Anti-injection <%
' ASP anti-injection solution
' Special-page handling: some pages are streamed (for example a form with a file upload),
' and using the ordinary Request.Form object on such a page fails. Those pages are
' therefore filtered out, and the page itself calls N_sql("string to check") instead.
' Author: garbage pig, Zero@new57.com  Http://blog.csdn.net/cfaq
' Source Download Http://www.new57.com/softback/sql.rar
' Include this file at the top of every page (for example via an include in conn.asp)
' so that every page invokes it. For a streaming upload page, add that page's URL to the
' "page" table instead, so the form check is skipped and the form object does not conflict.
' Page-scope variables shared by the subs below.
Dim N_no, n_noarray, req_qs, req_f, n_i, n_dbstr, conn, n_rs, n_userip, n_thispage

' REMOTE_ADDR is the address of the connecting peer; behind a reverse proxy or load
' balancer that is the proxy's address, and nothing here consults a forwarded-for header.
n_userip = Request.ServerVariables("REMOTE_ADDR")

' Lower-cased before it is used in the special-page lookup and in the log record.
N_thispage = LCase(Request.ServerVariables("URL"))
' Blacklist of substrings treated as an injection attempt; edit to taste.
' Matching is a plain case-insensitive substring search (see N_check), so ordinary
' words such as "and", "count" or "mid" inside normal text also trip it, and this
' screening does not make the SQL the pages themselves build safe.
N_no = "'|;|and|exec|insert|select|delete|update|count|*|%|" & _
       "chr|mid|master|truncate|char|declare"

' One lower-cased token per array element.
n_noarray = Split(LCase(N_no), "|")
' Entry sequence: open the log database, screen the query string, then screen the
' form unless this page is listed as special, and close the database again.
' N_regsql ends the response on a hit, so dbclose is skipped on that path; the
' connection is presumably released only when ASP discards the page's objects.
dbopen
N_check_qs
N_checkpage
dbclose
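' Special-page check: when the current URL matches an entry in the "page" table the
' form is not screened (streamed/upload pages cannot use Request.Form); otherwise
' N_check_form runs. Reads N_thispage and conn; uses n_rs.
' Fix: the URL is interpolated into SQL text, so embedded single quotes are now
' doubled (Jet string-literal escaping) so a quote in the path cannot break or
' alter the lookup. The recordset is also closed before N_check_form may end the
' response.
Sub N_checkpage()
    Dim sqlPage, isSpecial
    sqlPage = "select * from page where spcpage like '%" & Replace(N_thispage, "'", "''") & "%'"
    Set n_rs = Server.CreateObject("ADODB.RecordSet")
    n_rs.Open sqlPage, conn, 1, 1
    ' No matching row means this is an ordinary page whose form must be screened too.
    isSpecial = Not (n_rs.EOF And n_rs.BOF)
    n_rs.Close
    Set n_rs = Nothing
    If Not isSpecial Then Call N_check_form()
End Sub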
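' Screen a caller-supplied string; meant for pages that cannot use Request.Form and
' call this themselves. Type "other" makes N_regsql report the hit without writing
' it to the Sqlin table; change the third argument if it should be recorded.
' Fix: the original passed the page-scope leftover Req_qs instead of its own
' argument, so the string handed in was never inspected.
Sub N_sql(Agsql)
    N_check "CUS", Agsql, "other"
End Sub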
' Screen every posted form field. Only Request.Form and Request.QueryString are
' inspected by this file; cookies, headers and the URL path are not.
Sub N_check_form()
    If Request.Form = "" Then Exit Sub
    For Each req_f In Request.Form
        ' Request.Form(name) presumably joins repeated fields into one string — confirm.
        N_check req_f, Request.Form(req_f), "POST"
    Next
End Sub
' Screen every query-string parameter.
Sub N_check_qs()
    If Request.QueryString = "" Then Exit Sub
    For Each req_qs In Request.QueryString
        N_check req_qs, Request.QueryString(req_qs), "Get"
    Next
End Sub
' Screen one value against every blacklist token. A hit goes to N_regsql, which
' records it and ends the response, so the Response.Write after it never runs.
' Ag: parameter name; agsql: value; sqltype: how it arrived ("Get", "POST", "other").
Sub N_check(Ag, agsql, sqltype)
    Dim lowered
    lowered = LCase(agsql)
    For n_i = 0 To UBound(N_noarray)
        If InStr(lowered, N_noarray(n_i)) > 0 Then
            N_regsql Ag, agsql, sqltype
            Response.Write "MO"
        End If
    Next
End Sub
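' Record a suspected injection attempt and stop the response.
' Ag: parameter name; agsql: submitted value; sqltype: "Get", "POST" or "other".
' The attempt is written to the Sqlin table unless sqltype is "other".
' Fixes: the submitted name and value are attacker-controlled and were concatenated
' raw into the INSERT (a hit containing a quote — exactly what the blacklist
' catches — broke or altered the logging statement) and echoed raw into the HTML
' (markup in the value would render in the visitor's browser). Values are now
' quote-doubled for the Jet SQL literal and HTML-encoded for output.
' Response.End means dbclose at page level does not run for this request.
Sub N_regsql(Ag, agsql, sqltype)
    Dim sqlIns
    If sqltype <> "other" Then
        sqlIns = "Insert Into Sqlin (SQLIN_IP,SQLIN_WEB,SQLIN_FS,SQLIN_CS,SQLIN_SJ) VALUES ('" & _
                 N_sqlq(N_userip) & "','" & N_sqlq(N_thispage) & "','" & N_sqlq(sqltype) & "','" & _
                 N_sqlq(Ag) & "','" & N_sqlq(agsql) & "')"
        conn.Execute sqlIns
    End If
    Response.Write "<script language=Javascript>alert('Please do not include illegal characters in the parameter attempt to inject!');</script>"
    Response.Write "<span style='font-size:12px'>Illegal operation! The system does the following record ↓<br>"
    Response.Write "Operation IP: " & N_html(N_userip) & "<br>"
    Response.Write "Operation time: " & Now & "<br>"
    Response.Write "Action page: " & N_html(N_thispage) & "<br>"
    Response.Write "Submission Method: " & N_html(sqltype) & "<br>"
    Response.Write "Submit Parameters: " & N_html(Ag) & "<br>"
    Response.Write "Submit data: " & N_html(agsql) & "</span>"
    Response.End
End Sub

' Escape a value for use inside a single-quoted Jet SQL string literal.
Function N_sqlq(s)
    N_sqlq = Replace(s & "", "'", "''")
End Function

' Encode a value for safe inclusion in HTML output.
Function N_html(s)
    N_html = Server.HTMLEncode(s & "")
End Function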
' Open the logging database. Sql.mdb is resolved with Server.MapPath relative to the
' executing page, i.e. it sits inside the web tree; make sure the server does not
' serve .mdb files directly, or the attempt log is downloadable by URL.
Sub dbopen()
    Dim dbPath
    dbPath = Server.MapPath("Sql.mdb")
    n_dbstr = "dbq=" & dbPath & ";DefaultDir=;Driver={Microsoft Access Driver (*.mdb)};"
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open n_dbstr
End Sub
' Close and release the logging database connection opened by dbopen.
Sub dbclose()
    conn.Close
    Set conn = Nothing
End Sub
%>