ASP SQL Injection: Prevention and Cleanup

ASP 1340 0 2013-02-16


How to clean up after a SQL injection

1. varchar columns: a single REPLACE is enough.

e.g. "update [table] set column=replace(column, 'injected text', 'replacement')"

2. text columns take a little more work, because REPLACE does not accept the text type and the column has to be cast first. The cast is also the catch: varchar(8000) is the widest cast SQL Server 2000 allows, and any value longer than that is silently truncated by it, so check the longest value before running this (on SQL Server 2005 or later, cast to varchar(max) instead and the limit goes away).

"update [table] set column=replace(cast(column as varchar(8000)), 'injected text', 'replacement')"

3. Characters that are awkward to write inside a quoted literal, such as %, can be spelled with char() instead. Note that REPLACE, unlike LIKE, treats % as an ordinary character, so char(37) is a convenience rather than a requirement; the same idiom is more useful for a single quote, char(39), which would otherwise have to be doubled inside the literal.

update [table] set column=replace(column, char(37), '')

or

update [table] set column=replace(CONVERT(varchar(8000), column), char(37), '')
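The statements above are written one column at a time. The following is an added example, not code from the original post: an ASP maintenance page that applies the same REPLACE to every string column of every base table in a SQL Server database, taking the column list from INFORMATION_SCHEMA. The connection string, the users of the page and the INJECTED fragment are placeholders. Take a backup first; it updates every base table in place.

```vbscript
<%
' Added example, not from the original post: strip one injected fragment from
' every char/varchar/nchar/nvarchar/text/ntext column in the database. This is
' the general form of the per-column UPDATE ... REPLACE statements above.
' Placeholders: CONN_STR and INJECTED (the exact text to remove).
Option Explicit

Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=mydb;Integrated Security=SSPI"
Const INJECTED = "<script src=http://example.invalid/x.js></script>"   ' placeholder payload

' Brackets an identifier so a table or column name can never be read as SQL.
Function QuoteName(ident)
    QuoteName = "[" & Replace(ident, "]", "]]") & "]"
End Function

' Returns the total number of rows changed.
Function CleanInjectedText(connStr, injected)
    Dim conn, rs, cmd, cols, r, tbl, col, typ, expr, sql, affected, total
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr

    ' List every string column that belongs to a base table (views are skipped).
    Set rs = conn.Execute( _
        "SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE " & _
        "FROM INFORMATION_SCHEMA.COLUMNS c " & _
        "JOIN INFORMATION_SCHEMA.TABLES t " & _
        "  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME " & _
        "WHERE t.TABLE_TYPE = 'BASE TABLE' " & _
        "  AND c.DATA_TYPE IN ('char','varchar','nchar','nvarchar','text','ntext')")
    ' Copy the list out and close the recordset before updating: with SQLOLEDB a
    ' second statement cannot run while a default forward-only recordset is open.
    If rs.EOF Then
        rs.Close
        conn.Close
        CleanInjectedText = 0
        Exit Function
    End If
    cols = rs.GetRows()
    rs.Close

    total = 0
    For r = 0 To UBound(cols, 2)
        tbl = QuoteName(cols(0, r)) & "." & QuoteName(cols(1, r))
        col = QuoteName(cols(2, r))
        typ = LCase(cols(3, r))
        ' REPLACE and CHARINDEX do not accept text/ntext, so cast those columns.
        ' varchar(max) keeps the whole value (SQL Server 2005+); varchar(8000), as
        ' in the statements above, silently truncates anything longer.
        If typ = "text" Then
            expr = "CAST(" & col & " AS varchar(max))"
        ElseIf typ = "ntext" Then
            expr = "CAST(" & col & " AS nvarchar(max))"
        Else
            expr = col
        End If
        ' Only identifiers are concatenated, and they come bracket-quoted from the
        ' catalog; the fragment itself is bound as a parameter, never as SQL text.
        sql = "UPDATE " & tbl & " SET " & col & " = REPLACE(" & expr & ", ?, '') " & _
              "WHERE CHARINDEX(?, " & expr & ") > 0"
        Set cmd = Server.CreateObject("ADODB.Command")
        Set cmd.ActiveConnection = conn
        cmd.CommandType = 1   ' adCmdText
        cmd.CommandText = sql
        cmd.Parameters.Append cmd.CreateParameter("frag1", 202, 1, Len(injected), injected)   ' adVarWChar, adParamInput
        cmd.Parameters.Append cmd.CreateParameter("frag2", 202, 1, Len(injected), injected)
        cmd.Execute affected
        total = total + affected
    Next

    conn.Close
    CleanInjectedText = total
End Function

Response.Write "Rows cleaned: " & CleanInjectedText(CONN_STR, INJECTED)
%>
```

The WHERE clause limits each UPDATE to rows that actually contain the fragment, so tables that were not hit are not rewritten, and the row count returned by Execute gives a per-run total to compare against the number of rows the injection touched.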

Cleaning the data only removes the payload. The key is to add blocking code to the ASP pages themselves, so that the same injection cannot be repeated. The functions below are the usual blacklist helpers, and it is worth being clear about their limits: they strip or reject a fixed set of characters, so an input that needs none of them, such as 1 or 1=1 against a numeric column, comes back from CheckBadChar as True (acceptable). They reduce the exposure of a page that builds SQL by string concatenation; the dependable fix is to pass request values to SQL Server as parameters instead of concatenating them.


'**************************************************
'Function:  ReplaceBadChar
'Purpose:   Strip characters commonly used in SQL injection payloads
'Parameter: strChar ----- the string to filter
'Returns:   the filtered string
'**************************************************
Function ReplaceBadChar(strChar)
    If strChar = "" Or IsNull(strChar) Then
        ReplaceBadChar = ""
        Exit Function
    End If
    Dim strBadChar, arrBadChar, tempChar, i
    ' Comma-separated blacklist: + ' % ^ & ? ( ) < > [ ] { } / \ ; : the double
    ' quote, the NUL byte and the "--" comment marker. A comma itself can never
    ' be listed, because it is the separator.
    strBadChar = "+,',%,^,&,?,(,),<,>,[,],{,},/,\,;,:," & Chr(34) & "," & Chr(0) & ",--"
    arrBadChar = Split(strBadChar, ",")
    tempChar = strChar
    For i = 0 To UBound(arrBadChar)
        tempChar = Replace(tempChar, arrBadChar(i), "")
    Next
    ' Collapse "@@" so that @@version and other global variables cannot be spelled
    tempChar = Replace(tempChar, "@@", "@")
    ReplaceBadChar = tempChar
End Function

'**************************************************
'Function:  ReplaceUrlBadChar
'Purpose:   Strip SQL injection characters from a value that is part of a URL;
'           %, ^, &, ?, / and : are left alone because a URL legitimately uses them
'Parameter: strChar ----- the string to filter
'Returns:   the filtered string
'**************************************************
Function ReplaceUrlBadChar(strChar)
    If strChar = "" Or IsNull(strChar) Then
        ReplaceUrlBadChar = ""
        Exit Function
    End If
    Dim strBadChar, arrBadChar, tempChar, i
    strBadChar = "+,',(,),<,>,[,],{,},\,;," & Chr(34) & "," & Chr(0) & ",--"
    arrBadChar = Split(strBadChar, ",")
    tempChar = strChar
    For i = 0 To UBound(arrBadChar)
        tempChar = Replace(tempChar, arrBadChar(i), "")
    Next
    tempChar = Replace(tempChar, "@@", "@")
    ReplaceUrlBadChar = tempChar
End Function
'=================================================
'Function:  ReplaceBadUrl
'Purpose:   Remove references to admin_*.asp and user_*.asp pages from a URL,
'           matching each character in plain or URL-encoded (%XX) form
'Parameter: strContent ----- the URL to filter
'Returns:   the filtered URL
'=================================================
Function ReplaceBadUrl(ByVal strContent)
    Dim regEx, Matches, Match
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    ' admin_<anything>.asp
    regEx.Pattern = "(a|%61|%41)(d|%64|%44)(m|%6D|%4D)(i|%69|%49)(n|%6E|%4E)(\_|%5F)(.*?)(\.|%2E)(a|%61|%41)(s|%73|%53)(p|%70|%50)"
    Set Matches = regEx.Execute(strContent)
    For Each Match In Matches
        strContent = Replace(strContent, Match.Value, "")
    Next
    ' user_<anything>.asp
    regEx.Pattern = "(u|%75|%55)(s|%73|%53)(e|%65|%45)(r|%72|%52)(\_|%5F)(.*?)(\.|%2E)(a|%61|%41)(s|%73|%53)(p|%70|%50)"
    Set Matches = regEx.Execute(strContent)
    For Each Match In Matches
        strContent = Replace(strContent, Match.Value, "")
    Next
    ReplaceBadUrl = strContent
End Function

'**************************************************
'Function:  CheckBadChar
'Purpose:   Test whether a string contains blacklisted SQL characters
'Parameter: strChar ----- the string to check
'Returns:   True  ---- the string is acceptable
'           False ---- the string is empty or contains a blacklisted character
'**************************************************
Function CheckBadChar(strChar)
    Dim strBadChar, arrBadChar, i
    strBadChar = "@@,+,',%,^,&,?,(,),<,>,[,],{,},/,\,;,:," & Chr(34) & ",--"
    arrBadChar = Split(strBadChar, ",")
    ' Reject empty and Null values outright; the result must be set before the
    ' early exits below, otherwise an empty string would fall through as True
    CheckBadChar = False
    If IsNull(strChar) Then Exit Function
    If strChar = "" Then Exit Function
    For i = 0 To UBound(arrBadChar)
        If InStr(strChar, arrBadChar(i)) > 0 Then Exit Function
    Next
    CheckBadChar = True
End Function


'**************************************************
'Function:  CheckUserBadChar
'Purpose:   Stricter check for a user name: the SQL characters above plus
'           * | . and # are rejected (+, @@ and -- are not checked here)
'Parameter: strChar ----- the user name to check
'Returns:   True  ---- the name is acceptable
'           False ---- the name is empty or contains a blacklisted character
'**************************************************
Function CheckUserBadChar(strChar)
    Dim strBadChar, arrBadChar, i
    strBadChar = "',%,^,&,?,(,),<,>,[,],{,},/,\,;,:," & Chr(34) & ",*,|,.,#"
    arrBadChar = Split(strBadChar, ",")
    CheckUserBadChar = False
    If IsNull(strChar) Then Exit Function
    If strChar = "" Then Exit Function
    For i = 0 To UBound(arrBadChar)
        If InStr(strChar, arrBadChar(i)) > 0 Then Exit Function
    Next
    CheckUserBadChar = True
End Function
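The filters above are usually wrapped around a query built by string concatenation. The following is an added example, not code from the original post, showing that pattern beside the parameterized ADODB.Command form that makes character stripping unnecessary. It assumes the page's ReplaceBadChar function is included; the connection string and the users(id, name) table are placeholders.

```vbscript
<%
' Added example, not from the original post: the same lookup written first with
' the concatenation pattern these filters guard, then with a bound parameter.
' Assumes ReplaceBadChar (above) is included; CONN string and the users table
' are placeholders.
Option Explicit

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=mydb;Integrated Security=SSPI"

' Before: input concatenated into the SQL text. ReplaceBadChar removes the quote
' an attacker needs to break out of a string literal, but id is compared as a
' number, and "1 or 1=1" contains none of the listed characters, so it passes
' through unchanged and turns the query into a select-all.
Function GetUserUnsafe(userId)
    Set GetUserUnsafe = conn.Execute("SELECT id, name FROM users WHERE id = " & ReplaceBadChar(userId))
End Function

' After: check the type at the boundary, then bind the value as a parameter.
' The driver sends it separately from the statement, so it is never parsed as SQL.
Function GetUserSafe(userId)
    Dim cmd
    If Not IsNumeric(userId) Or Len(userId) > 9 Then
        Set GetUserSafe = Nothing
        Exit Function
    End If
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "SELECT id, name FROM users WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(userId))   ' adInteger, adParamInput
    Set GetUserSafe = cmd.Execute
End Function

' A free-text search the same way. The quote is handled by the driver; %, _, [
' and \ are only special to LIKE, so they are escaped for LIKE, not stripped.
Function SearchUsers(fragment)
    Dim cmd, pattern
    pattern = fragment
    pattern = Replace(pattern, "\", "\\")
    pattern = Replace(pattern, "%", "\%")
    pattern = Replace(pattern, "_", "\_")
    pattern = Replace(pattern, "[", "\[")
    pattern = "%" & pattern & "%"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1
    cmd.CommandText = "SELECT id, name FROM users WHERE name LIKE ? ESCAPE '\'"
    cmd.Parameters.Append cmd.CreateParameter("q", 202, 1, Len(pattern), pattern)   ' adVarWChar, adParamInput
    Set SearchUsers = cmd.Execute
End Function

Dim rs
Set rs = GetUserSafe(CStr(Request.QueryString("id")))
If rs Is Nothing Then
    Response.Write "invalid id"
ElseIf Not rs.EOF Then
    Response.Write Server.HTMLEncode(rs("name").Value)
End If
%>
```

With the value bound as a parameter the blacklist is no longer load-bearing: a quote, a comment marker or a % arrives at SQL Server as data. The type check in GetUserSafe is still worth keeping, because it rejects junk before a round trip and keeps CLng from overflowing on an over-long string.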


Author: 天涯网魂