<%
' Option Explicit
' NOTE(review): Option Explicit is left off. Several functions further down use
' undeclared locals (Paravaluetemp, tempvalue, Temps, Mycount), so enabling it
' requires adding the matching Dim statements first.
Dim sql_injdata,sql_inj,sql_get,sql_data,sql_post
Dim strtemp
' Request-level keyword blacklist ("|"-separated). This is a best-effort
' request filter only: it is not a substitute for parameterised queries in the
' code that actually builds SQL from these values. Some entries carry leading
' or trailing spaces as written ("' ", " And", "declare ") and those spaces are
' part of the token that is searched for; confirm they are intended.
' sql_post is declared but never used in this file.
Sql_injdata = "' |;| And|exec|insert|select|delete|update|count|*|%20from|chr|mid|master|truncate|char|declare "
Sql_inj = Split (Sql_injdata, "|")
' Pass 1: scan every query-string parameter value for a blacklisted token.
If request.querystring<> "" Then
For each sql_get in Request.QueryString
For Sql_data=0 to Ubound (Sql_inj)
' InStr with no compare argument performs a binary (case-sensitive) search,
' so " And" matches only that exact casing and "select" never matches
' "SELECT". Use InStr(1, text, token, vbTextCompare) for a case-insensitive
' check.
If InStr (Request.QueryString (Sql_get), Sql_inj (sql_data)) >0 Then
Response.Write "Parameter Error! "
Response. End ()
End If
Next
Next
End If
' Pass 2: scan host + path + raw query string as one lower-cased string.
Strtemp=request.servervariables ("SERVER_NAME") &request.servervariables ("url") & "?" &request. QueryString
Strtemp=lcase (strtemp)
' NOTE(review): as reproduced here this condition does not parse: several
' string literals are unbalanced, "Mid ()" is passed with no pattern string,
' the "exec%20master" entry is split by a stray ")", and one reference reads
' "str Temp". It has to be repaired before this file is used.
' Because strtemp was lower-cased on the previous line, any pattern that keeps
' an upper-case letter ("Delete%20from", "Count (", " ASC (", " Net%20user ")
' can never match; every pattern here must be all lower-case.
If InStr (strtemp, "select%20") or InStr (strtemp, "insert%20") or InStr (strtemp, "Delete%20from") or InStr (strtemp, "Count (") or InStr (strtemp," drop%20table ") or InStr (strtemp," update%20 ") or InStr (strtemp," truncate%20 ") or InStr (strtemp," ASC (") or InStr (strtemp, Mid () or InStr (strtemp," char (") or InStr (strtemp," xp_cmdshell ") or InStr (strtemp," exec% ") 20master ") or InStr (strtemp," Net%20user ") or InStr (strtemp,"%20or%20 ") or InStr (strtemp," ' ") or InStr (strtemp,"%20 ") or InStr (strtemp, "" ") or InStr (strtemp," "") or InStr (strtemp, "" ") or InStr (strtemp,": ") or InStr (strtemp,": ") or InStr (str Temp, ";") or InStr (strtemp, "; ") or InStr (strtemp,", ") or InStr (strtemp,", ") or InStr (strtemp,"%27 ") Then
Response.Write "Parameter Error! "
Response. End ()
End If
' Strips a fixed list of SQL keywords from fstring and HTML-encodes the result.
' Returns "" for Null input.
' Keyword stripping is not a reliable injection defence and also damages
' legitimate text (the "and" inside "band" is removed, "from" disappears from
' prose); the query that consumes this value must still be parameterised.
' NOTE: VBScript passes parameters ByRef by default, so the assignments to
' fstring below also modify the caller's variable when a variable is passed.
function Replace_text (fstring)
If IsNull (fstring) Then
Replace_text= ""
Exit function
Else
Fstring=trim (fstring)
' NOTE(review): the replacement literal on the next line is not valid as
' reproduced (an empty string followed by a stray quote); restore the
' intended replacement before use.
Fstring=replace (fstring, "'", "" ")
' As shown, ";" is replaced by ";", which is a no-op; the intended
' replacement character was presumably lost in reproduction - confirm.
Fstring=replace (fstring, ";", ";")
Fstring=replace (Fstring, "--", "-")
' Replace with no compare argument is a binary (case-sensitive) match:
' "and"/"select"/"exec" remove only lower-case occurrences, while
' "Update"/"Count"/"Chr"/"Master" remove only that exact capitalisation.
' Pass vbTextCompare (Replace(s, find, repl, 1, -1, vbTextCompare)) for a
' case-insensitive match.
Fstring=replace (Fstring, "and", "")
' Fstring=replace (fstring, "or", "")
Fstring=replace (fstring, "select", "")
' NOTE(review): INSERT is unquoted, so with Option Explicit off it is an
' undeclared (Empty) variable. Replace with a zero-length find string
' returns the input unchanged, so this line silently does nothing; it
' should read "insert" in quotes.
Fstring=replace (fstring, INSERT, "")
Fstring=replace (fstring, "exec", "")
Fstring=replace (fstring, "delete", "")
Fstring=replace (fstring, "Update", "")
Fstring=replace (fstring, "Count", "")
Fstring=replace (fstring, "mid", "")
Fstring=replace (fstring, "truncate", "")
' Fstring=replace (fstring, "%", "")
Fstring=replace (fstring, "Chr", "")
Fstring=replace (fstring, "Master", "")
Fstring=replace (fstring, "char", "")
Fstring=replace (fstring, "declare", "")
Fstring=replace (fstring, "*", "")
Fstring=replace (fstring, "from", "")
' HTML-encode last so the returned value is safe to echo into a page.
Fstring=server.htmlencode (fstring)
Replace_text=fstring
End If
End Function
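' Returns the request value named Paraname, or aborts the response with
' "Parameter Error!" when a non-numeric value contains a blacklisted token.
' Request(name) searches QueryString, Form, Cookies, ClientCertificate and
' ServerVariables in that order, so cookie values are covered too.
' Blacklist filtering is a last-resort mitigation only; the SQL that consumes
' the returned value must still be parameterised.
Function Saferequest (Paraname)
Dim Paravalue, Paravaluetemp, tempvalue, temps, mycount
Paravalue=request (Paraname)
' Numeric-looking values pass untouched. IsNumeric also accepts signs,
' decimal points, exponents, embedded spaces and hex/octal prefixes, so this
' is not a strict "digits only" test.
If IsNumeric (Paravalue) Then
Saferequest=paravalue
Exit Function
End If
Paravaluetemp=lcase (paravalue)
' "|"-separated token list. Each token is trimmed before the search, so the
' leading/trailing spaces only separate entries; the spaces inside
' "Count (", "asc (" and "char (" are kept as written - confirm they are
' intended, since "count(" without a space would not match them.
tempvalue="Select |insert |delete from| ' | Count (|drop table|update |truncate |asc (|mid |char (|xp_cmdshell|exec master|net localgroup user| And|%20from|exec|select|delete|count|*|chr|mid|master|truncate|char|declare"
temps=split (tempvalue, "|")
For mycount=0 To UBound (temps)
' Lower-case the token as well: the value was lower-cased above, so a
' mixed-case token ("Select ", " And", " Count (") could otherwise never match.
If InStr (Paravaluetemp, LCase (Trim (temps (mycount)))) > 0 Then
Response.Write "Parameter Error! "
Response.End
End If
Next
Saferequest=paravalue
End Function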
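' Returns the form field named Paraname, or aborts the response with
' "Parameter Error!" when a non-numeric value contains a blacklisted token.
' Same contract as Saferequest but reads Request.Form only.
' Blacklist filtering is a last-resort mitigation only; the SQL that consumes
' the returned value must still be parameterised.
Function Saferequestform (Paraname)
Dim Paravalue, Paravaluetemp, Tempvalue, Temps, Mycount
Paravalue=request.form (Paraname)
' Numeric-looking values pass untouched. IsNumeric also accepts signs,
' decimal points, exponents, embedded spaces and hex/octal prefixes, so this
' is not a strict "digits only" test.
If IsNumeric (Paravalue) Then
Saferequestform=paravalue
Exit Function
End If
Paravaluetemp=lcase (Paravalue)
' "|"-separated token list; each token is trimmed before the search. The
' "net, localgroup administrators" entry is kept as written - with the
' comma it can only match text containing that comma, so confirm it is
' intended.
Tempvalue="Select |insert |delete from| ' | Count (|drop table|update |truncate |asc (|mid |char (|xp_cmdshell|exec master|net, localgroup administrators|net user| And|%20from|exec|select|delete|count|*|chr|mid|master|truncate|char|declare"
Temps=split (Tempvalue, "|")
For Mycount=0 To UBound (Temps)
' Lower-case the token as well: the value was lower-cased above, so a
' mixed-case token ("Select ", " And", " Count (") could otherwise never match.
If InStr (Paravaluetemp, LCase (Trim (Temps (Mycount)))) > 0 Then
Response.Write "Parameter Error! "
Response.End
End If
Next
Saferequestform=paravalue
End Function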
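' Aborts the response unless the Referer header's host is this server.
' The Referer is supplied by the client and is often absent or stripped, so
' this is a navigation/hot-link hint only, not a CSRF or access control.
' An empty Referer is rejected, as in the original check.
Sub Check_url ()
Dim ref, host, p, rest, nextch
host = LCase (Request.ServerVariables ("SERVER_NAME"))
ref = LCase (Request.ServerVariables ("HTTP_REFERER"))
' Anchor the comparison at the authority part ("scheme://host") instead of
' searching for the host name anywhere in the Referer, so a URL that merely
' contains our host name somewhere in its path or query does not pass.
p = InStr (ref, "://")
If p = 0 Then
Response.Write "Parameter Error! "
Response.End ()
End If
rest = Mid (ref, p + 3)
If Left (rest, Len (host)) <> host Then
Response.Write "Parameter Error! "
Response.End ()
End If
' The host must be followed by a path, port, query or fragment, or end the
' string; any other character means a different, longer host name.
nextch = Mid (rest, Len (host) + 1, 1)
If nextch <> "" And nextch <> "/" And nextch <> ":" And nextch <> "?" And nextch <> "#" Then
Response.Write "Parameter Error! "
Response.End ()
End If
End Sub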
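' Aborts the response unless ID is a string of one to eight decimal digits.
' The original Len/IsNumeric pair is too permissive for an identifier:
' IsNumeric accepts signs, decimal points, exponents, embedded spaces and
' hex/octal prefixes, so values such as "-12" or "1.5" passed. Those are now
' rejected; a regular expression pins the exact shape instead.
Sub check_id (ID)
Dim re
' Null/Empty cannot be tested with RegExp; treat them as missing.
If IsNull (ID) Or IsEmpty (ID) Then
Response.Write "Parameter Error! "
Response.End ()
End If
Set re = New RegExp
re.Pattern = "^[0-9]{1,8}$"
If Not re.Test (CStr (ID)) Then
Response.Write "Parameter Error! "
Response.End ()
End If
End Sub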
' Intended as an HTML encoder for untrusted text before it is written into a
' page, with newline-to-paragraph/BR conversion. Returns Empty for Null input
' (no assignment is made on that path).
' NOTE(review): as reproduced, the replacement strings appear to have been
' decoded during rendering - replacing ">" with ">" and "<" with "<" is a
' no-op as shown - several CHR() calls have lost their argument, and "CHR (a)"
' references an undeclared variable. The entity strings and character codes
' must be restored before this function is used.
' Even when restored, "&" is never encoded, so this is not a complete encoder;
' Server.HTMLEncode handles the core characters and this function's newline
' handling can be layered on top of its output.
' NOTE: VBScript passes parameters ByRef by default, so the assignments to
' fstring also modify the caller's variable when a variable is passed.
Function HTMLEncode (fstring)
If not IsNull (fstring) Then
fstring = replace (fstring, ">", ">")
fstring = replace (fstring, "<", "<")
fstring = Replace (fstring, CHR (), " ")
' Tab is replaced by a single space.
fstring = Replace (fstring, CHR (9), " ")
fstring = Replace (fstring, CHR (), """)
' The replacement entity is written "& #39;" with a space, which browsers
' will not decode as an apostrophe entity; presumably "&#39;" was intended.
fstring = Replace (fstring, CHR (), "& #39;")
' Carriage returns are dropped so only the line feed handling below applies.
fstring = Replace (fstring, CHR (13), "")
fstring = Replace (fstring, CHR (a) & CHR (a), "</P><P>")
fstring = Replace (fstring, CHR (), "<BR>")
' Fstring=chkbadwords (fstring)
HTMLEncode = fstring
End If
End Function
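' Returns numstr when it holds a numeric value; otherwise redirects the client
' to the site's error page. IsNumeric accepts signs, decimal points, exponents
' and hex/octal prefixes, so callers needing a plain integer must check further.
Function Checknum (numstr)
If IsNull (numstr) Or IsEmpty (numstr) Or Not IsNumeric (numstr) Then
' Redirect with a site-relative path. Building "http://" & SERVER_NAME
' hard-codes the scheme and, where SERVER_NAME is derived from the request's
' Host header, lets the client influence the redirect target; a relative
' path stays on whatever host and scheme served this page.
Response.Redirect "/error.asp"
Else
Checknum = numstr
End If
End Function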
%>