如果已经是大量直接使用Request方法来获取参数,要另写个过滤函数来代替Request方法,改动面积就大了而且怕遗漏,那么就在需要检查的页面include该方法进来执行了。
建议把调用该方法检查的位置放在数据库打开函数里面。因为注入是在数据库上发生的
如:
Sub DbOpen()
QSqlSafe()
FSqlSafe()
...
...
Conn.Open()
End Sub
1
'检查QueryString
2Sub QSqlSafe()
3 Dim BadSql, ArrBad, GetQ, i
4 BadSql = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
5 ArrBad = Split(BadSql,"|")
6 If Request.QueryString <>"" Then
7 For Each GetQ In Request.QueryString
8 For i = 0 To Ubound(ArrBad)
9 If Instr(Request.QueryString(GetQ),ArrBad(i)) > 0 Then
10 Response.Write "forbid"
11 Response.End()
12 End if
13 Next
14 Next
15 End If
16End Sub
17
18'检查Form表单
19Sub FSqlSafe()
20 Dim BadSql, ArrBad, GetF, i
21 BadSql = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
22 ArrBad = Split(BadSql,"|")
23 If Request.Form <>"" Then
24 For Each GetF In Request.QueryString
25 For i = 0 To Ubound(ArrBad)
26 If Instr(Request.QueryString(GetF),ArrBad(i)) > 0 Then
27 Response.Write "forbid"
28 Response.End()
29 End if
30 Next
31 Next
32 End If
33End Sub
34
'检查QueryString2
Sub QSqlSafe()3
Dim BadSql, ArrBad, GetQ, i4
BadSql = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare" 5
ArrBad = Split(BadSql,"|") 6
If Request.QueryString <>"" Then 7
For Each GetQ In Request.QueryString 8
For i = 0 To Ubound(ArrBad) 9
If Instr(Request.QueryString(GetQ),ArrBad(i)) > 0 Then 10
Response.Write "forbid" 11
Response.End()12
End if 13
Next 14
Next 15
End If16
End Sub17
18
'检查Form表单19
Sub FSqlSafe()20
Dim BadSql, ArrBad, GetF, i21
BadSql = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare" 22
ArrBad = Split(BadSql,"|") 23
If Request.Form <>"" Then 24
For Each GetF In Request.QueryString 25
For i = 0 To Ubound(ArrBad) 26
If Instr(Request.QueryString(GetF),ArrBad(i)) > 0 Then 27
Response.Write "forbid" 28
Response.End()29
End if 30
Next 31
Next 32
End If33
End Sub34
