如果页面中已经大量直接使用 Request 方法来获取参数，再另写一个过滤函数来代替 Request 方法，改动面积就大了，而且容易遗漏；那么可以在需要检查的页面 include 该方法并执行。
建议把调用该方法进行检查的位置放在数据库打开函数里面，因为注入是在数据库上发生的。
如:
Sub DbOpen()
' Run both request filters before the connection is opened, so every page
' that reaches the database passes through them without editing each page.
' The "..." lines below are placeholders in the author's sketch, not code.
QSqlSafe()
FSqlSafe()
...
...
Conn.Open()
End Sub
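' Check Request.QueryString (GET parameters) for blacklisted SQL fragments.
Sub QSqlSafe()
    ' Purpose: scan every query-string parameter for the fragments listed in
    ' BadSql and abort the response with "forbid" on the first hit.
    ' Fixed: InStr without a compare argument performs a binary
    ' (case-sensitive) match, so a keyword written in a different case than
    ' the list was not detected; vbTextCompare makes the match
    ' case-insensitive.
    ' Caveat (review): a keyword blacklist is not a substitute for
    ' parameterized queries (ADODB.Command with Parameters). Entries such as
    ' "and", "count", "mid", "char", "*" and "%" will also reject legitimate
    ' input, and Request.Cookies is not inspected by this sub or by FSqlSafe.
    Dim BadSql, ArrBad, GetQ, i
    BadSql = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
    ArrBad = Split(BadSql, "|")
    If Request.QueryString <> "" Then
        For Each GetQ In Request.QueryString
            For i = 0 To UBound(ArrBad)
                ' 1 = start position; vbTextCompare = case-insensitive compare
                If InStr(1, Request.QueryString(GetQ), ArrBad(i), vbTextCompare) > 0 Then
                    Response.Write "forbid"
                    Response.End()
                End If
            Next
        Next
    End If
End Sub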
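' Check Request.Form (POST fields) for blacklisted SQL fragments.
Sub FSqlSafe()
    ' Purpose: scan every form field for the fragments listed in BadSql and
    ' abort the response with "forbid" on the first hit.
    ' Bug fixed: the original looped over Request.QueryString (and read
    ' Request.QueryString(GetF)) inside the Request.Form guard, so POSTed
    ' fields were never inspected at all. It now iterates Request.Form.
    ' Also fixed: InStr without a compare argument is case-sensitive;
    ' vbTextCompare makes the keyword match case-insensitive.
    ' Caveat (review): a keyword blacklist is not a substitute for
    ' parameterized queries (ADODB.Command with Parameters). Entries such as
    ' "and", "count", "mid", "char", "*" and "%" will also reject legitimate
    ' form input, and Request.Cookies is not inspected by this sub or QSqlSafe.
    Dim BadSql, ArrBad, GetF, i
    BadSql = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
    ArrBad = Split(BadSql, "|")
    If Request.Form <> "" Then
        For Each GetF In Request.Form
            For i = 0 To UBound(ArrBad)
                ' 1 = start position; vbTextCompare = case-insensitive compare
                If InStr(1, Request.Form(GetF), ArrBad(i), vbTextCompare) > 0 Then
                    Response.Write "forbid"
                    Response.End()
                End If
            Next
        Next
    End If
End Sub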
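' Check Request.QueryString (GET parameters) for blacklisted SQL fragments.
Sub QSqlSafe()
    ' Purpose: scan every query-string parameter for the fragments listed in
    ' BadSql and abort the response with "forbid" on the first hit.
    ' Fixed: InStr without a compare argument performs a binary
    ' (case-sensitive) match, so a keyword written in a different case than
    ' the list was not detected; vbTextCompare makes the match
    ' case-insensitive.
    ' Caveat (review): a keyword blacklist is not a substitute for
    ' parameterized queries (ADODB.Command with Parameters). Entries such as
    ' "and", "count", "mid", "char", "*" and "%" will also reject legitimate
    ' input, and Request.Cookies is not inspected by this sub or by FSqlSafe.
    Dim BadSql, ArrBad, GetQ, i
    BadSql = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
    ArrBad = Split(BadSql, "|")
    If Request.QueryString <> "" Then
        For Each GetQ In Request.QueryString
            For i = 0 To UBound(ArrBad)
                ' 1 = start position; vbTextCompare = case-insensitive compare
                If InStr(1, Request.QueryString(GetQ), ArrBad(i), vbTextCompare) > 0 Then
                    Response.Write "forbid"
                    Response.End()
                End If
            Next
        Next
    End If
End Sub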
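' Check Request.Form (POST fields) for blacklisted SQL fragments.
Sub FSqlSafe()
    ' Purpose: scan every form field for the fragments listed in BadSql and
    ' abort the response with "forbid" on the first hit.
    ' Bug fixed: the original looped over Request.QueryString (and read
    ' Request.QueryString(GetF)) inside the Request.Form guard, so POSTed
    ' fields were never inspected at all. It now iterates Request.Form.
    ' Also fixed: InStr without a compare argument is case-sensitive;
    ' vbTextCompare makes the keyword match case-insensitive.
    ' Caveat (review): a keyword blacklist is not a substitute for
    ' parameterized queries (ADODB.Command with Parameters). Entries such as
    ' "and", "count", "mid", "char", "*" and "%" will also reject legitimate
    ' form input, and Request.Cookies is not inspected by this sub or QSqlSafe.
    Dim BadSql, ArrBad, GetF, i
    BadSql = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
    ArrBad = Split(BadSql, "|")
    If Request.Form <> "" Then
        For Each GetF In Request.Form
            For i = 0 To UBound(ArrBad)
                ' 1 = start position; vbTextCompare = case-insensitive compare
                If InStr(1, Request.Form(GetF), ArrBad(i), vbTextCompare) > 0 Then
                    Response.Write "forbid"
                    Response.End()
                End If
            Next
        Next
    End If
End Sub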