saferequest.asp

校园二手交易系统,具有完备的后台操作以及应用功能!

<%
Function SafeRequest(str)
  If not isNumeric(str) then
     response.Write "<script>alert('做什么呢！');"
     response.Write "window.history.back();</script>"
     response.end()
  Else
     SafeRequest=str
  End if
End function
%>
<%
Dim StrTemp
StrTemp=request.servervariables("server_name")&request.servervariables("url")&"?"&Request.QueryString
StrTemp=LCase(StrTemp)
If Instr(StrTemp,"select%20") or Instr(StrTemp,"insert%20") or Instr(StrTemp,"delete%20from") or Instr(StrTemp,"count(") or Instr(StrTemp,"drop%20table") or Instr(StrTemp,"asc(") or Instr(StrTemp,"truncate%20") or Instr(StrTemp,"update%20") or Instr(StrTemp,"mid(") or Instr(StrTemp,"chat(") or Instr(StrTemp,"xp_cmdshell") or Instr(StrTemp,"exec%20master") or Instr(StrTemp,"net%20localgroup administrator") or Instr(StrTemp,"net%20user") or Instr(StrTemp,"%20or") or Instr(StrTemp,"%20and") or Instr(StrTemp,"""") or Instr(StrTemp,"'") or Instr(StrTemp,"“") or Instr(StrTemp,"”") or Instr(StrTemp,":") or Instr(StrTemp,": ") or Instr(StrTemp,";") or Instr(StrTemp,"; ") or Instr(StrTemp,",") or Instr(StrTemp,", ") or Instr(StrTemp,"%27") then 
   Response.Write"<script language='javascript'>alert('错误的参数传递，请不要企图破解程序! ');history.back();</script>"
   Response.end
End If
%>