'提交信息转换HTML
function Replace_Text(fString)
if isnull(fString) then
Replace_Text=""
exit function
else
fString=trim(fString)
fString=replace(fString,"'","''")
fString=replace(fString,";",";")
fString=replace(fString,"--","—")
fString=server.htmlencode(fString)
Replace_Text=fString
end if
end function
'信息过滤
Function Replace_Text2(fString)
If Not IsNull(fString) Then
fString = trim(fString)
fString = replace(fString, ";", ";") '分号过滤
fString = replace(fString, "--", "——") '--过滤
fString = replace(fString, "%20", "") '特殊字符过滤
fString = replace(fString, "==", "") '==过滤
fString = replace(fString, ">", ">")
fString = replace(fString, "<", "<")
fString = Replace(fString, CHR(32), " ") '
fString = Replace(fString, CHR(9), " ") '
fString = Replace(fString, CHR(34), """)
fString = Replace(fString, CHR(39), "'") '单引号过滤
fString = Replace(fString, CHR(13), "")
fString = Replace(fString, CHR(10) & CHR(10), "</P><P> ")
fString = Replace(fString, CHR(10), "<BR> ")
Replace_Text = fString
End If
End Function
'过滤SQL非法字符
Function checkStr(Chkstr)
dim Str:Str=Chkstr
if isnull(Str) then
checkStr = ""
exit Function
else
Str=replace(Str,"'","")
Str=replace(Str,";","")
Str=replace(Str,"--","")
checkStr=Str
end if
End Function
'过滤(传递方式GET/POST/COOKIES)指定字符
'--------定义部份------------------
Dim XH_Post,XH_Get,XH_In,XH_Inf,XH_Xh,XH_db,XH_dbstr
'自定义需要过滤的字串,用 "|" 分隔
XH_In
=
"and|exec|insert|select|delete%20from|update|count|*|%|chr|mid|master|truncate|char|declare|drop%20table|from|net%20user|xp_cmdshell|/add|net%20localgroup%20administrators|Asc|char"
'----------------------------------
XH_Inf = split(XH_In,"|")
'--------POST部份------------------
If Request.Form<>"" Then
For Each XH_Post In Request.Form
For XH_Xh=0 To Ubound(XH_Inf)
If Instr(LCase(Request.Form(XH_Post)),XH_Inf(XH_Xh))<>0 Then
Response.Write "<Script Language=JavaScript>alert('请不要在参数中包含非法字符尝试注入!');</Script>"
Response.Write "非法操作!系统做了如下记录↓<br>"
Response.Write "操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
Response.Write "操作时间:"&Now&"<br>"
Response.Write "操作页面:"&Request.ServerVariables("URL")&"<br>"
Response.Write "提交方式:POST<br>"
Response.Write "提交参数:"&XH_Post&"<br>"
Response.Write "提交数据:"&Request.Form(XH_Post)
Response.End
End If
Next
Next
End If
'----------------------------------
'--------GET部份-------------------
If Request.QueryString<>"" Then
For Each XH_Get In Request.QueryString
For XH_Xh=0 To Ubound(XH_Inf)
If Instr(LCase(Request.QueryString(XH_Get)),XH_Inf(XH_Xh))<>0 Then
Response.Write "<Script Language=JavaScript>alert('请不要在参数中包含非法字符尝试注入!');</Script>"
Response.Write "非法操作!系统做了如下记录↓<br>"
Response.Write "操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
Response.Write "操作时间:"&Now&"<br>"
Response.Write "操作页面:"&Request.ServerVariables("URL")&"<br>"
Response.Write "提交方式:GET<br>"
Response.Write "提交参数:"&XH_Get&"<br>"
Response.Write "提交数据:"&Request.QueryString(XH_Get)
Response.End
End If
Next
Next
End If
'----------------------------------
'--------COOKIE部份-------------------
If Request.Cookies<>"" Then
For Each XH_Cookie In Request.Cookies
For XH_Xh=0 To Ubound(XH_Inf)
If Instr(LCase(Request.Cookies(XH_Cookie)),XH_Inf(XH_Xh))<>0 Then
Response.Write "非法操作!系统做了如下记录↓<br>"
Response.Write "操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
Response.Write "操作时间:"&Now&"<br>"
Response.Write "操作页面:"&Request.ServerVariables("URL")&"<br>"
Response.Write "提交方式:Cookie<br>"
Response.Write "提交参数:"&XH_Cookie&"<br>"
Response.Write "提交数据:"&Request.Cookies(XH_Cookie)
Response.End
End If
Next
Next
End If
'----------------------------------
上一篇:ASP SQL注入的防与解
下一篇:ASP数组的使用
讨论数量:0
