A Simple ASP Function for Preventing SQL Injection

Author: 小古 | Category: Web Technology | Published: 2012-1-4 | 8266 views | 60 comments

A simple ASP function for preventing SQL injection. It is all quite simple, and I believe everyone will be able to follow it!

 

<%
' Keyword-blacklist filter. Returns ParaName unchanged when it is numeric or
' contains none of the listed keywords; otherwise shows an alert and ends the
' response. Returns Empty when ParaName is an empty string.
Function sqlzr(ParaName)
 Dim lowered, keywords, i
 if ParaName <> "" then
  if IsNumeric(ParaName) = True then
   sqlzr=ParaName
   exit Function
  End If
  lowered = LCase(ParaName)
  keywords = Array("select ", "insert ", "delete from", "count(", "drop table", _
   "update ", "truncate ", "asc(", "mid(", "char(", "xp_cmdshell", _
   "exec master", "net localgroup administrators", " and ", "net user", " or ")
  For i = 0 To UBound(keywords)
   ' Case-insensitive substring match against each blacklisted keyword
   If Instr(lowered, keywords(i)) > 0 Then
    ' The alert text below means "Illegal request!"
    Response.Write "<script language='javascript'>"
    Response.Write "alert('非法的请求!');"
    Response.Write "</script>"
    Response.end
   End If
  Next
  sqlzr=ParaName
 End If
End function

' Sample call: the string contains no blacklisted keyword, so it is written out unchanged
response.write sqlzr("dfgdgfh")
%>
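
A keyword filter like sqlzr also rejects ordinary text that happens to contain a listed word such as " and ". The following added example (not from the original post) binds the values as ADODB.Command parameters instead, so they never become part of the SQL text. The connection string in Application("ConnStr"), the articles table and its columns, and the FindArticles and IsPlainInteger helpers are assumptions for illustration.

```asp
<%
' Added example (not from the original post). Assumed names: Application("ConnStr"),
' table "articles" (id, title, author, category_id); both helpers are hypothetical.
Const adInteger = 3      ' ADO DataTypeEnum
Const adVarWChar = 202   ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum
Const adCmdText = 1      ' ADO CommandTypeEnum

' True only for 1-9 decimal digits (IsNumeric also accepts forms such as "1e5").
Function IsPlainInteger(value)
 Dim re
 Set re = New RegExp
 re.Pattern = "^\d{1,9}$"
 IsPlainInteger = re.Test(value & "")
End Function

' Runs the query with both values bound as parameters. Returns a Recordset,
' or Nothing when an input fails validation.
Function FindArticles(conn, author, categoryId)
 Dim cmd
 Set FindArticles = Nothing
 If Len(author) = 0 Or Len(author) > 50 Then Exit Function
 If Not IsPlainInteger(categoryId) Then Exit Function
 Set cmd = Server.CreateObject("ADODB.Command")
 Set cmd.ActiveConnection = conn
 cmd.CommandType = adCmdText
 cmd.CommandText = "SELECT id, title FROM articles WHERE author = ? AND category_id = ?"
 cmd.Parameters.Append cmd.CreateParameter("author", adVarWChar, adParamInput, 50, author)
 cmd.Parameters.Append cmd.CreateParameter("category_id", adInteger, adParamInput, , CLng(categoryId))
 Set FindArticles = cmd.Execute
End Function

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")
' Constructed sample input: contains " and ", which sqlzr would reject.
Set rs = FindArticles(conn, "Tom and Jerry", "12")
If Not rs Is Nothing Then
 Do Until rs.EOF
  ' Encode on output so stored text is not interpreted as HTML
  Response.Write Server.HTMLEncode(rs("title") & "") & "<br>"
  rs.MoveNext
 Loop
 rs.Close
End If
conn.Close
%>
```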

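This article is from 小古Blog. When reposting, please credit the source and include the corresponding link.

Permanent link to this article: http://blog.chdz1.com/?post=131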
