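<%
' Request filter: reject a request whose URL or query string contains common
' SQL-injection / command-execution tokens.
'
' SECURITY NOTE (review): this is a keyword blacklist and is trivially bypassed
' (any whitespace other than "%20" such as "+", "%09" or "/**/"; comments;
' alternative encodings; string building with CHAR()). Treat it as
' defence-in-depth only. The real protection is to never concatenate request
' values into SQL: use ADODB.Command with Parameters, and convert typed inputs
' (CLng, CDate) before use.
'
' Defects fixed relative to the original:
'  * the original only wrote a client-side alert and let the page keep running,
'    so a "rejected" request was still executed server-side - Response.End now
'    stops processing;
'  * InStr defaulted to a binary (case-sensitive) compare, so "SELECT%20"
'    passed untouched - the compare is now vbTextCompare (case-insensitive).
Dim strTemp, arrBlock, i

' Rebuild the requested URL: scheme, host, non-default port, path, query.
strTemp = "http://" & Request.ServerVariables("SERVER_NAME")
' Compare as strings rather than relying on Variant string/number coercion.
If Request.ServerVariables("SERVER_PORT") <> "80" Then
    strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")
End If
strTemp = strTemp & Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then
    strTemp = strTemp & "?" & Trim(Request.QueryString)
End If

' Tokens that cause the request to be rejected (same list as the original).
arrBlock = Array("select%20", "insert%20", "count(", "drop%20table", "update%20", _
                 "truncate%20", "asc(", "mid(", "char(", "xp_cmdshell", _
                 "exec%20master", "net%20localgroup%20administrators", "net%20user", _
                 "'", "%20or%20")

For i = 0 To UBound(arrBlock)
    ' vbTextCompare makes the match case-insensitive.
    If InStr(1, strTemp, arrBlock(i), vbTextCompare) > 0 Then
        Response.Write "<script language=JavaScript>{window.alert('错误的请求!类式于SQL注入攻击,被服务器拒绝');window.history.back();}</script>"
        ' Without this the rest of the page (and its SQL) would still run.
        Response.End
    End If
Next
%>
参考一下ASP的,我也是最近在学PHP,有些不懂,你转换一下!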
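' Request filter: reject a request whose URL or query string contains common
' SQL-injection / command-execution tokens.
'
' SECURITY NOTE (review): this is a keyword blacklist and is trivially bypassed
' (any whitespace other than "%20" such as "+", "%09" or "/**/"; comments;
' alternative encodings; string building with CHAR()). Treat it as
' defence-in-depth only. The real protection is to never concatenate request
' values into SQL: use ADODB.Command with Parameters, and convert typed inputs
' (CLng, CDate) before use.
'
' Defects fixed relative to the original:
'  * the original only wrote a client-side alert and let the page keep running,
'    so a "rejected" request was still executed server-side - Response.End now
'    stops processing;
'  * InStr defaulted to a binary (case-sensitive) compare, so "SELECT%20"
'    passed untouched - the compare is now vbTextCompare (case-insensitive).
Dim strTemp, arrBlock, i

' Rebuild the requested URL: scheme, host, non-default port, path, query.
strTemp = "http://" & Request.ServerVariables("SERVER_NAME")
' Compare as strings rather than relying on Variant string/number coercion.
If Request.ServerVariables("SERVER_PORT") <> "80" Then
    strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")
End If
strTemp = strTemp & Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then
    strTemp = strTemp & "?" & Trim(Request.QueryString)
End If

' Tokens that cause the request to be rejected (same list as the original).
arrBlock = Array("select%20", "insert%20", "count(", "drop%20table", "update%20", _
                 "truncate%20", "asc(", "mid(", "char(", "xp_cmdshell", _
                 "exec%20master", "net%20localgroup%20administrators", "net%20user", _
                 "'", "%20or%20")

For i = 0 To UBound(arrBlock)
    ' vbTextCompare makes the match case-insensitive.
    If InStr(1, strTemp, arrBlock(i), vbTextCompare) > 0 Then
        Response.Write "<script language=JavaScript>{window.alert('错误的请求!类式于SQL注入攻击,被服务器拒绝');window.history.back();}</script>"
        ' Without this the rest of the page (and its SQL) would still run.
        Response.End
    End If
Next %>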
参考一下ASP的,我也是最近在学PHP,有些不懂,你转换一下!
数字型参数可以先用 IsNumeric 检测，但要注意 IsNumeric 对 "1e5"、"&HFF"（十六进制）以及带货币符号或千分位的字符串也会返回 True，所以检测通过后应当用 CLng/CDbl 转换，并且只使用转换后的值，不要把原始字符串直接拼进 SQL。
日期型参数用 IsDate 检测，通过后同样用 CDate 转换后再使用，不要拼接原始字符串。
字符型参数把单引号替换为两个单引号：xx=Replace(xx,"'","''")。注意这只对放在单引号内的字符串字面量有效：对没有引号包围的数字/字段名位置、LIKE 子句中的 % 和 _ 通配符都不起作用，而且漏替换一处就会整体失效。更可靠的做法是用 ADODB.Command 的 Parameters（参数化查询），由数据库驱动负责转义，而不是在 ASP 里手工替换。