asp防sql注入与文本框防sql注入的代码_Asp编程

asp防sql注入与文本框防sql注入的代码: 发布时间：2020-10-31编辑：脚本学堂

分享下asp中防止sql注入的几段代码，同时提供了文本框内容防止sql注入的实现代码，有需要的朋友参考下。

本节内容：
防止sql注入的asp代码

一，防注入

复制代码代码示例:

<%
'-过滤危险字符，防止sql注入
dim   sql_injdata
SQL_injdata   =   "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj   =   split(SQL_Injdata,"|")

If   Request.QueryString<>""   Then
For   Each   SQL_Get   In   Request.QueryString
For   SQL_Data=0   To   Ubound(SQL_inj)
if   instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0   Then
Response.Write   "<Script   Language=javascript>alert('SQL通用防注入系統提示,請不要在參數中包含非法字符嘗試注入！');history.back(-1)</Script>"
Response.end
end   if
next
Next
End   If
If   Request.Form<>""   Then
For   Each   Sql_Post   In   Request.Form
For   SQL_Data=0   To   Ubound(SQL_inj)
if   instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0   Then
Response.Write   "<Script   Language=javascript>alert('SQL通用防注入系統提示,請不要在參數中包含非法字符嘗試注入');history.back(-1)</Script>"
Response.end
end   if
next
next
end   if
%>

二，处理SQL注入的函数

复制代码代码示例:

Function   SafeReplace(ParaName)
'---   传入参数   ---
'ParaName:参数名称-字符型，
Dim   Paravalue
Paravalue=LCase(Trim(ParaName))

Paravalue=Replace(Paravalue,"select","")
Paravalue=Replace(Paravalue,"insert","")
Paravalue=Replace(Paravalue,"updata","")
Paravalue=Replace(Paravalue,"addnew","")
Paravalue=Replace(Paravalue,"delete","")
Paravalue=Replace(Paravalue,"order","")
Paravalue=Replace(Paravalue,"and","")
Paravalue=Replace(Paravalue,"or","")
Paravalue=Replace(Paravalue,"exec","")
Paravalue=Replace(Paravalue,"--","")
Paravalue=Replace(Paravalue,"-","")
Paravalue=Replace(Paravalue,";","")
Paravalue=Replace(Paravalue,"%","")
Paravalue=Replace(Paravalue,"<","")
Paravalue=Replace(Paravalue,">","")
Paravalue=Replace(Paravalue,"(","")
Paravalue=Replace(Paravalue,")","")
Paravalue=Replace(Paravalue,"window.open","")
Paravalue=Replace(Paravalue,"window.close","")
Paravalue=Replace(Paravalue,"while(1)","")
Paravalue=Replace(Paravalue,"script","")
Paravalue=Replace(Paravalue,"'","")
Paravalue=Replace(Paravalue,chr(34),"")
Paravalue=Replace(Paravalue,chr(39),"")

SafeReplace=Paravalue
End   function

Function   SafeRequest(ParaName,ParaType)
     '---   传入参数   ---
     'ParaName:参数名称-字符型
     'ParaType:参数类型-数字型(1表示以上参数是数字，0表示以上参数为字符)
     Dim   Paravalue
     Paravalue=Request(ParaName)
     If   ParaType=1   then
'添加非空判断Paravalue=replace(Paravalue,"-","")
If   Paravalue=""   then
'Response.write   "参数"   &   ParaName   &   "不能为空！"
   Response.Write("<script   language='javascript1.2'>history.go(-1)</script>")
Response.end
elseIf   not   isNumeric(Paravalue)   then
'Response.write   "参数"   &   ParaName   &   "必须为数字型！"
   Response.Write("<script   language='javascript1.2'>history.go(-1)</script>")
Response.end
End   if
     Else
Paravalue=replace(Paravalue,"'","''")
     End   if
     SafeRequest=Paravalue
End   function

三，反处理htmlencode的代码

复制代码代码示例:

Function   HTMLDecode(strEncode)   

 strEncode=LCase(strEncode)   

 strEncode=Replace(strEncode,"&amp;","&")   

 strEncode=Replace(strEncode,"&lt;","<")   

 strEncode=Replace(strEncode,"&gt;",">")   

 strEncode=Replace(strEncode,"&quot;",Chr(34))   

 strEncode=Replace(strEncode,"<br>","/r/n")   

 strEncode=Replace(strEncode,"&nbsp;","   ")   

 HTMLDecode   =   strEncode   

End   Function

四，去掉html标签的正则

复制代码代码示例:

Function   nohtml(str)   

 dim   re   

 Set   re=new   RegExp   

 re.IgnoreCase   = true   

 re.Global=True

 re.Pattern="(/<.[^/<]*/>)"   

 str=re.replace(str,"   ")   

 re.Pattern="(/<//[^/<]*/>)"   

 str=re.replace(str,"   ")   

 nohtml=str   

 set   re=nothing   

End function

上一篇：asp防止js或sql注入的方法详解
下一篇：ASP脚本限制某IP段访问的代码

与 asp防sql注入与文本框防sql注入的代码有关的文章

本文标题：asp防sql注入与文本框防sql注入的代码
本页链接：http://www.jb200.com/article/15121.html

浏览排行

栏目分类

热点文章

asp防sql注入与文本框防sql注入的代码