看这篇文章真的防住注入吗?ASP防SQL注入终极防范实例是否有用请高手解答

小獭 2013-01-29 06:33:45

ASP防SQL注入终极防范实例

注意要对所有的request对象进行过滤：包括 request.cookie, request.ServerVariables 等等容易被忽视的对象：

程序代码



function killn(byval s1) '过滤数值型参数

if not isnumeric(s1) then 

killn=0

else

if s1<0 or s1>2147483647 then 

killn=0

else

killn=clng(s1)

end if

end if

end function



function killc(byval s1) '过滤货币型参数

if not isnumeric(s1) then 

killc=0

else

killc=formatnumber(s1,2,-1,0,0)

end if

end function



function killw(byval s1) '过滤字符型参数

if len(s1)=0 then

killw=""

else

killw=trim(replace(s1,"'",""))

end if

end function



function killbad(byval s1) '过滤所有危险字符，包括跨站脚本

If len(s1) = 0 then

killbad=""

else

killbad = trim(replace(replace(replace(replace

(replace(replace(replace(replace(s1,Chr(10), "<br>"), 

Chr(34), """), ">", ">"), "<", "<"), "&", "&"),

chr(39),"'"),chr(32)," "),chr(13),""))

end if

end function

...全文

212 3 打赏收藏转发到动态举报

写回复

用AI写文章

3 条回复

切换为时间正序

请发表友善的回复…

发表回复

小獭 2014-04-06

打赏
举报

<%

id=request.Form("id")
userName=request.Form("userName")
pwd=request.Form("pwd")
sex=request.Form("sex")
if sex="" or isNull(sex) then
sex=null
end if
ip="127.0.0.1"


'//添加
if id="" then
Set Cmd = Server.CreateObject("ADODB.Command")
SQL = "InSert Into Member(userName,pwd,sex) Values(?,?,?)"
With Cmd
.ActiveConnection = Conn
.CommandType = 1
.CommandText =SQL
.Prepared = True
.Parameters(0).Value = userName
.Parameters(1).Value = pwd
.Parameters(2).Value = sex

.Execute
End With
Set Cmd = Nothing
end if

'//编辑
if id<>"" and userName<>"" and pwd<>"" then

SQL="update Member set userName=?,Pwd=?,IP=? where id="&id
Set Cmd = Server.CreateObject("ADODB.Command")
With Cmd
.ActiveConnection = Conn
.CommandType = 1
.CommandText =SQL
.Prepared = True
.Parameters(0).Value = userName
.Parameters(1).Value = pwd
.Parameters(2).Value = ip
.Execute
End With
Set Cmd = Nothing

end if

	if err then 
		response.Write(0)
	else
		response.Write(1)
	end if
%>

用这种方法写添加和修改的方法,可以防注吗?没有用到过滤.忽略数据库链接程序.假设数据库是已经连好的状态下写的添加和更新语句. 谢谢.请大神们给点参考. 再次感谢.