The characters still display exactly as before in the browser:
for example `select*` is rewritten as `&#115;elect*`.
This does not corrupt the data, yet a SQL engine no longer sees the keyword. (Note: this is a blacklist filter that only rewrites the tokens it lists; it is not a substitute for parameterised queries.)
If I have overlooked anything, please point it out.
<%
Response.Write checkrequest ("str")
' ============================================
' Filters the named request variable to blunt SQL-injection attempts
' (blacklist based: listed tokens are rewritten, nothing else is touched)
' ============================================
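Function checkrequest (ByVal strrequest)
    ' Reads the request variable named by strrequest and neutralises a
    ' blacklist of SQL-injection tokens: each hit is rewritten with its first
    ' character as an HTML numeric entity (see Strftoasc), so the browser still
    ' shows the original text while a SQL parser no longer sees the keyword.
    '
    ' Parameters:
    '   strrequest - name of the request variable; "" yields "".
    ' Returns:
    '   the value with matched tokens neutralised, or "" when the variable is
    '   absent or empty.
    '
    ' Fix: the original lower-cased the value but compared it against
    ' mixed-case tokens ("Net user", "And"), so those two could never match.
    ' Every token is now matched with vbTextCompare (case-insensitive) instead.
    '
    ' Security notes (reviewer):
    '   * Blacklist filter only: tokens in the second list are caught only when
    '     adjacent to one of the separators in Inbad; quotes, "--", "/*", ";",
    '     UNION and similar are not in the lists. Use it as defence in depth and
    '     query the database with parameters, not string concatenation.
    '   * The returned value is not HTML-encoded; encode on output as needed.
    Dim Paravalue, Abadvalue, Bbadvalue, Inbad
    Dim Avaluearr, Bvaluearr, Ibad, a, b, i, Strbad

    If strrequest = "" Then
        checkrequest = ""
        Exit Function
    End If

    ' Unqualified Request(...) lookup, as in the original - confirm which
    ' collection(s) (QueryString/Form/Cookies/...) this is meant to cover.
    Paravalue = Request (strrequest)
    If Paravalue = "" Then
        checkrequest = ""
        Exit Function
    End If

    ' Group A: whole phrases, matched anywhere in the value. Chr(0) (NUL) is
    ' the last entry.
    Abadvalue = "net user|net localgroup administrators|xp_cmdshell|/add|exec%20master.dbo.xp_cmdshell|" & Chr (0)
    Avaluearr = Split (Abadvalue, "|")
    For a = 0 To UBound (Avaluearr)
        Paravalue = checkrequest_Neutralize (Paravalue, Avaluearr (a))
    Next

    ' Group B: SQL keywords, matched only when a separator from Inbad
    ' immediately follows (keyword+sep) or precedes (sep+keyword) them.
    Bbadvalue = "and|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare|drop|from|or"
    ' NOTE(review): some separators carry an extra space (") ", " [", "%20 ")
    ' exactly as in the original, so e.g. "select%20" is only caught when a
    ' space follows it - confirm that is intended before relying on it.
    Inbad = "(|) | [|]| |*|%20 "
    Bvaluearr = Split (Bbadvalue, "|")
    Ibad = Split (Inbad, "|")
    For b = 0 To UBound (Bvaluearr)
        Strbad = Bvaluearr (b)
        For i = 0 To UBound (Ibad)
            Paravalue = checkrequest_Neutralize (Paravalue, Strbad & Ibad (i))
            Paravalue = checkrequest_Neutralize (Paravalue, Ibad (i) & Strbad)
        Next
    Next

    checkrequest = Paravalue
End Function

' Helper for checkrequest: replaces every case-insensitive occurrence of token
' in value with the token's first character HTML-entity encoded (Strftoasc).
' Returns value unchanged when token is "" or does not occur in value.
Function checkrequest_Neutralize (ByVal value, ByVal token)
    If token = "" Then
        checkrequest_Neutralize = value
    ElseIf InStr (1, value, token, vbTextCompare) > 0 Then
        checkrequest_Neutralize = Replace (value, token, Strftoasc (token), 1, -1, vbTextCompare)
    Else
        checkrequest_Neutralize = value
    End If
End Function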
' ============================================
' Rewrites the first character of a string as an HTML numeric entity (&#NNN;)
' ============================================
Function Strftoasc (ByVal strvalue)
    ' Returns strvalue with its first character replaced by the HTML numeric
    ' entity of that character's Asc() code, e.g. "select" -> "&#115;elect".
    ' An empty string comes back as "".
    ' Note: Asc() rather than AscW() is used, so the result is only meaningful
    ' for single-byte characters; callers in this file pass ASCII tokens.
    Dim head, tail
    If Len(strvalue) = 0 Then
        Strftoasc = ""
    Else
        head = "&#" & Asc(Left(strvalue, 1)) & ";"
        tail = Mid(strvalue, 2)
        Strftoasc = head & tail
    End If
End Function
%>