' Get parameter values
Function GetForm (Element,ftype)
' Reads the request parameter named Element. Ftype selects the source:
' "Get" reads Request.QueryString, "POST" reads Request.Form, "both" tries the
' query string first and falls back to the form body. The value is trimmed and
' the two quote characters are substituted before it is returned.
' NOTE(review): Select Case compares strings exactly (case-sensitive), so a
' caller passing "get" or "post" matches no branch and GetForm stays Empty.
' NOTE(review): "Isnul", "Request. QueryString", the missing closing
' parenthesis in the "both" branch and the replacement literals below look
' like rendering artefacts of the page (VBScript has IsNull, and the text as
' shown does not parse) - confirm against the original source file.
Select Case Ftype
Case "Get"
Getform=trim (Request. QueryString (Element))
Case "POST"
Getform=trim (Request. Form (Element))
Case "both"
' Falls back to the form body only when the query-string lookup is Null.
' NOTE(review): in classic ASP an absent query-string key yields "" rather
' than Null, so this branch presumably returns the query-string value even
' when only the form carries one - verify. Accepting a parameter from either
' channel also means a query-string value can take precedence over the posted
' form value; callers that rely on POST-only semantics should pass "POST".
If Isnul (request. QueryString (Element)) then Getform=trim (request. Form (Element) Else Getform=trim (request. QueryString (Element))
End Select
' Substitute the double quote (Chr(34)) and the single quote (Chr(39)). As
' rendered, Chr(39) is replaced with itself; the source most likely used HTML
' entities here - confirm. Either way this is HTML-style escaping applied at
' input time, not SQL escaping: the value still needs a parameterized query
' (ADODB.Command parameters) before it reaches SQL.
Getform=replace (GETFORM,CHR (34), "" ")
Getform=replace (GETFORM,CHR (39), "'")
End Function
' The function above gets a parameter value; this is much safer than using Request('element') directly.
' Filter Parameters
Function Filterpara (ByVal Para)
' Runs Para through CHECKXSS first and then through Preventsqlin, returning the
' doubly filtered value. CHECKXSS is not defined in this file; Preventsqlin is
' the keyword blacklist below. Neither replaces parameterized queries.
Dim afterXss
afterXss = CHECKXSS(Para)
Filterpara = Preventsqlin(afterXss)
End Function
Function Preventsqlin (content)
' Keyword blacklist applied to a request value: every token in Sqlstr that
' occurs in content is replaced (angle brackets substituted, everything else
' deleted) and the filtered string is returned.
' NOTE(review): a blacklist is not a SQL-injection fix. It strips ordinary
' words such as "and", "set", "count", "where" and "char" from legitimate
' input, cannot cover tokens absent from the list, and removal is a single
' pass per token, so fragments left behind can re-form a token that was
' already processed. The reliable mitigation is parameterized queries
' (ADODB.Command parameters); keep this at most as defence in depth.
Dim sqlstr,sqlarray,i,spestr
' Pipe-separated blacklist, split below. NOTE(review): the spaces inside
' "| %27|", "| ' |" and "| *|" and the upper-case " MID|CHR " look like
' rendering artefacts of the page; if they are real, Split keeps the spaces as
' part of the token, and an upper-case token can never match the lower-cased
' content tested below - confirm against the original source.
Sqlstr= "<|>|%| %27| ' | ' |;| *|and|exec|dbcc|alter|drop|insert|select|update|delete|count|master|truncate|char|declare|where|set|declare| MID|CHR "
' Null input: exits without assigning Preventsqlin, so the result is Empty,
' not Null. ("Isnul" is presumably IsNull - VBScript has no Isnul.)
If Isnul (content) then Exit Function
Sqlarray=split (sqlstr, "|")
For I=lbound (Sqlarray) To UBound (Sqlarray)
' Presence test lower-cases the content only; the token is compared as-is.
If InStr (LCase (content), Sqlarray (i)) <>0 then
' Pick the replacement text. As rendered, "<" and ">" map to themselves,
' which would make those two cases no-ops; the source presumably used HTML
' entities that the page rendered back into the literal characters - confirm.
' The quote case and the commented-out ";" case look garbled the same way.
Select Case Sqlarray (i)
Case "<": Spestr= "<"
Case ">": spestr= ">"
Case "'", "" ": spestr=" ""
' Case '; ": spestr=";
Case Else:spestr= ""
End Select
' Replace(expr, find, with, start 1, count -1 = all occurrences,
' compare 1 = vbTextCompare, i.e. case-insensitive).
Content=replace (Content,sqlarray (i), spestr,1,-1,1)
End If
Next
Preventsqlin=content
End Function
' The parameter filter function above is mainly meant to prevent SQL injection and strengthen the protection.