My data-insert code is being injected; how do I prevent it?
The code is as follows:
lys_str = myrequest(Request.Form("content"), 2)   ' only the content field goes through the filter below
rs.AddNew
rs("title") = Request.Form("title")               ' title, stored unfiltered
rs("name") = Request.Form("userName")             ' stored unfiltered
rs("email") = Request.Form("Email")               ' stored unfiltered
rs("content") = lys_str
rs("ip") = Request.ServerVariables("REMOTE_ADDR")
rs("zjcontent") = "咨询"                          ' question category
rs.Update
--------------
The problem:
Every time I upload this page, within less than a minute duplicate records start being added to my database, and the content is foreign porn sites. As soon as I comment out the code above, it stops. I think this page must have been injected.
Note: the myrequest function is meant to detect and prevent SQL injection; its code is as follows:
Function myrequest(myvar, ParaType)
    If ParaType = 1 Then
        ' Numeric parameter: refuse anything empty or non-numeric
        If Not IsNumeric(myvar) Or myvar = "" Then
            Response.Write "<script>alert('参数错误');history.back();</script>"
            Response.End
        End If
    Else
        If myvar = "" Then
            Response.Write "<script>alert('参数错误');history.back();</script>"
            Response.End
        Else
            ' Look for a fixed set of characters and SQL keywords
            If InStr(myvar, "'") > 0 Or InStr(myvar, "*") > 0 Or InStr(myvar, ";") > 0 Or _
               InStr(myvar, "?") > 0 Or InStr(myvar, "=") > 0 Or _
               InStr(LCase(myvar), "select") > 0 Or InStr(LCase(myvar), "update") > 0 Or _
               InStr(LCase(myvar), "delete") > 0 Or InStr(LCase(myvar), "insert") > 0 Then
                ' These values are captured but never logged, and the request is not rejected
                userip = Request.ServerVariables("REMOTE_ADDR")
                errpage = Request.ServerVariables("URL")
                useragent = Request.ServerVariables("HTTP_USER_AGENT")
            End If
            ' Strip selected characters; note that ";" and "=" and the SQL keywords
            ' matched above are left in place
            myvar = Replace(Replace(Replace(myvar, "'", ""), "*", ""), "/", "")
            myvar = Replace(Replace(Replace(myvar, "\", ""), ":", ""), "<", "")
            myvar = Replace(Replace(Replace(myvar, ">", ""), "?", ""), "|", "")
        End If
    End If
    myrequest = myvar
End Function
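Added example, not code from the original post: the same insert written with an ADODB.Command and bound parameters, so every field value reaches the database as data rather than being spliced into SQL text (which is what the character-stripping filter tries to approximate), plus a one-time form token that refuses a POST not preceded by rendering the form, which is the check that matters when records keep appearing by themselves within a minute. Assumed names: an open ADODB.Connection called conn, a table called guestbook (placeholder), a hidden input called token, and Session state enabled.

```vbscript
' Added example (not from the original post). Assumptions: conn is an open
' ADODB.Connection, the table is "guestbook" (placeholder) with the columns
' used in the post, and the form carries a hidden field named "token".
'
' On the page that renders the form, issue the token once:
'   Randomize
'   Session("formToken") = Hex(Int(Rnd * 2147483647))
'   <input type="hidden" name="token" value="<%= Session("formToken") %>">
'
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1
Const adExecuteNoRecords = 128

' Step 1: refuse a POST that was not preceded by rendering the form, and
' consume the token so the same submission cannot be replayed.
If Session("formToken") = "" Or Request.Form("token") <> Session("formToken") Then
    Response.Write "invalid or reused form token"
    Response.End
End If
Session("formToken") = ""

' Step 2: bind each value as a typed parameter instead of filtering characters.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO guestbook (title, name, email, content, ip, zjcontent) " & _
                  "VALUES (?, ?, ?, ?, ?, ?)"

' Append one input parameter, truncated to the column width so oversize
' input is cut rather than causing a provider error.
Sub AddParam(pname, value, size)
    cmd.Parameters.Append cmd.CreateParameter(pname, adVarChar, adParamInput, size, Left(value, size))
End Sub

AddParam "title", Request.Form("title"), 200
AddParam "name", Request.Form("userName"), 50
AddParam "email", Request.Form("Email"), 100
AddParam "content", Request.Form("content"), 4000
AddParam "ip", Request.ServerVariables("REMOTE_ADDR"), 45
AddParam "zjcontent", "咨询", 20

' Quotes, semicolons or SQL keywords in any field are stored literally;
' they never become part of the statement.
cmd.Execute , , adExecuteNoRecords
```

Submissions that still arrive after the token check are coming through the form itself, which a server-side rate limit per REMOTE_ADDR or a CAPTCHA on the form would then address.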