28,391
社区成员
发帖
与我相关
我的任务
分享请问过滤屏蔽SQL注入的函数使用。
希望大家能提供一个过滤函数。
我想用在把表单内容写入数据库部分,用这个函数过滤非法字符。
希望高手指点,谢谢
我想用在把表单内容写入数据库部分,用这个函数过滤非法字符。
希望高手指点,谢谢
...全文
请发表友善的回复…
发表回复
colin310 2004-12-11
- 打赏
- 举报
tianshiyumao(天使的羽毛) 说的还是不错的
你可以把函数写成独立的函数,就跟用在文件首部加入<--#include file=MD5.asp-->
在需要加密的地方就直接可以用md5(username)一样了
你可以把函数写成独立的函数,就跟用在文件首部加入<--#include file=MD5.asp-->
在需要加密的地方就直接可以用md5(username)一样了
hubei_university 2004-12-11
- 打赏
- 举报
NO.1
'=================================================
'过程名:SafeRequest
'作 用:防SQL注入函数,安全调用
'参 数:无
'=================================================
Function SafeRequest(ParaName,ParaType)
'--- 传入参数 ---
'ParaName:参数名称-字符型
'ParaType:参数类型-数字型(1表示以上参数是数字,0表示以上参数为字符)
Dim ParaValue
ParaValue=Request(ParaName)
If ParaType=1 then
If not isNumeric(ParaValue) then
Response.write "<script>alert('靠!你想干什么???');window.location.href='/index.asp'</script>"
Response.end
End if
Else
ParaValue=replace(ParaValue,"'","''")
End if
SafeRequest=ParaValue
End function
NO.2
Sub ChkRequest()
Dim k,str,Rtype
Rtype=Request.ServerVariables("REQUEST_METHOD")
If Rtype="GET" Then
for each k in request.querystring
str=request.item(k)
if instr(str,"'")<>0 or instr(str,";")<>0 or instr(str,"#")<>0 or instr(str,"%")<>0 or instr(str,"<")<>0 or instr(str,">")<>0 or instr(str,"=")<>0 or instr(str,",")<>0 or instr(str,")")<>0 or instr(str,"(")<>0 then
Response.Write("<script language=""javascript"">alert('"&replace(str,"'","")&"中含有特殊字符!');location='javascript:history.back()';</script>")
Response.End()
End If
Next
End If
end sub
NO.3
<%
'防止SQL注入
'请在有 ?id="" 这种页面里加入此文件,方法是 直接INCLUDE
Err_Message = 1 '处理方式:1=提示信息,2=转向页面,3=先提示再转向
Err_Web = "/web/" '出错时转向的页面
Query_Badword="'∥and∥select∥update∥chr∥delete∥%20from∥;∥insert∥mid∥master.∥set∥chr(37)∥="
'在这部份定义get非法参数,使用"∥"号间隔
Form_Badword="'∥%∥&∥*∥#∥@∥(∥)∥=" '在这部份定义post非法参数,使用"∥"号间隔
'------定义部份 尾-----------------------------------------------------------------------
On Error Resume Next
'----- 对 get query 值 的过滤.
if request.QueryString<>"" then
Chk_badword=split(Query_Badword,"∥")
FOR EACH Query_Name IN Request.QueryString
for i=0 to ubound(Chk_badword)
If Instr(LCase(request.QueryString(Query_Name)),Chk_badword(i))<>0 Then
Select Case Err_Message
Case "1"
Response.Write "<Script Language=JavaScript>alert('传参错误!参数 "&name&" 的值中包含非法字符串!\n\n请不要在参数中出现:and update delete ; insert mid master 等非法字符!');location.href='"&Err_Web&"';</Script>"
Case "2"
Response.Write "<Script Language=JavaScript>location.href='"&Err_Web&"'</Script>"
Case "3"
Response.Write "<Script Language=JavaScript>alert('传参错误!参数 "&name&"的值中包含非法字符串!\n\n请不要在参数中出现:and update delete ; insert mid master 等非法字符!');location.href='"&Err_Web&"';</Script>"
End Select
Response.End
End If
NEXT
NEXT
End if
'-----对 post 表 单值的过滤.
