
cf_sql.asp

Package: 易和阳光购物商城 v1.3 | Feature summary: adds an anti-injection file
Language: ASP
<%
'----------------------------------------------------------------------
' Please keep this notice when redistributing; it does not affect performance.
' *******************    尘封 anti-SQL-injection V1.0   ********************************
' Author: 尘封  QQ: 275171
' E-mail: 275171@qq.com
' Websites: http://www.1715.cn http://www.77do.com
' QQ group: 13683242 (ASP enthusiasts)
' Test URL for this script: http://www.77do.com/sql/index.asp
' Notice: before writing this anti-SQL-injection script I myself used the ones circulating online. They all share one trait: they block the keywords a given SQL statement needs. Some time ago I took on an outsourced project whose users were all abroad; had I used those online scripts, blocking characters or words such as ' | select | update | chr | char would have been a great inconvenience for them, e.g. "I'm" could not be entered. So I developed this anti-injection script. It may not be complete yet; I hope everyone will offer suggestions so we can improve it together.
' Usage: include this file in the database connection page (e.g. conn.asp) or at the top of any page you want to protect: <!--@include file="CF_Sql.asp"--> (change @ to #)


' CFSql_Sqlchrs is declared here as well; the original omitted it, which fails under Option Explicit
Dim CFSql_i, CFSql_Sqlchr, CFSql_Sqlchrs, CFSql_ChrContent
' Blacklisted fragments; each request value is lowercased and stripped of spaces before the substring check
CFSql_Sqlchr = "select*|and'|or'|insertinto|deletefrom|altertable|update|createtable|createview|dropview|createindex|dropindex|createprocedure|dropprocedure|createtrigger|droptrigger|createschema|dropschema|createdomain|alterdomain|dropdomain|);|select@|declare@|print@|char(|select"
CFSql_Sqlchrs = Split(CFSql_Sqlchr, "|")


'======================================================
' POST handling
'======================================================
If Request.Form <> "" Then
    For Each CFSql_ChrContent In Request.Form
        For CFSql_i = 0 To UBound(CFSql_Sqlchrs)
            Select Case CFSql_Sqlchrs(CFSql_i)
            Case "select" ' special case: flag "select" only together with "from", so a bare word is allowed
                If InStr(LCase(Replace(Request.Form(CFSql_ChrContent), " ", "")), "select") > 0 And InStr(LCase(Replace(Request.Form(CFSql_ChrContent), " ", "")), "from") > 0 Then
                    Call CFSql_PromptTitle()
                End If
            Case "update" ' special case: "update" is flagged only together with "set" (update .. set ..)
                If InStr(LCase(Replace(Request.Form(CFSql_ChrContent), " ", "")), "update") > 0 And InStr(LCase(Replace(Request.Form(CFSql_ChrContent), " ", "")), "set") > 0 Then
                    Call CFSql_PromptTitle()
                End If
            Case Else
                If InStr(LCase(Replace(Request.Form(CFSql_ChrContent), " ", "")), CFSql_Sqlchrs(CFSql_i)) > 0 Then
                    Call CFSql_PromptTitle()
                End If
            End Select
        Next
    Next
End If



'======================================================
' GET handling
'======================================================
If Request.QueryString <> "" Then
    For Each CFSql_ChrContent In Request.QueryString
        For CFSql_i = 0 To UBound(CFSql_Sqlchrs)
            Select Case CFSql_Sqlchrs(CFSql_i)
            Case "select" ' special case: flag "select" only together with "from", so a bare word is allowed
                If InStr(LCase(Replace(Request.QueryString(CFSql_ChrContent), " ", "")), "select") > 0 And InStr(LCase(Replace(Request.QueryString(CFSql_ChrContent), " ", "")), "from") > 0 Then
                    Call CFSql_PromptTitle()
                End If
            Case "update" ' special case: "update" is flagged only together with "set" (update .. set ..)
                If InStr(LCase(Replace(Request.QueryString(CFSql_ChrContent), " ", "")), "update") > 0 And InStr(LCase(Replace(Request.QueryString(CFSql_ChrContent), " ", "")), "set") > 0 Then
                    Call CFSql_PromptTitle()
                End If
            Case Else
                If InStr(LCase(Replace(Request.QueryString(CFSql_ChrContent), " ", "")), CFSql_Sqlchrs(CFSql_i)) > 0 Then
                    Call CFSql_PromptTitle()
                End If
            End Select
        Next
    Next
End If


' Show the warning, send the browser back one page and stop processing.
' The original had "\n\http://", where "\h" is an invalid JavaScript escape; corrected to "\n\nhttp://".
Sub CFSql_PromptTitle()
    Response.Write "<Script Language=JavaScript>alert('SQL通用防注入系统提示你↓\n\n请不要在参数中包含非法字符尝试注入!\n\nhttp://www.1715.cn\n\nhttp://www.77do.com  \n\n系统版本:V1.0(ASP)版 By:尘封');</Script>"
    Response.Write "<script LANGUAGE='javascript'>history.go(-1);</script>"
    Response.End() ' stop output after the prompt
End Sub
%>
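The filter above is a keyword blacklist applied to every request field; it cannot know which fields reach SQL at all, and any substring it does not list passes. As an added example that is not part of cf_sql.asp or of the 易和阳光购物商城 package, the classic ASP snippet below shows the complementary control a reviewer would ask for alongside it: binding the user-supplied value as an ADODB parameter, so the database receives it as data and never parses it as SQL. The connection object `conn` (assumed to come from conn.asp), the `members` table and its `id`/`username` columns are assumptions.

```vbscript
<%
' Added example: parameterised query with ADO in classic ASP.
' Assumptions: "conn" is an open ADODB.Connection created by conn.asp;
' table "members" with columns "id" and "username" is hypothetical.
Const adCmdText    = 1    ' ADO CommandTypeEnum: CommandText is plain SQL
Const adParamInput = 1    ' ADO ParameterDirectionEnum: input parameter
Const adVarWChar   = 202  ' ADO DataTypeEnum: Unicode variable-length string

' Returns the member id for a username, or 0 when no row matches.
' The username travels as a bound parameter, so values such as "I'm" or
' "select x from y" are compared literally and never change the statement.
Function GetMemberId(conn, userName)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT id FROM members WHERE username = ?"
    ' Size must cover the value, so cap the input at the declared length (50)
    cmd.Parameters.Append cmd.CreateParameter("username", adVarWChar, adParamInput, 50, Left(userName, 50))

    Set rs = cmd.Execute
    If rs.EOF Then
        GetMemberId = 0
    Else
        GetMemberId = CLng(rs("id"))
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Usage: the raw form value is passed through unchanged; no keyword filtering is needed for this query.
Response.Write GetMemberId(conn, Request.Form("username"))
%>
```

The blacklist can stay as a defence-in-depth layer, but once every query binds its inputs this way the "I'm" problem described in the header disappears entirely, because no character needs to be blocked.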