1, -1, vbTextCompare)
        str = Replace(str, "count", "", 1, -1, vbTextCompare)
        str = Replace(str, "asc", "", 1, -1, vbTextCompare)
        str = Replace(str, "char", "", 1, -1, vbTextCompare)
        str = Replace(str, "mid", "", 1, -1, vbTextCompare)
        str = Replace(str, ":", "")
        str = Replace(str, "insert", "", 1, -1, vbTextCompare)
        str = Replace(str, "delete", "", 1, -1, vbTextCompare)
        str = Replace(str, "drop", "", 1, -1, vbTextCompare)
        str = Replace(str, "truncate", "", 1, -1, vbTextCompare)
        str = Replace(str, "from", "", 1, -1, vbTextCompare)
        str = Replace(str, "%", "")
        nosql = str
    end if
end function
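A keyword blacklist of this kind has two structural problems that are worth seeing on real input: it rejects harmless values that happen to contain a listed word ("and", "mid", "dir", "$"), and it lets through payloads built from words that are not on the list, while single-pass stripping in nosql() can be undone by nesting a keyword inside itself. The block below is an added example, not code from the original post: a Python port of the two filters above, run against constructed inputs, followed by the same lookup written with string concatenation (the way the protected pages build their SQL) and with a bound parameter. The table, names and payloads are constructed for this example; the `float()` test stands in for VBScript's IsNumeric(), and the in-memory SQLite table stands in for the real database.

```python
import re
import sqlite3

# Same keyword list as SQL_injdata in the ASP code above, in the same order.
SQL_INJ = (":|;|>|<|--|sp_|xp_|\\|dir|cmd|^|(|)|+|$|'"
           "|copy|format|and|exec|insert|select|delete|update|count|*|%"
           "|chr|mid|master|truncate|char|declare|script").lower().split("|")

# The substrings nosql() blanks out, in the same order as the ASP code.
STRIP_WORDS = ["net user", "xp_cmdshell", "/add", "exec%20master.dbo.xp_cmdshell",
               "net localgroup administrators", "select", "count", "asc", "char",
               "mid", ":", "insert", "delete", "drop", "truncate", "from", "%"]

# The full-width substitutions nosql() applies before stripping.
FULLWIDTH = [(";", "；"), ("'", "＇"), ('"', "＂"), ("<", "＜"), (">", "＞"),
             ("(", "（"), (")", "）"), ("--", "－－"), ("script", "ｓｃｒｉｐｔ")]


def blacklist_blocks(value: str, is_querystring: bool = False) -> bool:
    """Port of the request-level check: True means the ASP page would Response.End.
    The GET branch exempts anything IsNumeric() accepts; float() is a stand-in."""
    if is_querystring:
        try:
            float(value)
            return False
        except ValueError:
            pass
    low = value.lower()
    return any(tok in low for tok in SQL_INJ)


def nosql(value: str) -> str:
    """Port of nosql(): full-width substitution, then single-pass keyword removal.
    Case-insensitive, matching the post's stated intent of lower-casing before matching.
    re.sub, like VBScript's Replace, makes one left-to-right pass, so removing a
    keyword can itself create that keyword ('selselectect' -> 'select')."""
    s = value.strip()
    for needle, repl in FULLWIDTH:
        s = re.sub(re.escape(needle), repl, s, flags=re.IGNORECASE)
    for word in STRIP_WORDS:
        s = re.sub(re.escape(word), "", s, flags=re.IGNORECASE)
    return s


def make_db() -> sqlite3.Connection:
    """Constructed sample table (not the post's data) for the query demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_concat(conn: sqlite3.Connection, raw_id: str) -> list:
    """Vulnerable: the value is pasted into the SQL text, as the filtered pages do."""
    return conn.execute("SELECT name FROM users WHERE id = " + raw_id).fetchall()


def lookup_bound(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened: the value travels as a bound parameter and is never parsed as SQL.
    (The classic-ASP equivalent is ADODB.Command with CreateParameter.)"""
    return conn.execute("SELECT name FROM users WHERE id = ?", (raw_id,)).fetchall()


if __name__ == "__main__":
    payload = "1 or 1=1"   # constructed: contains no listed keyword, so both filters pass it
    print("blocked('Sandra Middleton'):", blacklist_blocks("Sandra Middleton"))      # True: 'and', 'mid'
    print("blocked(payload):", blacklist_blocks(payload, is_querystring=True))        # False
    print("nosql('selselectect'):", nosql("selselectect"))                            # select
    conn = make_db()
    print("concatenated:", lookup_concat(conn, nosql(payload)))                       # every row
    print("bound:       ", lookup_bound(conn, payload))                               # []
```

The last two lines are the point: the concatenated query returns every user because `or 1=1` was parsed as SQL, while the bound version compares the whole string `1 or 1=1` against the id column as a value and matches nothing. In classic ASP the same separation is achieved with ADODB.Command, appending each user value via CreateParameter instead of building the SQL string; the blacklist above can then be kept as a coarse pre-filter, but should not be the control the application relies on.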
References:
http://itlobo.com/articles/1123.html
http://www.aisenan.com/hack/aspfzrdm_fcookiezrdm_13.html
http://www.mkshy.com/networkTechnology/preventInjection.shtml