if request.form<>"" then
Chk_badword=split(Form_Badword,"∥")
FOR EACH name IN Request.Form
for i=0 to ubound(Chk_badword)
If Instr(LCase(request.form(name)),Chk_badword(i))<>0 Then
Select Case Err_Message
Case "1"
Response.Write "<Script Language=JavaScript>alert('出错了!表单 "&name&" 的值中包含非法字符串!\n\n请不要在表单中出现: % & * # ( ) 等非法字符!');location.href='"&Err_Web&"';</Script>"
Case "2"
Response.Write "<Script Language=JavaScript>location.href='"&Err_Web&"'</Script>"
Case "3"
Response.Write "<Script Language=JavaScript>alert('出错了!参数 "&name&"的值中包含非法字符串!\n\n请不要在表单中出现: % & * # ( ) 等非法字符!');location.href='"&Err_Web&"';</Script>"
End Select
Response.End
End If
NEXT
NEXT
end if
%>
NO.5
Function SafeRequest(ParaName)
Dim ParaValue
ParaValue=Request(ParaName)
if IsNumeric(ParaValue) = True then
SafeRequest=ParaValue
exit Function
elseIf Instr(LCase(ParaValue),"select ") > 0 or Instr(LCase(ParaValue),"insert ") > 0 or Instr(LCase(ParaValue),"delete from") > 0 or Instr(LCase(ParaValue),"count(") > 0 or Instr(LCase(ParaValue),"drop table") > 0 or Instr(LCase(ParaValue),"update ") > 0 or Instr(LCase(ParaValue),"truncate ") > 0 or Instr(LCase(ParaValue),"asc(") > 0 or Instr(LCase(ParaValue),"mid(") > 0 or Instr(LCase(ParaValue),"char(") > 0 or Instr(LCase(ParaValue),"xp_cmdshell") > 0 or Instr(LCase(ParaValue),"exec master") > 0 or Instr(LCase(ParaValue),"net localgroup administrators") > 0 or Instr(LCase(ParaValue)," and ") > 0 or Instr(LCase(ParaValue),"net user") > 0 or Instr(LCase(ParaValue)," or ") > 0 then
Response.Write "<script language='javascript'>"
Response.Write "alert('非法的请求!');" '发现SQL注入攻击提示信息
Response.Write "location.href='http://www.hubu.edu.cn';" '发现SQL注入攻击转跳网址
Response.Write "<script>"
Response.end
else
SafeRequest=ParaValue
End If
End function
使用SafeRequest函数替换掉Request
'=================================================
'过程名:SafeRequest
'作 用:防SQL注入函数,安全调用
'参 数:无
'=================================================
Function SafeRequest(ParaName,ParaType)
'--- 传入参数 ---
'ParaName:参数名称-字符型
'ParaType:参数类型-数字型(1表示以上参数是数字,0表示以上参数为字符)
Dim ParaValue
ParaValue=Request(ParaName)
If ParaType=1 then
If not isNumeric(ParaValue) then
Response.write "<script>alert('靠!你想干什么???');window.location.href='/index.asp'</script>"
Response.end
End if
Else
ParaValue=replace(ParaValue,"'","''")
End if
SafeRequest=ParaValue
End function
NO.2
Sub ChkRequest()
Dim k,str,Rtype
Rtype=Request.ServerVariables("REQUEST_METHOD")
If Rtype="GET" Then
for each k in request.querystring
str=request.item(k)
if instr(str,"'")<>0 or instr(str,";")<>0 or instr(str,"#")<>0 or instr(str,"%")<>0 or instr(str,"<")<>0 or instr(str,">")<>0 or instr(str,"=")<>0 or instr(str,",")<>0 or instr(str,")")<>0 or instr(str,"(")<>0 then
Response.Write("<script language=""javascript"">alert('"&replace(str,"'","")&"中含有特殊字符!');location='javascript:history.back()';</script>")
Response.End()
End If
Next
End If
end sub
NO.3
<%
'防止SQL注入
'请在有 ?id="" 这种页面里加入此文件,方法是 直接INCLUDE
Err_Message = 1 '处理方式:1=提示信息,2=转向页面,3=先提示再转向
Err_Web = "/web/" '出错时转向的页面
Query_Badword="'∥and∥select∥update∥chr∥delete∥%20from∥;∥insert∥mid∥master.∥set∥chr(37)∥="
'在这部份定义get非法参数,使用"∥"号间隔
Form_Badword="'∥%∥&∥*∥#∥@∥(∥)∥=" '在这部份定义post非法参数,使用"∥"号间隔
'------定义部份 尾-----------------------------------------------------------------------
On Error Resume Next
'----- 对 get query 值 的过滤.
