Below is an anti-SQL-injection function. Use it to filter the data passed between pages and the injection problem can be completely avoided; even the injection tools that are popular now cannot get through it:
-------------------------------------------
'-----------------Anti-injection function:
Function SafeRequest(ParaName,ParaType)
    '--- Parameters ---
    'ParaName: parameter name - string
    'ParaType: parameter type - numeric (1 means the parameter above is a number, 0 means it is a string)
    Dim ParaValue
    ParaValue=Request(ParaName)
    If ParaType=1 then
        'numeric parameter: reject anything IsNumeric does not accept
        If not isNumeric(ParaValue) then
            Response.write "Parameter " & ParaName & " must be numeric!"
            Response.end
        End if
    Else
        'string parameter: trim, HTML-escape angle brackets, strip quotes and keywords
        ParaValue=trim(ParaValue)
        ParaValue=replace(ParaValue,"<","&lt;")
        ParaValue=replace(ParaValue,">","&gt;")
        ParaValue=replace(ParaValue,"'","")
        ParaValue=replace(ParaValue,"and","")
        ParaValue=replace(ParaValue,vbCrLf&vbCrLf,"</p><p>")
        ParaValue=replace(ParaValue,vbCrLf,"<br/>")
        ParaValue=replace(ParaValue,"&#","&amp;#")
        ParaValue=replace(ParaValue,"javascript","/javascript")
        ParaValue=replace(ParaValue,"cookie","/cookie")
        ParaValue=replace(ParaValue,"document","/document")
        'ParaValue=replace(ParaValue," ","??")
    End if
    SafeRequest=ParaValue
End function
-------------------------------------------
Example: if your form passes ?name=abc&age=20 to login.asp, then after loading the function above in login.asp
use SafeRequest("name",0) to get the value of name
use SafeRequest("age",1) to get the value of age
Got it?
e.g.
<script>
var x="cdf<asf";
// indexOf returns -1 when "<" is absent, so test against -1, not 0
if (x.indexOf("<") != -1)
    alert("police!!freeze!!")
</script>
Don't concatenate the submitted parameters directly into the SQL statement. Otherwise add me on QQ, I also write ASP in JS. QQ:65827536
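An added example, not code from either post above: a Python port of the two branches of the SafeRequest filter from the first post, placed next to the concatenation the second post warns against and next to a bound-parameter query, all run against a constructed in-memory sqlite3 table so the three can be compared on the same input without an IIS box. Every function name, the users table and its rows are assumptions made for the demonstration; the replacement table itself is copied from the thread's VBScript.

```python
"""Added example: SafeRequest port, string concatenation and a bound parameter
compared on the same input. Not code from the thread."""
import re
import sqlite3

# Replacement table copied from the thread's string branch (ParaType=0).
# VBScript's Replace() is single-pass and case-sensitive by default
# (vbBinaryCompare), and str.replace() behaves the same way, so the port is
# faithful: "AND" passes through untouched and "aandnd" collapses to "and".
_REPLACEMENTS = [
    ("<", "&lt;"), (">", "&gt;"), ("'", ""), ("and", ""),
    ("\r\n\r\n", "</p><p>"), ("\r\n", "<br/>"), ("&#", "&amp;#"),
    ("javascript", "/javascript"), ("cookie", "/cookie"),
    ("document", "/document"),
]


def safe_request_str(value: str) -> str:
    """SafeRequest(name, 0): trim, then apply the blacklist replacements."""
    value = value.strip()
    for old, new in _REPLACEMENTS:
        value = value.replace(old, new)
    return value


def safe_request_int(value: str) -> int:
    """SafeRequest(name, 1), stricter than VBScript's IsNumeric (which also
    accepts forms such as "1e3"): only an optional sign and digits pass."""
    if re.fullmatch(r"[+-]?\d+", value.strip()) is None:
        raise ValueError(f"parameter must be numeric: {value!r}")
    return int(value.strip())


def make_db() -> sqlite3.Connection:
    """Constructed sample table (assumed for the example, not from the page)."""
    cn = sqlite3.connect(":memory:")
    cn.executescript(
        "CREATE TABLE users(id INTEGER, name TEXT, age INTEGER);"
        "INSERT INTO users VALUES (1,'abc',20),(2,'Sandra',31),(3,'O''Brien',45);"
    )
    return cn


def lookup_concat_raw(cn: sqlite3.Connection, name: str) -> list:
    """What the second reply warns against: the request value glued into SQL."""
    sql = "SELECT id, name FROM users WHERE name='" + name + "'"
    return cn.execute(sql).fetchall()


def lookup_concat_filtered(cn: sqlite3.Connection, name: str) -> list:
    """The first post's approach: same concatenation, value passed through
    the SafeRequest string filter first."""
    sql = "SELECT id, name FROM users WHERE name='" + safe_request_str(name) + "'"
    return cn.execute(sql).fetchall()


def lookup_param(cn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the driver never parses the value as SQL text, so no
    quote or keyword stripping is needed and legitimate names stay intact."""
    return cn.execute(
        "SELECT id, name FROM users WHERE name=?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("raw concat, payload:      ", lookup_concat_raw(db, payload))      # all 3 rows
    print("filtered concat, payload: ", lookup_concat_filtered(db, payload)) # []
    print("param, payload:           ", lookup_param(db, payload))           # []
    # "Sandra" contains "and", so the filter turns it into "Sra"
    print("filtered concat, Sandra:  ", lookup_concat_filtered(db, "Sandra")) # []
    print("param, Sandra:            ", lookup_param(db, "Sandra"))           # [(2, 'Sandra')]
    print("param, O'Brien:           ", lookup_param(db, "O'Brien"))          # [(3, "O'Brien")]
```

Run it as a script to see the three lookups side by side: the raw concatenation returns every row for the `' OR 1=1 --` input, the filtered concatenation and the bound parameter both return nothing for it, but only the bound parameter still finds "Sandra" and "O'Brien", because the filter has removed the "and" and the apostrophe from them before the query is built. In classic ASP the bound-parameter form is ADODB.Command with CommandText containing "?" placeholders and Parameters.Append cmd.CreateParameter(...) for each value.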