The function used to prevent SQL injection attacks can be used directly, but we will not use it, but we need to enhance our safety awareness.
Copy Code code as follows:
'==========================
' Filter the SQL in the submission form
'==========================
function Forsqlform ()
Dim fqys,errc,i,items
Dim Nothis (18)
Nothis (0) = "NET user"
Nothis (1) = "xp_cmdshell"
Nothis (2) = "/add"
Nothis (3) = "Exec%20master.dbo.xp_cmdshell"
Nothis (4) = "Net localgroup Administrators"
Nothis (5) = "Select"
Nothis (6) = "Count"
Nothis (7) = "ASC"
Nothis (8) = "char"
Nothis (9) = "Mid"
Nothis (10) = "'"
Nothis (11) = ":"
Nothis (12) = "" "
Nothis (+) = "Insert"
nothis = "Delete"
Nothis = "Drop"
Nothis = "Truncate"
Nothis (a) = "from"
Nothis (18) = "%"
' Nothis (19) = "@"
Errc=false
For i= 0 To UBound (nothis)
For each of the items in request. Form
If InStr (Request. Form (items), nothis (i)) <>0 then
Response.Write ("<div>")
Response.Write ("The information you have filled out:" & server. HTMLEncode (Request. Form (items)) & "<br> contains illegal characters:" & Nothis (i))
Response.Write ("</div>")
Response.Write ("Sorry, the information you filled out contains illegal characters!") <a href= "" # "onclick=" "History.back ()" "> Return </a>")
Response. End ()
End If
Next
Next
End Function
'==========================
' Filter the SQL in the query
'==========================
function Forsqlinjection ()
Dim fqys,errc,i
Dim nothis (19)
Fqys = Request. ServerVariables ("Query_string")
Nothis (0) = "NET user"
Nothis (1) = "xp_cmdshell"
Nothis (2) = "/add"
Nothis (3) = "Exec%20master.dbo.xp_cmdshell"
Nothis (4) = "Net localgroup Administrators"
Nothis (5) = "Select"
Nothis (6) = "Count"
Nothis (7) = "ASC"
Nothis (8) = "char"
Nothis (9) = "Mid"
Nothis (10) = "'"
Nothis (11) = ":"
Nothis (12) = "" "
Nothis (+) = "Insert"
nothis = "Delete"
Nothis = "Drop"
Nothis = "Truncate"
Nothis (a) = "from"
Nothis (18) = "%"
Nothis (19) = "@"
Errc=false
For i= 0 To UBound (nothis)
If InStr (Fqys,nothis (i)) <>0 then
Errc=true
End If
Next
If ERRC Then
Response.Write "Query information contains illegal characters!" <a href= "" # "onclick=" "History.back ()" "> Return </a>"
Response.End
End If
End Function