if request.QueryString<>"" then
Chk_badword=split(Query_Badword,"∥")
FOR EACH Query_Name IN Request.QueryString
for i=0 to ubound(Chk_badword)
If Instr(LCase(request.QueryString(Query_Name)),Chk_badword(i))<>0 Then
Select Case Err_Message
Case "1"
Response.Write "<Script Language=JavaScript>alert('传参错误!参数 "&name&" 的值中包含非法字符串!\n\n请不要在参数中出现:and update delete ; insert mid master 等非法字符!');location.href='"&Err_Web&"';</Script>"
Case "2"
Response.Write "<Script Language=JavaScript>location.href='"&Err_Web&"'</Script>"
Case "3"
Response.Write "<Script Language=JavaScript>alert('传参错误!参数 "&name&"的值中包含非法字符串!\n\n请不要在参数中出现:and update delete ; insert mid master 等非法字符!');location.href='"&Err_Web&"';</Script>"
End Select
Response.End
End If
NEXT
NEXT
End if
'-----对 post 表 单值的过滤.
if request.form<>"" then
Chk_badword=split(Form_Badword,"∥")
FOR EACH name IN Request.Form
for i=0 to ubound(Chk_badword)
If Instr(LCase(request.form(name)),Chk_badword(i))<>0 Then
Select Case Err_Message
Case "1"
Response.Write "<Script Language=JavaScript>alert('出错了!表单 "&name&" 的值中包含非法字符串!\n\n请不要在表单中出现: % & * # ( ) 等非法字符!');location.href='"&Err_Web&"';</Script>"
Case "2"
Response.Write "<Script Language=JavaScript>location.href='"&Err_Web&"'</Script>"
Case "3"
Response.Write "<Script Language=JavaScript>alert('出错了!参数 "&name&"的值中包含非法字符串!\n\n请不要在表单中出现: % & * # ( ) 等非法字符!');location.href='"&Err_Web&"';</Script>"
End Select
Response.End
End If
NEXT
NEXT
end if
%>
NO.5
Function SafeRequest(ParaName)
Dim ParaValue
ParaValue=Request(ParaName)
if IsNumeric(ParaValue) = True then
SafeRequest=ParaValue
exit Function
elseIf Instr(LCase(ParaValue),"select ") > 0 or Instr(LCase(ParaValue),"insert ") > 0 or Instr(LCase(ParaValue),"delete from") > 0 or Instr(LCase(ParaValue),"count(") > 0 or Instr(LCase(ParaValue),"drop table") > 0 or Instr(LCase(ParaValue),"update ") > 0 or Instr(LCase(ParaValue),"truncate ") > 0 or Instr(LCase(ParaValue),"asc(") > 0 or Instr(LCase(ParaValue),"mid(") > 0 or Instr(LCase(ParaValue),"char(") > 0 or Instr(LCase(ParaValue),"xp_cmdshell") > 0 or Instr(LCase(ParaValue),"exec master") > 0 or Instr(LCase(ParaValue),"net localgroup administrators") > 0 or Instr(LCase(ParaValue)," and ") > 0 or Instr(LCase(ParaValue),"net user") > 0 or Instr(LCase(ParaValue)," or ") > 0 then
Response.Write "<script language='javascript'>"
Response.Write "alert('非法的请求!');" '发现SQL注入攻击提示信息
Response.Write "location.href='http://www.hubu.edu.cn';" '发现SQL注入攻击转跳网址
Response.Write "<script>"
Response.end
else
SafeRequest=ParaValue
End If
End function
使用SafeRequest函数替换掉Request
jammy78 2004-12-11
- 打赏
- 举报
不明白用法
jammy78 2004-12-11
- 打赏
- 举报
<%ddd%>
liujinhuagirl 2004-12-07
- 打赏
- 举报
顶!
