SQL通用防注入程序 完美版

<%
'--------版权说明------------------
'SQL通用防注入程序 完美版 By 若寒(X.L.B) QQ:343576462
'--------定义部份------------------
Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr,alerts
'自定义需要过滤的字串,用 "|" 分隔
Fy_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|or"
'----------------------------------
%>

<%
Fy_Inf = split(Fy_In,"|")
'--------POST部份------------------
If Request.Form<>"" Then
For Each Fy_Post In Request.Form
    For Fy_Xh=0 To Ubound(Fy_Inf)
      If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
        '--------写入数据库--头--------
        Conn.Execute("insert into evset_NoHackSql(Sqlin_IP,SqlIn_Web,SqlIn_TIME,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','"&now&"','POST','"&Fy_Post&"','"&replace(Request.Form(Fy_Post),"'","''")&"')")
        Conn.close
        Set Conn = Nothing
        '--------写入数据库--尾--------
   call e_alert()
      End If
    Next
Next
End If

'--------GET部份-------------------
If Request.QueryString<>"" Then
For Each Fy_Get In Request.QueryString
    For Fy_Xh=0 To Ubound(Fy_Inf)
      If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
        '--------写入数据库--头--------
        Conn.Execute("insert into evset_NoHackSql(SqlIn_IP,SqlIn_Web,SqlIn_TIME,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','"&now&"','GET','"&Fy_Get&"','"&replace(Request.QueryString(Fy_Get),"'","''")&"')")
        Conn.close
        Set Conn = Nothing
        '--------写入数据库--尾--------
   call e_alert()
      End If
    Next
Next
End If

'--------cookies部份-------------------
If Request.Cookies<>"" Then
For Each Fy_Get In Request.Cookies
    For Fy_Xh=0 To Ubound(Fy_Inf)
      If Instr(LCase(Request.Cookies(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
        '--------写入数据库--头--------
        Conn.Execute("insert into evset_NoHackSql(SqlIn_IP,SqlIn_Web,SqlIn_TIME,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','"&now&"','Cookies','"&Fy_Get&"','"&replace(Request.Cookies(Fy_Get),"'","''")&"')")
        Conn.close
        Set Conn = Nothing
        '--------写入数据库--尾--------
   call e_alert()
      End If
    Next
Next
End If

Sub e_alert()
alerts = "<"&"Script Language=JavaScript"&">"
alerts = alerts & "alert('请不要试图攻击本站,我们已经记录下你的信息！/n/nhttp://"&Request.ServerVariables("HTTP_HOST")&"//n/nBy:若寒(X.L.B) QQ:343576462');window.opener=null; window.close();"
alerts = alerts & "<"&"/Script"&">"
Response.Write alerts  
Response.End
end Sub
%>