Topic:  What function does everyone use to prevent SQL injection?

死不了

Role: regular member
Level: 1
Gold: 0.0
Posts: 89
Registered: 2004/5/8 10:37:12
#1 2005/5/12 15:30:21
Function SafeRequest(ParaName)
    Dim Paravalue
    Paravalue = Request(ParaName)
    ' Purely numeric values are passed through unchanged
    If IsNumeric(Paravalue) = True Then
        SafeRequest = Paravalue
        Exit Function
    ' Otherwise block the value if it contains any of the keywords below
    ' (VBScript needs the "_" continuation to split one condition over lines)
    ElseIf Instr(LCase(Paravalue), "select ") > 0 _
        Or Instr(LCase(Paravalue), "insert ") > 0 _
        Or Instr(LCase(Paravalue), "delete from") > 0 _
        Or Instr(LCase(Paravalue), "count(") > 0 _
        Or Instr(LCase(Paravalue), "drop table") > 0 _
        Or Instr(LCase(Paravalue), "update ") > 0 _
        Or Instr(LCase(Paravalue), "truncate ") > 0 _
        Or Instr(LCase(Paravalue), "asc(") > 0 _
        Or Instr(LCase(Paravalue), "mid(") > 0 _
        Or Instr(LCase(Paravalue), "char(") > 0 _
        Or Instr(LCase(Paravalue), "xp_cmdshell") > 0 _
        Or Instr(LCase(Paravalue), "exec master") > 0 _
        Or Instr(LCase(Paravalue), "net localgroup administrators") > 0 _
        Or Instr(LCase(Paravalue), " and ") > 0 _
        Or Instr(LCase(Paravalue), "net user") > 0 _
        Or Instr(LCase(Paravalue), " or ") > 0 Then

        Response.Write "<script language='javascript'>"
        Response.Write "alert('非法的请求!');" ' message shown when a SQL injection attempt is detected
        Response.Write "location.href='http://www.wz114.com/';" ' URL redirected to when a SQL injection attempt is detected
        Response.Write "</script>"
        Response.End
    Else
        SafeRequest = Paravalue
    End If
End Function

Replace Request with SafeRequest. What else does this function need?

Also, what functions do you all use to block malicious code? Could we compare notes?
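As an added example (not code from either poster), the same requests handled without keyword filtering: a parameterized ADODB.Command binds the user's value as typed data, so the SQL text never changes no matter what the client sends. It assumes a SQL Server connection string in ConnStr and a hypothetical table Articles(Id int, Title nvarchar(200)).

```vbscript
Option Explicit
' Added example, not from the thread. Assumes ConnStr holds a SQL Server
' connection string and a hypothetical table Articles(Id int, Title nvarchar(200)).
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202

' Look up one article by id. The SQL text is constant; the id is bound as a
' typed parameter, so nothing the client sends can alter the statement.
Function GetArticleTitle(ConnStr, IdText)
    Dim Conn, Cmd, Rs
    GetArticleTitle = ""
    ' Type check first. Note IsNumeric also accepts forms such as "1e3" or "&H10";
    ' a digits-only check is stricter, but the binding below is the real defense.
    If Not IsNumeric(IdText) Then Exit Function
    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open ConnStr
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandType = adCmdText
    Cmd.CommandText = "SELECT Title FROM Articles WHERE Id = ?"
    Cmd.Parameters.Append Cmd.CreateParameter("Id", adInteger, adParamInput, , CLng(IdText))
    Set Rs = Cmd.Execute
    If Not Rs.EOF Then GetArticleTitle = Rs("Title").Value
    Rs.Close
    Conn.Close
End Function

' Title search. Words such as "and" or "or" inside the keyword are plain data here,
' so a search for "salt and pepper" is neither blocked nor interpreted as SQL.
Function FindArticleTitles(ConnStr, Keyword)
    Dim Conn, Cmd, Rs, Titles
    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open ConnStr
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandType = adCmdText
    Cmd.CommandText = "SELECT Title FROM Articles WHERE Title LIKE ?"
    ' Variable-length types need a size; the % wildcards are part of the bound
    ' value, not of the SQL text, so they cannot widen the statement itself.
    Cmd.Parameters.Append Cmd.CreateParameter("Kw", adVarWChar, adParamInput, 202, "%" & Keyword & "%")
    Set Rs = Cmd.Execute
    Titles = ""
    Do Until Rs.EOF
        Titles = Titles & Rs("Title").Value & vbCrLf
        Rs.MoveNext
    Loop
    Rs.Close
    Conn.Close
    FindArticleTitles = Titles
End Function
```

Because the value is bound rather than concatenated, the blacklist's false positives (any legitimate text containing " and ", " or ", "mid(" and so on) disappear along with the injection risk for these statements.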



Juven

Role: regular member
Level: 2
Gold: 1.0
Posts: 474
Registered: 2002/2/27 15:43:49
#2 2005/5/22 19:39:39
Study this properly: http://www.it365cn.com/show.asp?id=1333