Coyozo 2004-12-07
- 打赏
- 举报
先定义一个CheckString函数 你可以保存到一个ASP文件中也可以直接放在当前页
function CheckString(Message)
Message = Replace(Message, Chr(0), "")
CheckString = Replace(Message,"'","''")'在这里定义需要屏蔽的字符
end function
function CheckString(Message)
Message = Replace(Message, Chr(0), "")
CheckString = Replace(Message,"'","''")'在这里定义需要屏蔽的字符
end function
tianshiyumao 2004-12-07
- 打赏
- 举报
但是如果光这样弄的话,,在写入数据库的时候不是还可以一样注入吗?比如
username=request.form("username")
password=request.form("password")
sql="select ....."
rs.open sql,conn,1,2
rs.addnew
rs("username")=username
rs("password")=password
rs.update
rs.close
这个时候别人不是还可以用表单的方法注入吗?
如果上边那段代码我写成这样是不是就不怕注入了呢?
<--包含过滤文件-->
username=checkStr(request.form("username"))
password=checkStr(request.form("password"))
sql="select ....."
rs.open sql,conn,1,2
rs.addnew
rs("username")=username
rs("password")=password
rs.update
rs.close
username=request.form("username")
password=request.form("password")
sql="select ....."
rs.open sql,conn,1,2
rs.addnew
rs("username")=username
rs("password")=password
rs.update
rs.close
这个时候别人不是还可以用表单的方法注入吗?
如果上边那段代码我写成这样是不是就不怕注入了呢?
<--包含过滤文件-->
username=checkStr(request.form("username"))
password=checkStr(request.form("password"))
sql="select ....."
rs.open sql,conn,1,2
rs.addnew
rs("username")=username
rs("password")=password
rs.update
rs.close
duduwolf 2004-12-07
- 打赏
- 举报
我一般在地址栏上传值只传整数变量的,尽量避免传常规字符串,我觉得这样最保险
baikaishui_0825 2004-12-07
- 打赏
- 举报
你写个包含文件把这个函数包含进去
就可以checkStr(str)直接使用了
就可以checkStr(str)直接使用了
tianshiyumao 2004-12-07
- 打赏
- 举报
function checkStr(str)
if isnull(str) then
checkStr = ""
exit function
end if
str = Replace(str, Chr(0), "")
checkStr=replace(str,"'","''")
end function
这段代码用在什么位置啊?
不会用啊。帮帮小妹吧。
if isnull(str) then
checkStr = ""
exit function
end if
str = Replace(str, Chr(0), "")
checkStr=replace(str,"'","''")
end function
这段代码用在什么位置啊?
不会用啊。帮帮小妹吧。
tianshiyumao 2004-12-07
- 打赏
- 举报
55555555,还是不会用啊,有没有能像MD5那样的方法,
在文件首部加入<--#include file=MD5.asp-->
在需要加密的地方就直接可以用md5(username)
这样的方法啊。。。
在文件首部加入<--#include file=MD5.asp-->
在需要加密的地方就直接可以用md5(username)
这样的方法啊。。。
lienzhu 2004-12-07
- 打赏
- 举报
function checkStr(str)
if isnull(str) then
checkStr = ""
exit function
end if
str = Replace(str, Chr(0), "")
checkStr=replace(str,"'","''")
end function
if isnull(str) then
checkStr = ""
exit function
end if
str = Replace(str, Chr(0), "")
checkStr=replace(str,"'","''")
end function
baikaishui_0825 2004-12-07
- 打赏
- 举报
js版的防范SQL注入式攻击代码~:
[CODE START]
<script language="javascript">
<!--
var url = location.search;
var re=/^\?(.*)(select |insert |delete from |count\(|drop table|update truncate |asc\(|mid\(|char\(|xp_cmdshell|exec master|net localgroup administrators|\"|:|net user|\'| or )(.*)$/gi;
var e = re.test(url);
if(e) {
alert("地址中含有非法字符~");
location.href="error.asp";
}
//-->
<script>
[CODE END]
asp版的防范SQL注入式攻击代码~:
[CODE START]
<%
On Error Resume Next
Dim strTemp
If LCase(Request.ServerVariables("HTTPS")) = "off" Then
strTemp = "http://"
Else
strTemp = "https://"
End If
strTemp = strTemp & Request.ServerVariables("SERVER_NAME")
If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")
strTemp = strTemp & Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
strTemp = LCase(strTemp)
