这个SQL防注入程序怎么回事,代码都不能执行了
使用了以下防注入代码
导致 后台 不能 执行 添加数据了。
是因为 过来 字符中 含有 Insert 的缘故?
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|cast|drop"
'================================================= 添加数据代码 ===========================================================
<%
dim username,pass,passI,Flag
username=Trim(Request.Form("USERNAME"))
pass=MD5(Trim(Request.Form("passwrod")))
Flag=Trim(Request.Form("webclass"))
sql="Insert into [USER] (username,password,flag) values ('"&username&"','"&pass&"','"&Flag&"')"
conn.execute(sql)
response.write("<script language='javascript'>alert('Successful operation!');location='UserManage.asp';</script>")
%>
'================================================== 防注入代码 ===========================================================
dim sql_injdata,SQL_inj,SQL_Get,SQL_Data,Sql_Post
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|cast|drop"
SQL_inj = split(SQL_Injdata,"|")
If Request.QueryString<>"" Then 'GET 传递防注入
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=javascript>alert('SQL防注入系统提示,请不要在尝试注入!');window.close()</Script>"
Response.end
end if
next
Next
End If
If Request.Form<>"" Then 'POST 传递防注入
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(SQL_inj)
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
Response.Write "<Script Language=javascript>alert('SQL防注入系统提示,请不要在尝试注入!');window.close()</Script>"
Response.end
end if
next
next
end if