1. At the beginning of the conn file (the database connection file), add the following code:
<%
' Keyword blacklist used to block obvious SQL injection attempts in POST and GET data
Dim AllStr, Str, ComeUrlGet, ComeUrlPost, sGet, sPost, i
AllStr = "'|;|and|chr(|exec|insert|select|delete from|update|mid(|master."
ComeUrlPost = Request.Form
ComeUrlGet = Request.QueryString
Str = Split(AllStr, "|")
' POST: check every form field against the keyword list
If ComeUrlPost <> "" Then
    For Each sPost In Request.Form
        For i = 0 To UBound(Str)
            If InStr(LCase(Request.Form(sPost)), Str(i)) <> 0 Then
                ' Message reads: "Do not enter this site through illegal means!"
                Response.Write("请勿使用非法途径进入本站!")
                Response.End()
            End If
        Next
    Next
End If
' GET: check every query-string parameter the same way
If ComeUrlGet <> "" Then
    For Each sGet In Request.QueryString
        For i = 0 To UBound(Str)
            If InStr(LCase(Request.QueryString(sGet)), Str(i)) <> 0 Then
                Response.Write("请勿使用非法途径进入本站!")
                Response.End()
            End If
        Next
    Next
End If
%>
This is the part that filters injection keywords and characters.
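A keyword blacklist like the one above only catches requests that happen to contain the listed strings; it says nothing about how the value is actually spliced into SQL, and it rejects legitimate input such as a username containing "and". The fix that actually removes the injection risk in classic ASP is to stop concatenating request values into SQL text and pass them as parameters through an ADODB.Command object, keeping the keyword filter (if at all) as a secondary layer. The following is an added example and not code from the original post; the connection string conn_str, the table users and its columns id and username are placeholder names assumed for illustration.

```vbscript
<%
' Added example: parameterized query with ADODB.Command (not from the original post).
' Assumes conn_str is defined in conn.asp and a table "users" with columns
' id (integer) and username (varchar) exists -- placeholder names.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

Dim conn, cmd, rs, rawId, rawUser

rawId = Request.QueryString("id")
rawUser = Request.QueryString("user")

' Positive validation first: an id is only ever a plain integer, so anything
' else is rejected outright instead of being searched for blacklisted words.
If Not IsNumeric(rawId) Or Len(rawId) > 9 Then
    Response.Write "Invalid id"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open conn_str

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The SQL text is fixed; "?" marks the places where values are bound.
cmd.CommandText = "SELECT id, username FROM users WHERE id = ? AND username = ?"

' Values travel to the driver as typed parameters, never as part of the SQL
' string, so quotes, semicolons or keywords in rawUser cannot change the query.
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, rawUser)

Set rs = cmd.Execute

Do While Not rs.EOF
    ' Output is HTML-encoded separately; SQL safety and HTML safety are different problems.
    Response.Write Server.HTMLEncode(rs("username")) & "<BR>"
    rs.MoveNext
Loop

rs.Close
Set rs = Nothing
conn.Close
Set conn = Nothing
%>
```

Both the Jet/Access and SQL Server OLE DB providers accept the "?" placeholder syntax shown here, so the same pattern works for an .mdb-backed site and for one that has moved to SQL Server. The parameter sizes and types should match the column definitions in the real table.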
2. When handling the parameters passed between your pages, use replacement to neutralize dangerous characters. You can process them directly with the following function:
Public Function HTMLcode(fString)
    ' Encode HTML metacharacters so that user input is rendered as text rather than markup
    If Not IsNull(fString) Then
        fString = Replace(fString, ">", "&gt;")
        fString = Replace(fString, "<", "&lt;")
        fString = Replace(fString, CHR(32), "&nbsp;")
        fString = Replace(fString, CHR(9), "&nbsp;")
        fString = Replace(fString, CHR(34), "&quot;")
        fString = Replace(fString, CHR(39), "&#39;")
        fString = Replace(fString, CHR(13), "")
        fString = Replace(fString, CHR(10) & CHR(10), "</P><P> ")
        fString = Replace(fString, CHR(10), "<BR> ")
        HTMLcode = fString
    End If
End Function
3. Change the file extension of your database file, so that nobody can guess its address and download your database!
4. Download a vulnerability scanner and test your site! If you can't find one, you can contact me: QQ: 582955596 or 949346928
<%
' Second, broader keyword blacklist applied to every query-string parameter
spl1str = "'|;|and|exec|insert|select|update|count|*|%|chr|master|truncate|char|declare|<|>|[|]|="
spl2str = Split(spl1str, "|")
If Request.QueryString <> "" Then
    For Each spl3str In Request.QueryString
        For spl4str = 0 To UBound(spl2str)
            If InStr(LCase(Request.QueryString(spl3str)), spl2str(spl4str)) <> 0 Then
                ' Shows a Chinese warning dialog and redirects the visitor to index.asp
                Response.Write "<script language=javascript>alert(' 您的IP已提交至数据库!\n\n做坏事,睡觉时请摸下自己良心!\n\n别无聊了兄弟,做点正经事吧,别侮辱自己的技术!');this.location.href='index.asp';</script>"
                Response.End
            End If
        Next
    Next
End If
%>