If Instr(strTemp,"select ") or Instr(strTemp,"insert ") or Instr(strTemp,"delete from") or Instr(strTemp,"count(") or Instr(strTemp,"drop table") or Instr(strTemp,"update ") or Instr(strTemp,"truncate ") or Instr(strTemp,"asc(") or Instr(strTemp,"mid(") or Instr(strTemp,"char(") or Instr(strTemp,"xp_cmdshell") or Instr(strTemp,"exec master") or Instr(strTemp,"net localgroup administrators") or Instr(strTemp,":") or Instr(strTemp,"net user") or Instr(strTemp,"'") or Instr(strTemp," or ") then
Response.Write "<script language='javascript'>"
Response.Write "alert('非法地址!!');"
Response.Write "location.href='error.asp';"
Response.Write "<script>"
End If
%>
[CODE END]
以下是较为简单的防范方法,这些都是大家比较熟悉的方法,我就是转帖过来。希望能给你一点帮助~
主要是针对数字型的变量传递:
id = Request.QueryString("id")
If Not(isNumeric(id)) Then
Response.Write "非法地址~"
Response.End
End If
[CODE START]
<script language="javascript">
<!--
var url = location.search;
var re=/^\?(.*)(select |insert |delete from |count\(|drop table|update truncate |asc\(|mid\(|char\(|xp_cmdshell|exec master|net localgroup administrators|\"|:|net user|\'| or )(.*)$/gi;
var e = re.test(url);
if(e) {
alert("地址中含有非法字符~");
location.href="error.asp";
}
//-->
<script>
[CODE END]
asp版的防范SQL注入式攻击代码~:
[CODE START]
<%
On Error Resume Next
Dim strTemp
If LCase(Request.ServerVariables("HTTPS")) = "off" Then
strTemp = "http://"
Else
strTemp = "https://"
End If
strTemp = strTemp & Request.ServerVariables("SERVER_NAME")
If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")
strTemp = strTemp & Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
strTemp = LCase(strTemp)
If Instr(strTemp,"select ") or Instr(strTemp,"insert ") or Instr(strTemp,"delete from") or Instr(strTemp,"count(") or Instr(strTemp,"drop table") or Instr(strTemp,"update ") or Instr(strTemp,"truncate ") or Instr(strTemp,"asc(") or Instr(strTemp,"mid(") or Instr(strTemp,"char(") or Instr(strTemp,"xp_cmdshell") or Instr(strTemp,"exec master") or Instr(strTemp,"net localgroup administrators") or Instr(strTemp,":") or Instr(strTemp,"net user") or Instr(strTemp,"'") or Instr(strTemp," or ") then
Response.Write "<script language='javascript'>"
Response.Write "alert('非法地址!!');"
Response.Write "location.href='error.asp';"
Response.Write "<script>"
End If
%>
[CODE END]
以下是较为简单的防范方法,这些都是大家比较熟悉的方法,我就是转帖过来。希望能给你一点帮助~
主要是针对数字型的变量传递:
id = Request.QueryString("id")
If Not(isNumeric(id)) Then
Response.Write "非法地址~"
Response.End
End If
phoubes 2004-12-07
- 打赏
- 举报
过滤掉不合法的SQL字符就好了
up一下
up一下
sjjf 2004-12-07
- 打赏
- 举报
更正,
转移--〉反转义
转移--〉反转义
sjjf 2004-12-07
- 打赏
- 举报
忠告:
1。不要把字符串过滤了再存入数据库,
除非,信息一次性写入后以后不再做修改,也不用做别的sql的输入。只是用来在web上浏览。
2。在过滤的时候不要多也不要少,仅对语言的边界和sql的边界字符进行转移即可。
1。不要把字符串过滤了再存入数据库,
除非,信息一次性写入后以后不再做修改,也不用做别的sql的输入。只是用来在web上浏览。
2。在过滤的时候不要多也不要少,仅对语言的边界和sql的边界字符进行转移即可。
tianshiyumao 2004-12-07
- 打赏
- 举报
username=checkStr(request.form("username"))
password=checkStr(request.form("password"))
sql="select ....."
rs.open sql,conn,1,2
rs.addnew
rs("username")=username
rs("password")=password
rs.update
rs.close
这种用法算不算恰当呢。
password=checkStr(request.form("password"))
sql="select ....."
rs.open sql,conn,1,2
rs.addnew
rs("username")=username
rs("password")=password
rs.update
rs.close
这种用法算不算恰当呢。
