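<%
' Query-string keyword filter for classic ASP. The page suggests placing it in
' the shared connection include so it runs before any database code.
'
' For every parameter name found in the raw query string, the value returned by
' Request(name) is lower-cased and searched for each token in Fy_Bad. On a hit
' the response is ended in the way selected by Fy_Cl.
'
' NOTE(review): a keyword deny-list is a stop-gap, not a fix for SQL injection.
' It rejects ordinary input (any value containing "mid", "chr", ";" or an
' apostrophe) and cannot enumerate every SQL construct. Statements built from
' request data should go through ADODB.Command with parameters; treat this
' filter as an extra layer at most.
' NOTE(review): only names that appear in the query string are inspected. POST
' bodies and cookies are not, although Request(name) can also return values
' from those collections.
Dim Fy_Url, Fy_a, Fy_x, Fy_Cs(), Fy_Cl, Fy_Ts, Fy_Zx
Dim Fy_Bad, Fy_b, Fy_Val, Fy_Eq, Fy_Hit

'--- configuration: start ---
Fy_Cl = 1            ' handling: 1 = show a message, 2 = redirect, 3 = message, then redirect
Fy_Zx = "index.Asp"  ' page to redirect to when a parameter is rejected
'--- configuration: end ---

' Tokens are compared against LCase(value), so every token must be lower-case.
' "delete%20from" is kept from the original list; Request() returns URL-decoded
' values, so it only matches when the decoded value still contains the text "%20".
Fy_Bad = Array("'", "select", "update", "chr", "delete%20from", ";", "insert", "mid", "master.")

' Kept from the original. It stays in effect for the including page, and it
' means a run-time error inside this filter is skipped silently rather than
' blocking the request.
On Error Resume Next

Fy_Url = Request.ServerVariables("QUERY_STRING")
If Fy_Url <> "" Then
    Fy_a = Split(Fy_Url, "&")
    ReDim Fy_Cs(UBound(Fy_a))

    ' Collect the parameter names: the text before the first "=" of each pair.
    ' Pairs without a name or without "=" are left empty and skipped below.
    For Fy_x = 0 To UBound(Fy_a)
        Fy_Eq = InStr(Fy_a(Fy_x), "=")
        If Fy_Eq > 1 Then
            Fy_Cs(Fy_x) = Left(Fy_a(Fy_x), Fy_Eq - 1)
        Else
            Fy_Cs(Fy_x) = ""
        End If
    Next

    For Fy_x = 0 To UBound(Fy_Cs)
        If Fy_Cs(Fy_x) <> "" Then
            Fy_Val = LCase(Request(Fy_Cs(Fy_x)))
            Fy_Hit = False
            For Each Fy_b In Fy_Bad
                If InStr(Fy_Val, Fy_b) <> 0 Then
                    Fy_Hit = True
                    Exit For
                End If
            Next

            If Fy_Hit Then
                ' CStr so the Case labels match whether the setting is stored
                ' as a number or as a string.
                Select Case CStr(Fy_Cl)
                Case "1"
                    Response.Write "<script language=javascript>alert('Error: the value of parameter " & Fy_JsName(Fy_Cs(Fy_x)) & " contains an illegal string.\n\nParameters must not contain: and, select, update, insert, delete, chr and similar strings.');window.close();</script>"
                Case "2"
                    Response.Write "<script language=javascript>location.href='" & Fy_Zx & "';</script>"
                Case "3"
                    Response.Write "<script language=javascript>alert('Error: the value of parameter " & Fy_JsName(Fy_Cs(Fy_x)) & " contains an illegal string.\n\nParameters must not contain: and, select, update, insert, delete, chr and similar strings.');location.href='" & Fy_Zx & "';</script>"
                End Select
                Response.End
            End If
        End If
    Next
End If

' Reduces a parameter name to letters, digits, "_", "-" and "." before it is
' written into the inline script. The name comes straight from the request, so
' it must not be able to close the quoted string or the script element.
Function Fy_JsName(ByVal s)
    Dim k, c, out
    out = ""
    For k = 1 To Len(s)
        c = Mid(s, k, 1)
        If InStr("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.", c) > 0 Then out = out & c
    Next
    Fy_JsName = out
End Function
%>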
The code above is widely used and, according to user feedback, works well.
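' Keyword filter for classic ASP that checks both the query string and the
' posted form. Each value is lower-cased and searched for every token of the
' matching deny-list; on a hit the response is ended in the way selected by
' Err_Message.
'
' NOTE(review): a keyword deny-list is a stop-gap, not a fix for SQL injection.
' These lists reject ordinary input (any value containing "=", "&", "@", "and",
' "set" or an apostrophe) and cannot enumerate every SQL construct. Statements
' built from request data should go through ADODB.Command with parameters.
' NOTE(review): cookies are not inspected. Reading Request.Form here also means
' the including page can no longer call Request.BinaryRead on the same request.
Dim Query_Badword, Form_Badword, Err_Message, Err_Web, form_name

'------ configuration: start ------
Err_Message = 1      ' handling: 1 = show a message, 2 = redirect, 3 = message, then redirect
Err_Web = "err.asp"  ' page to redirect to when a value is rejected
' Tokens rejected in query-string values, separated by "‖". They are compared
' against LCase(value), so they must be lower-case.
Query_Badword = "'‖and‖select‖update‖chr‖delete‖%20from‖;‖insert‖mid‖master.‖set‖chr(37)‖="
' Tokens rejected in posted form values, separated by "‖".
Form_Badword = "'‖%‖&‖*‖#‖@‖=‖select‖and‖set‖delete"
'------ configuration: end ------

' Kept from the original. It stays in effect for the including page, and it
' means a run-time error inside this filter is skipped silently rather than
' blocking the request.
On Error Resume Next

'----- filter the GET query-string values -----
If Request.QueryString <> "" Then
    Chk_badword = Split(Query_Badword, "‖")
    For Each Query_form_name In Request.QueryString
        For i = 0 To UBound(Chk_badword)
            If InStr(LCase(Request.QueryString(Query_form_name)), LCase(Chk_badword(i))) <> 0 Then
                ' CStr so the Case labels match whether the setting is stored
                ' as a number or as a string.
                Select Case CStr(Err_Message)
                Case "1"
                    ' The message names the query-string key of this loop; the
                    ' original used form_name, which is not set in this loop.
                    Response.Write "<script language=javascript>alert('Parameter error: the value of parameter " & Chk_JsName(Query_form_name) & " contains an illegal string.\n\nParameters must not contain strings such as: and update delete ; insert mid master');window.close();</script>"
                Case "2"
                    Response.Write "<script language=javascript>location.href='" & Err_Web & "';</script>"
                Case "3"
                    Response.Write "<script language=javascript>alert('Parameter error: the value of parameter " & Chk_JsName(Query_form_name) & " contains an illegal string.\n\nParameters must not contain strings such as: and update delete ; insert mid master');location.href='" & Err_Web & "';</script>"
                End Select
                Response.End
            End If
        Next
    Next
End If

'----- filter the POST form values -----
If Request.Form <> "" Then
    Chk_badword = Split(Form_Badword, "‖")
    For Each form_name In Request.Form
        For i = 0 To UBound(Chk_badword)
            If InStr(LCase(Request.Form(form_name)), LCase(Chk_badword(i))) <> 0 Then
                Select Case CStr(Err_Message)
                Case "1"
                    Response.Write "<script language=javascript>alert('Error: the value of form field " & Chk_JsName(form_name) & " contains an illegal string.\n\nForm fields must not contain characters such as: % & * # ( )');window.close();</script>"
                Case "2"
                    Response.Write "<script language=javascript>location.href='" & Err_Web & "';</script>"
                Case "3"
                    Response.Write "<script language=javascript>alert('Error: the value of form field " & Chk_JsName(form_name) & " contains an illegal string.\n\nForm fields must not contain characters such as: % & * # ( )');location.href='" & Err_Web & "';</script>"
                End Select
                Response.End
            End If
        Next
    Next
End If

' Reduces a parameter or field name to letters, digits, "_", "-" and "." before
' it is written into the inline script. The name comes straight from the
' request, so it must not be able to close the quoted string or the script
' element.
Function Chk_JsName(ByVal s)
    Dim k, c, out
    out = ""
    For k = 1 To Len(s)
        c = Mid(s, k, 1)
        If InStr("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.", c) > 0 Then out = out & c
    Next
    Chk_JsName = out
End Function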
The above is a different version.
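<%
' Keyword filter for classic ASP. Every query-string value, and on non-GET
' requests every posted form value, is lower-cased and searched for each token
' in ErrorSql. On a hit the visitor sees a warning and is sent to Index.asp.
'
' NOTE(review): a keyword deny-list is a stop-gap, not a fix for SQL injection.
' This list rejects ordinary input (any value containing "(", "%", "*", "and",
' "count" or an apostrophe) and cannot enumerate every SQL construct.
' Statements built from request data should go through ADODB.Command with
' parameters.
' NOTE(review): cookies are not inspected. Reading Request.Form here also means
' the including page can no longer call Request.BinaryRead on the same request.
Dim GetFlag      ' True when the request method is GET
Dim ErrorSql     ' deny-list: first the "~"-separated string, then the split array
Dim RequestKey   ' name of the parameter being checked
Dim ForI         ' index into ErrorSql

' Tokens are separated by a half-width "~" and compared against LCase(value),
' so they must be lower-case and carry no padding spaces.
ErrorSql = "'~;~and~(~)~exec~update~count~*~%~chr~mid~master~truncate~char~declare"
ErrorSql = Split(ErrorSql, "~")

GetFlag = (Request.ServerVariables("REQUEST_METHOD") = "GET")

' The query string is checked for every method: a POST request can carry
' query-string parameters as well, and the original skipped them.
For Each RequestKey In Request.QueryString
    For ForI = 0 To UBound(ErrorSql)
        If InStr(LCase(Request.QueryString(RequestKey)), ErrorSql(ForI)) <> 0 Then
            Response.Write "<script>alert(""Warning:\nPlease do not try"");location.href=""Index.asp"";</script>"
            Response.End
        End If
    Next
Next

If Not GetFlag Then
    For Each RequestKey In Request.Form
        For ForI = 0 To UBound(ErrorSql)
            If InStr(LCase(Request.Form(RequestKey)), ErrorSql(ForI)) <> 0 Then
                Response.Write "<script>alert(""Warning:\nPlease do not try"");location.href=""Index.asp"";</script>"
                Response.End
            End If
        Next
    Next
End If
%>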
1. Put the code above into the conn file.
2. Alternatively, save the code above as safe.asp and include it from the conn file.
Anti-SQL Injection Code (ASP version)