'=====================================================================
'--- 參數說明---asp防sql注入
'ParaName:參數名稱--字符型
'ParaType:參數類型-數字型(0表示為數值型,其它表示字符型)
'=======================================================================
Function rq(ParaName,ParaType)
Dim ParaValue
ParaValue=trim(Request(ParaName))
If ParaType=0 then
If ParaValue="" or not isNumeric(ParaValue) then
response.Write("<Script Language='javascript'>alert('參數" & ParaName & "必須為數值型!');window.history.back(-1)</Script>")
response.End()
End if
Else
ParaValue=replace(ParaValue,"'","''")
End if
rq=ParaValue
End function
'--- 參數說明---asp防sql注入
'ParaName:參數名稱--字符型
'ParaType:參數類型-數字型(0表示為數值型,其它表示字符型)
'=======================================================================
Function rq(ParaName,ParaType)
Dim ParaValue
ParaValue=trim(Request(ParaName))
If ParaType=0 then
If ParaValue="" or not isNumeric(ParaValue) then
response.Write("<Script Language='javascript'>alert('參數" & ParaName & "必須為數值型!');window.history.back(-1)</Script>")
response.End()
End if
Else
ParaValue=replace(ParaValue,"'","''")
End if
rq=ParaValue
End function
'=====================================================================
'--- 參數說明---asp防sql注入
'ParaName:參數名稱--字符型
'ParaType:參數類型-數字型(0表示為數值型,其它表示字符型)
'=======================================================================
Function rq(ParaName,ParaType)
Dim ParaValue
ParaValue=trim(Request(ParaName))
dim str,str1,str2
str=""
str1="<Script Language='javascript'>alert('參數"
str2="');window.history.back(-1)</Script>"
Select case ParaType
Case 0 '//可以為空,或是為數值型
IF ParaValue<>"" and not isNumeric(ParaValue) then
str=str1 & ParaName & "必須為數值型!" & str2
response.Write(str):response.End()
end if
Case 1 '//不能為空,只允許是數值型
IF ParaValue="" or not isNumeric(ParaValue) then
str=str1 & ParaName & "必須為數值型!" & str2
response.Write(str):response.End()
end if
Case 2 '//可以為空,或是日期型
IF ParaValue<>"" and not isdate(ParaValue) then
str=str1 & ParaName & "必須為日期型!" & str2
response.Write(str):response.End()
end if
Case 3 '//如果要求要將'換成''號處理的
ParaValue=replace(ParaValue,"'","''")
Case else'//字符串的處理,如果是傳給存儲過程或是帶參數的SQL執行時,不需要進行替換處理
ParaValue=ParaValue
End Select
rq=ParaValue
End function
'--- 參數說明---asp防sql注入
'ParaName:參數名稱--字符型
'ParaType:參數類型-數字型(0表示為數值型,其它表示字符型)
'=======================================================================
Function rq(ParaName,ParaType)
Dim ParaValue
ParaValue=trim(Request(ParaName))
dim str,str1,str2
str=""
str1="<Script Language='javascript'>alert('參數"
str2="');window.history.back(-1)</Script>"
Select case ParaType
Case 0 '//可以為空,或是為數值型
IF ParaValue<>"" and not isNumeric(ParaValue) then
str=str1 & ParaName & "必須為數值型!" & str2
response.Write(str):response.End()
end if
Case 1 '//不能為空,只允許是數值型
IF ParaValue="" or not isNumeric(ParaValue) then
str=str1 & ParaName & "必須為數值型!" & str2
response.Write(str):response.End()
end if
Case 2 '//可以為空,或是日期型
IF ParaValue<>"" and not isdate(ParaValue) then
str=str1 & ParaName & "必須為日期型!" & str2
response.Write(str):response.End()
end if
Case 3 '//如果要求要將'換成''號處理的
ParaValue=replace(ParaValue,"'","''")
Case else'//字符串的處理,如果是傳給存儲過程或是帶參數的SQL執行時,不需要進行替換處理
ParaValue=ParaValue
End Select
rq=ParaValue
End function
http://www.secnumen.com/technology/anquanwenzhai.htm
代码
Function Checkstr(Str)
If Isnull(Str) Then
CheckStr = ""
Exit Function
End If
Str = Replace(Str,Chr(0),"", 1, -1, 1)
Str = Replace(Str, """", """""", 1, -1, 1)
Str = Replace(Str,"<","<", 1, -1, 1)
Str = Replace(Str,">",">", 1, -1, 1)
Str = Replace(Str, "script", "script", 1, -1, 0)
Str = Replace(Str, "SCRIPT", "SCRIPT", 1, -1, 0)
Str = Replace(Str, "Script", "Script", 1, -1, 0)
Str = Replace(Str, "script", "Script", 1, -1, 1)
Str = Replace(Str, "object", "object", 1, -1, 0)
Str = Replace(Str, "OBJECT", "OBJECT", 1, -1, 0)
