<%
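'option explicit
' Request filter shared by the pages that include this file. It rejects the
' request - writes "参数错误!" and ends the response - when the query string
' contains any entry of a substring denylist. This is a coarse defence-in-depth
' measure, not an injection fix: it also rejects legitimate values that merely
' contain one of the listed substrings (any value containing "and", for
' instance), and SQL built from request data still has to use parameterised
' queries rather than string concatenation.
dim sql_injdata,sql_inj,sql_get,sql_data,sql_post
dim strtemp
' Pass 1: every decoded query-string value is matched against this list.
SQL_injdata = "'|;|and|exec|insert|select|delete|update|count|*|%20from|chr|mid|master|truncate|char|declare"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString<>"" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data=0 To Ubound(SQL_inj)
            ' vbTextCompare makes the match case-insensitive, consistent with
            ' pass 2 below and with SafeRequest, which lowercase before matching;
            ' the default binary compare let differently-cased spellings of the
            ' same entries through this pass.
            if instr(1,Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA),vbTextCompare)>0 Then
                Response.Write "参数错误!"
                response.End()
            end if
        next
    Next
End If
' Pass 2: the lowercased host + path + raw (still URL-encoded) query string is
' matched against a second list. Entries that were only reachable through
' "%20", ":", ";" or "," have been folded into those single-character entries,
' which already reject the same requests, so the set of rejected URLs is the
' same as before.
strtemp=lcase(request.servervariables("server_name")&request.servervariables("url")&"?"&request.QueryString)
SQL_injdata = "count(|asc(|mid(|char(|xp_cmdshell|'|%20|""|“|”|:|;|,|%27"
SQL_inj = split(SQL_injdata,"|")
For SQL_Data=0 To Ubound(SQL_inj)
    if instr(strtemp,SQL_inj(SQL_Data))>0 Then
        response.write "参数错误!"
        response.End()
    end if
Next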
function Replace_Text(fString)
    ' Returns fString trimmed, with the straight quote, semicolon and "--"
    ' swapped for full-width look-alikes, a fixed set of lowercase SQL keywords
    ' removed, and the result passed through Server.HTMLEncode. Null yields "".
    ' Replace uses binary comparison, so only the lowercase spellings listed
    ' below are removed, and the removal also alters ordinary words that contain
    ' them ("command" loses its "and"). Keyword stripping is not a reliable SQL
    ' defence; SQL built from request data should use parameterised queries.
    dim keyword
    if isnull(fString) then
        Replace_Text=""
        exit function
    end if
    fString=trim(fString)
    fString=replace(fString,"'","’")
    fString=replace(fString,";",";")
    fString=replace(fString,"--","—")
    ' Same keywords, same order as the original one-per-line replacements.
    ' "or" and "%" were commented out in the original list and stay excluded.
    for each keyword in Array("and","select","insert","exec","delete","update","count","mid","truncate","chr","master","char","declare","*","from")
        fString=replace(fString,keyword,"")
    next
    fString=server.htmlencode(fString)
    Replace_Text=fString
end function
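Function SafeRequest(ParaName)
    ' Reads request parameter ParaName and returns it unchanged when it passes
    ' the denylist below; otherwise writes "参数错误!" and ends the response.
    ' Values that IsNumeric accepts are returned without further checks - note
    ' that IsNumeric also accepts signs, decimals, exponents, hexadecimal (&H)
    ' and locale currency forms, not only digit strings.
    ' Request(ParaName) searches QueryString, Form, Cookies, ClientCertificate
    ' and ServerVariables in that order, so a value can arrive from a cookie
    ' even when the caller expects a form field; SafeRequestform reads
    ' Request.Form only.
    ' The denylist is matched as lowercase substrings, so legitimate text that
    ' merely contains "select", "count", "mid", etc. is rejected as well. This
    ' is a coarse filter, not a substitute for parameterised SQL.
    ' All working variables are declared here; previously they were implicit
    ' page-level globals, which is incompatible with Option Explicit.
    Dim ParaValue, ParaValuetemp, tempvalue, temps, mycount
    ParaValue=Request(ParaName)
    if IsNumeric(ParaValue) then
        SafeRequest=ParaValue
        exit Function
    end if
    ParaValuetemp=lcase(ParaValue)
    tempvalue="select |insert |delete from|'|count(|drop table|update |truncate |asc(|mid(|char(|xp_cmdshell|exec master|net localgroup administrators|net user| and|%20from|exec|select|delete|count|*|chr|mid|master|truncate|char|declare"
    temps=split(tempvalue,"|")
    for mycount=0 to ubound(temps)
        ' trim() removes the leading/trailing spaces some entries carry, so
        ' "select " matches exactly like "select" and " and" like "and".
        if Instr(ParaValuetemp,trim(temps(mycount))) > 0 then
            response.write "参数错误!"
            response.end
        end if
    next
    SafeRequest=ParaValue
End function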
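Function SafeRequestform(ParaName)
    ' Form-only counterpart of SafeRequest: reads Request.Form(ParaName) and
    ' returns it unchanged when it passes the denylist below; otherwise writes
    ' "参数错误!" and ends the response.
    ' Values that IsNumeric accepts are returned without further checks - note
    ' that IsNumeric also accepts signs, decimals, exponents, hexadecimal (&H)
    ' and locale currency forms, not only digit strings.
    ' The denylist is matched as lowercase substrings, so legitimate text that
    ' merely contains "select", "count", "mid", etc. is rejected as well. This
    ' is a coarse filter, not a substitute for parameterised SQL.
    ' All working variables are declared here; previously they were implicit
    ' page-level globals, which is incompatible with Option Explicit.
    Dim ParaValue, ParaValuetemp, tempvalue, temps, mycount
    ParaValue=request.form(ParaName)
    if IsNumeric(ParaValue) then
        SafeRequestform=ParaValue
        exit Function
    end if
    ParaValuetemp=lcase(ParaValue)
    tempvalue="select |insert |delete from|'|count(|drop table|update |truncate |asc(|mid(|char(|xp_cmdshell|exec master|net localgroup administrators|net user| and|%20from|exec|select|delete|count|*|chr|mid|master|truncate|char|declare"
    temps=split(tempvalue,"|")
    for mycount=0 to ubound(temps)
        ' trim() removes the leading/trailing spaces some entries carry, so
        ' "select " matches exactly like "select" and " and" like "and".
        if Instr(ParaValuetemp,trim(temps(mycount))) > 0 then
            response.write "参数错误!"
            response.end
        end if
    next
    SafeRequestform=ParaValue
End function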
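Sub Check_url()
    ' Ends the response with "参数错误!" unless the Referer header names this
    ' site: the host component of the Referer (scheme://host[:port]/...) must
    ' equal SERVER_NAME or be a subdomain of it. The previous substring test
    ' accepted any Referer that contained the server name anywhere, including
    ' inside another site's path or query string. A missing Referer fails closed.
    ' Referer is supplied by the client and may be stripped by browsers or
    ' proxies, so this is a hot-link/CSRF speed bump, not an authorisation check.
    Dim referer, hostPart, siteName, cut
    siteName = LCase(Request.ServerVariables("SERVER_NAME"))
    referer = LCase(Request.ServerVariables("HTTP_REFERER"))
    hostPart = ""
    cut = InStr(referer, "://")
    If cut > 0 Then
        hostPart = Mid(referer, cut + 3)
        ' Keep only the authority: cut at the first path, query or fragment
        ' delimiter. Appending the delimiter guarantees InStr finds one.
        cut = InStr(hostPart & "/", "/")
        hostPart = Left(hostPart, cut - 1)
        cut = InStr(hostPart & "?", "?")
        hostPart = Left(hostPart, cut - 1)
        cut = InStr(hostPart & "#", "#")
        hostPart = Left(hostPart, cut - 1)
        ' Drop an explicit port; SERVER_NAME carries none. Bracketed IPv6
        ' literals are not handled and simply fail the comparison below.
        cut = InStr(hostPart & ":", ":")
        hostPart = Left(hostPart, cut - 1)
    End If
    If hostPart <> siteName And Right(hostPart, Len(siteName) + 1) <> "." & siteName Then
        Response.Write "参数错误!"
        Response.End()
    End If
End Sub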
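Sub Check_ID(ID)
    ' Validates ID as a record identifier: a non-empty string of at most 8
    ' characters consisting only of decimal digits. Anything else (including
    ' Null or Empty) writes "参数错误!" and ends the response, so code after
    ' this call can rely on the value.
    ' IsNumeric was not sufficient here: it also accepts signs, decimal points,
    ' exponents, hexadecimal (&H) and locale currency forms.
    Dim idText, pos, code
    idText = "" & ID  ' Null and Empty become ""
    If Len(idText) = 0 Or Len(idText) > 8 Then
        Response.write "参数错误!"
        Response.End()
    End If
    For pos = 1 To Len(idText)
        code = AscW(Mid(idText, pos, 1))
        If code < 48 Or code > 57 Then  ' outside "0".."9"
            Response.write "参数错误!"
            Response.End()
        End If
    Next
End Sub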
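Function HTMLEncode(fString)
    ' Returns fString encoded for literal display inside HTML. Null yields "".
    ' "&" is encoded first so the entities emitted below are not re-encoded;
    ' the original omitted it, leaving stray ampersands in the output.
    ' In this copy the original replacement strings for <, >, CHR(34) and the
    ' newlines had been decoded to their literal characters, which made the
    ' < and > replacements no-ops and the CHR(34) line unparseable; the
    ' standard entities are restored here.
    If IsNull(fString) Then
        HTMLEncode = ""
        Exit Function
    End If
    fString = Replace(fString, "&", "&amp;")
    fString = Replace(fString, "<", "&lt;")
    fString = Replace(fString, ">", "&gt;")
    fString = Replace(fString, CHR(34), "&quot;")
    fString = Replace(fString, CHR(39), "&#39;")
    ' Preserve whitespace layout: spaces and tabs become non-breaking spaces,
    ' CR is dropped and LF becomes a line break. The original mapped a double
    ' LF and a tab separately; their replacement text is not recoverable from
    ' this copy, so tabs get a single &nbsp; and every LF produces <br>.
    fString = Replace(fString, CHR(32), "&nbsp;")
    fString = Replace(fString, CHR(9), "&nbsp;")
    fString = Replace(fString, CHR(13), "")
    fString = Replace(fString, CHR(10), "<br>")
    'fString=ChkBadWords(fString)
    HTMLEncode = fString
End Function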
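function checkNum(numstr)
    ' Returns numstr when IsNumeric accepts it; otherwise redirects the client
    ' to /error.asp on the current server (Response.Redirect ends the page).
    ' IsNumeric also accepts signs, decimals, exponents, hexadecimal (&H) and
    ' locale currency forms, so callers that need a whole number must still
    ' convert or validate the value.
    ' The redirect keeps the request's scheme instead of hard-coding http://,
    ' so an HTTPS visitor is not bounced to a plaintext URL.
    dim scheme
    if isnull(numstr) or isempty(numstr) or (not isnumeric(numstr)) then
        scheme = "http://"
        if lcase(request.ServerVariables("HTTPS")) = "on" then scheme = "https://"
        response.Redirect scheme & request.ServerVariables("SERVER_NAME") & "/error.asp"
    else
        checkNum = numstr
    end if
end function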
%>