Str = Replace(Str, "Object", "Object", 1, -1, 0)
Str = Replace(Str, "object", "Object", 1, -1, 1)
Str = Replace(Str, "applet", "applet", 1, -1, 0)
Str = Replace(Str, "APPLET", "APPLET", 1, -1, 0)
Str = Replace(Str, "Applet", "Applet", 1, -1, 0)
Str = Replace(Str, "applet", "Applet", 1, -1, 1)
Str = Replace(Str, "[", "[")
Str = Replace(Str, "]", "]")
Str = Replace(Str, """", "", 1, -1, 1)
Str = Replace(Str, "=", "=", 1, -1, 1)
Str = Replace(Str, "'", "''", 1, -1, 1)
Str = Replace(Str, "select", "select", 1, -1, 1)
Str = Replace(Str, "execute", "execute", 1, -1, 1)
Str = Replace(Str, "exec", "exec", 1, -1, 1)
Str = Replace(Str, "join", "join", 1, -1, 1)
Str = Replace(Str, "union", "union", 1, -1, 1)
Str = Replace(Str, "where", "where", 1, -1, 1)
Str = Replace(Str, "insert", "insert", 1, -1, 1)
Str = Replace(Str, "delete", "delete", 1, -1, 1)
Str = Replace(Str, "update", "update", 1, -1, 1)
Str = Replace(Str, "like", "like", 1, -1, 1)
Str = Replace(Str, "drop", "drop", 1, -1, 1)
Str = Replace(Str, "create", "create", 1, -1, 1)
Str = Replace(Str, "rename", "rename", 1, -1, 1)
Str = Replace(Str, "count", "count", 1, -1, 1)
Str = Replace(Str, "chr", "chr", 1, -1, 1)
Str = Replace(Str, "mid", "mid", 1, -1, 1)
Str = Replace(Str, "truncate", "truncate", 1, -1, 1)
Str = Replace(Str, "nchar", "nchar", 1, -1, 1)
Str = Replace(Str, "char", "char", 1, -1, 1)
Str = Replace(Str, "alter", "alter", 1, -1, 1)
Str = Replace(Str, "cast", "cast", 1, -1, 1)
Str = Replace(Str, "exists", "exists", 1, -1, 1)
Str = Replace(Str,Chr(13)," 50.", 1, -1, 1)
CheckStr = Replace(Str,"'","''", 1, -1, 1)
End Function
If Isnull(Str) Then
CheckStr = ""
Exit Function
End If
Str = Replace(Str,Chr(0),"", 1, -1, 1)
Str = Replace(Str, """", """""", 1, -1, 1)
Str = Replace(Str,"<","<", 1, -1, 1)
Str = Replace(Str,">",">", 1, -1, 1)
Str = Replace(Str, "script", "script", 1, -1, 0)
Str = Replace(Str, "SCRIPT", "SCRIPT", 1, -1, 0)
Str = Replace(Str, "Script", "Script", 1, -1, 0)
Str = Replace(Str, "script", "Script", 1, -1, 1)
Str = Replace(Str, "object", "object", 1, -1, 0)
Str = Replace(Str, "OBJECT", "OBJECT", 1, -1, 0)
Str = Replace(Str, "Object", "Object", 1, -1, 0)
Str = Replace(Str, "object", "Object", 1, -1, 1)
Str = Replace(Str, "applet", "applet", 1, -1, 0)
Str = Replace(Str, "APPLET", "APPLET", 1, -1, 0)
Str = Replace(Str, "Applet", "Applet", 1, -1, 0)
Str = Replace(Str, "applet", "Applet", 1, -1, 1)
Str = Replace(Str, "[", "[")
Str = Replace(Str, "]", "]")
Str = Replace(Str, """", "", 1, -1, 1)
Str = Replace(Str, "=", "=", 1, -1, 1)
Str = Replace(Str, "'", "''", 1, -1, 1)
Str = Replace(Str, "select", "select", 1, -1, 1)
Str = Replace(Str, "execute", "execute", 1, -1, 1)
Str = Replace(Str, "exec", "exec", 1, -1, 1)
Str = Replace(Str, "join", "join", 1, -1, 1)
Str = Replace(Str, "union", "union", 1, -1, 1)
Str = Replace(Str, "where", "where", 1, -1, 1)
Str = Replace(Str, "insert", "insert", 1, -1, 1)
Str = Replace(Str, "delete", "delete", 1, -1, 1)
Str = Replace(Str, "update", "update", 1, -1, 1)
Str = Replace(Str, "like", "like", 1, -1, 1)
Str = Replace(Str, "drop", "drop", 1, -1, 1)
Str = Replace(Str, "create", "create", 1, -1, 1)
Str = Replace(Str, "rename", "rename", 1, -1, 1)
Str = Replace(Str, "count", "count", 1, -1, 1)
Str = Replace(Str, "chr", "chr", 1, -1, 1)
Str = Replace(Str, "mid", "mid", 1, -1, 1)
Str = Replace(Str, "truncate", "truncate", 1, -1, 1)
Str = Replace(Str, "nchar", "nchar", 1, -1, 1)
Str = Replace(Str, "char", "char", 1, -1, 1)
Str = Replace(Str, "alter", "alter", 1, -1, 1)
Str = Replace(Str, "cast", "cast", 1, -1, 1)
Str = Replace(Str, "exists", "exists", 1, -1, 1)
Str = Replace(Str,Chr(13)," 50.", 1, -1, 1)
CheckStr = Replace(Str,"'","''", 1, -1, 1)
End Function
最好的辦法是使用存儲過程或是參數化sql.這樣才可以完全防止注入.